Here is my proposal for more semantic sugar. It defines 3 new SSL* config directives:
- <SSLPolicy name> to define a set of SSL* directives under a name
- SSLPolicy merges the non-proxy parts of the policy into the current server config. Local directives will override.
- SSLProxyPolicy merges the proxy parts of the policy into the current server config. Local directives will override.

There are atm 3 predefined policies: modern, intermediate, old (from https://wiki.mozilla.org/Security/Server_Side_TLS)

In order to apply them on TLS connections to the client, you configure

  SSLPolicy modern

in your server config or in a specific vhost. To affect the backend proxy connections, you may add:

  SSLProxyPolicy intermediate

All settings beside a policy apply as usual. They do override policy values. The order does not matter:

  SSLPolicy modern
  SSLProtocol SSLv3

is the same as

  SSLProtocol SSLv3
  SSLPolicy modern

When you define multiple policy uses in the same server, they are merged in the reverse order (or override each other in document order, e.g. last one wins):

  SSLPolicy modern
  SSLPolicy intermediate

will give you "intermediate" security settings, while

  SSLPolicy intermediate
  SSLPolicy modern

will give you "modern" ones.

You can override policies, so if someone wants to "hotfix" a policy, she can write:

  <SSLPolicy modern>
    SSLPolicy modern
    SSLCipherSuite "VERYHOTNEWONE"
  </SSLPolicy>

or you expand a policy:

  <SSLPolicy modern-on>
    SSLPolicy modern
    SSLEngine on
  </SSLPolicy>

I hope this looks attractive to you. All bugs are mine. Let me know what you think.

Cheers,

-Stefan
ssl_policy_v2.diff
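The merge rules in the proposal (a policy is a named set of SSL* directives; SSLPolicy pulls in the non-proxy part, SSLProxyPolicy the proxy part; local directives always win; with several SSLPolicy lines in one server the last one wins; a <SSLPolicy> block named like an existing policy replaces it, and may refer to the old one in its body) are easy to misread when reviewing a config. The following is an added example, not code from Stefan's patch or from httpd: a small Python model of those rules over a toy config format. The policy contents in PREDEFINED are constructed placeholders, not the real Mozilla values, and the treatment of SSLPolicy inside a <SSLPolicy> block as merging only the non-proxy part is an assumption drawn from the stated rule.

```python
"""Toy resolver for the SSLPolicy merge semantics described in the proposal.

Added example, not part of the mod_ssl patch. Models the rules as stated:
  - SSLPolicy NAME       merges the non-proxy (SSL*, not SSLProxy*) part
  - SSLProxyPolicy NAME  merges the proxy (SSLProxy*) part
  - local directives override policy values regardless of order
  - several SSLPolicy lines in one server: the last one wins
  - <SSLPolicy NAME> ... </SSLPolicy> defines/replaces a policy; its body
    is resolved against the policies known so far, so it can "hotfix" the
    previous definition of the same name.
"""
import re

# Constructed placeholder policies (assumption, not the real Mozilla values).
PREDEFINED = {
    "modern": {
        "SSLProtocol": "TLSv1.2",
        "SSLCipherSuite": "MODERN-SUITE-PLACEHOLDER",
        "SSLProxyProtocol": "TLSv1.2",
        "SSLProxyCipherSuite": "MODERN-SUITE-PLACEHOLDER",
    },
    "intermediate": {
        "SSLProtocol": "all -SSLv2 -SSLv3",
        "SSLCipherSuite": "INTERMEDIATE-SUITE-PLACEHOLDER",
        "SSLProxyProtocol": "all -SSLv2 -SSLv3",
        "SSLProxyCipherSuite": "INTERMEDIATE-SUITE-PLACEHOLDER",
    },
    "old": {
        "SSLProtocol": "all -SSLv2",
        "SSLCipherSuite": "OLD-SUITE-PLACEHOLDER",
        "SSLProxyProtocol": "all -SSLv2",
        "SSLProxyCipherSuite": "OLD-SUITE-PLACEHOLDER",
    },
}


def is_proxy(directive):
    """SSLProxy* directives form the proxy part of a policy."""
    return directive.startswith("SSLProxy")


def resolve_block(lines, policies):
    """Effective settings for a run of directives under the proposal's rules."""
    local = {}
    policy_name = None        # last SSLPolicy line wins
    proxy_policy_name = None  # last SSLProxyPolicy line wins
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, arg = line.partition(" ")
        arg = arg.strip().strip('"')
        if directive == "SSLPolicy":
            policy_name = arg
        elif directive == "SSLProxyPolicy":
            proxy_policy_name = arg
        else:
            local[directive] = arg
    effective = {}
    if policy_name is not None:
        effective.update({k: v for k, v in policies[policy_name].items()
                          if not is_proxy(k)})
    if proxy_policy_name is not None:
        effective.update({k: v for k, v in policies[proxy_policy_name].items()
                          if is_proxy(k)})
    effective.update(local)  # local directives override the policy values
    return effective


def load_config(text, policies=None):
    """Parse <SSLPolicy name> blocks plus server-level directives.

    Returns (policy table after definitions, effective server settings).
    """
    policies = dict(PREDEFINED if policies is None else policies)
    server_lines = []
    block_name, block_lines = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"<SSLPolicy\s+(\S+)>$", line)
        if m:
            block_name, block_lines = m.group(1), []
            continue
        if line == "</SSLPolicy>":
            # Resolve against the table as it is now, so "SSLPolicy modern"
            # inside "<SSLPolicy modern>" refers to the old definition.
            policies[block_name] = resolve_block(block_lines, policies)
            block_name = None
            continue
        (block_lines if block_name is not None else server_lines).append(line)
    return policies, resolve_block(server_lines, policies)


if __name__ == "__main__":
    hotfix = ('<SSLPolicy modern>\n  SSLPolicy modern\n'
              '  SSLCipherSuite "VERYHOTNEWONE"\n</SSLPolicy>\n'
              'SSLPolicy modern\nSSLProxyPolicy intermediate\n')
    _, effective = load_config(hotfix)
    for k, v in sorted(effective.items()):
        print(f"{k} {v}")
```

Running the module prints the merged server settings for the "hotfix" case from the mail: the patched cipher suite, the modern protocol, and the intermediate proxy part. The same functions can be fed any of the orderings discussed above to confirm that local directives win and that the last SSLPolicy line decides the policy.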
