Here is my proposal for more semantic sugar.

It defines 3 new SSL* config directives:

- <SSLPolicy name>   defines a set of SSL* directives under a name
- SSLPolicy          merges the non-proxy parts of the policy into the
                     current server config; local directives will override
- SSLProxyPolicy     merges the proxy parts of the policy into the current
                     server config; local directives will override

At the moment there are 3 predefined policies: modern, intermediate, old (from
https://wiki.mozilla.org/Security/Server_Side_TLS)

In order to apply them on TLS connections to the client, you configure

  SSLPolicy modern

in your server config or in a specific vhost. To affect the backend proxy 
connections, you may add:

  SSLProxyPolicy intermediate

All settings besides a policy apply as usual, and they override the policy's
values. The order does not matter:

  SSLPolicy modern
  SSLProtocol SSLv3

is the same as

  SSLProtocol SSLv3
  SSLPolicy modern

When you use multiple policies in the same server, they override each other in
document order, i.e. the last one wins:

  SSLPolicy modern
  SSLPolicy intermediate

will give you "intermediate" security settings, while

  SSLPolicy intermediate
  SSLPolicy modern

will give you "modern" ones.

You can override policies, so if someone wants to "hotfix" a policy, she can 
write:

<SSLPolicy modern>
  SSLPolicy modern
  SSLCipherSuite "VERYHOTNEWONE"
</SSLPolicy>

or you expand a policy:

<SSLPolicy modern-on>
  SSLPolicy modern
  SSLEngine on
</SSLPolicy>
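To make the merge rules above concrete, here is a small Python model of them, written for this post and not taken from the patch: a policy is a dict of directive -> value, the "proxy part" is assumed to be every directive whose name starts with SSLProxy, and the protocol/cipher strings are constructed placeholders rather than the real Mozilla values.

```python
# Model of the proposed SSLPolicy / SSLProxyPolicy merge rules (illustration
# only, not the patch's code). Assumption: the proxy part of a policy is every
# directive named SSLProxy*; everything else is the non-proxy part.

def is_proxy(directive):
    return directive.startswith("SSLProxy")

def resolve(lines, policies):
    """Merge one server/vhost body, given as (directive, value) pairs in
    document order. Of several SSLPolicy (or SSLProxyPolicy) uses the last
    one wins; local directives override policy values wherever they appear."""
    local, client_policy, proxy_policy = {}, None, None
    for directive, value in lines:
        if directive == "SSLPolicy":
            client_policy = value          # last one in document order wins
        elif directive == "SSLProxyPolicy":
            proxy_policy = value
        else:
            local[directive] = value
    merged = {}
    if client_policy is not None:          # non-proxy part only
        merged.update({d: v for d, v in policies[client_policy].items()
                       if not is_proxy(d)})
    if proxy_policy is not None:           # proxy part only
        merged.update({d: v for d, v in policies[proxy_policy].items()
                       if is_proxy(d)})
    merged.update(local)                   # local directives override
    return merged

def define_policy(name, body, policies):
    """<SSLPolicy name> ... </SSLPolicy>: resolve the body against the policies
    known so far (so a block may reference, hotfix or extend an existing
    policy, even one of the same name) and register the result under name."""
    return {**policies, name: resolve(body, policies)}

# Constructed stand-ins for two of the predefined policies.
PREDEFINED = {
    "modern": {"SSLProtocol": "MODERN-PROTOCOLS",
               "SSLCipherSuite": "MODERN-CIPHERS",
               "SSLProxyProtocol": "MODERN-PROTOCOLS",
               "SSLProxyCipherSuite": "MODERN-CIPHERS"},
    "intermediate": {"SSLProtocol": "INTERMEDIATE-PROTOCOLS",
                     "SSLCipherSuite": "INTERMEDIATE-CIPHERS",
                     "SSLProxyProtocol": "INTERMEDIATE-PROTOCOLS",
                     "SSLProxyCipherSuite": "INTERMEDIATE-CIPHERS"},
}

def example_vhost():
    # Hotfix "modern" in place, then use it in a vhost together with a local
    # SSLProtocol (which wins regardless of position) and a proxy policy.
    policies = define_policy("modern", [("SSLPolicy", "modern"),
                                        ("SSLCipherSuite", "VERYHOTNEWONE")],
                             PREDEFINED)
    return resolve([("SSLProtocol", "SSLv3"),
                    ("SSLPolicy", "intermediate"),
                    ("SSLPolicy", "modern"),          # last SSLPolicy wins
                    ("SSLProxyPolicy", "intermediate")], policies)
```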

I hope this looks attractive to you. All bugs are mine. Let me know what you 
think.

Cheers,

-Stefan

Attachment: ssl_policy_v2.diff
Description: Binary data