On 3 May 2017, at 10:03, Issac Goldstand <mar...@beamartyr.net> wrote:
>
> +1 on the idea
>
> So far I'm -0 about all of the proposed implementations for 2 reasons:
>
> 1) Mr and Mrs normal (who are our primary customers in the original
> proposal) usually download Apache from their distro or some other
> binary. Their Apache sources are usually not up-to-date, and in the
> scenario that a new vulnerability is found it would take ages to
> propagate to them, anyway
>
> 2) For those users who are comfortable building their own source, they ….
So how about ‘us’ taking the lead here. We, here, simply define ‘one’ setting as the industry best standard, which roughly corresponds to what the ssllabs test would grade as an A+ and that pretty much meets or exceeds the various NIST et al. recommendations for key lengths for the next 5 years. We’d wrap this into a simple policy document. Promise ourselves that we’d check this every release and review it at least once a year. And have a small list of the versions currently meeting or exceeding our policy. And this is the setting you get when you do ‘SSLEngine On’. Everything else stays as is.

Dw