On Fri, Aug 4, 2017 at 4:26 AM, Stefan Eissing
> I talked about some kind of SSL Policy definition in httpd's configuration
> in the past and am now about to get serious about it. Here is what I wan to
> Recap: the general idea is
> 2. Provide a set of already defined policies that either follow a public
> definition (like the Mozilla security classes) or express our idea of
> how configuration should look like.
I read this aspect at this as more of a weakness than a benefit.
OpenSSL is more likely to be promptly updated by our users than httpd
itself. Where ever httpd is overriding OpenSSL preferences, we will
simply be prolonging the use of discouraged policy.
If a cipher is changed upstream in OpenSSL from HIGH to MEDIUM
strength (or dropped entirely), due to the discovery of a weakness in
the cipher, I believe it is important for httpd to pick up on that signal
without upgrade or recompilation.