On Mon, Feb 19, 2018 at 10:42 AM, Stefan Eissing <stefan.eiss...@greenbytes.de> wrote:
> After pondering your comments and questions a bit over the weekend, I decided to
> withdraw the backport proposal for 2.4.x. Instead, I will simplify SSLPolicy in
> trunk and propose a backport for the next release.
>
> My current thinking is to get rid of "<SSLPolicyDefine>" and just introduce
> a fixed "SSLPolicy modern|intermediate|old" which is updated from the Mozilla
> definitions of these terms (a script for that is already in modules/ssl). This
> will only apply to the client facing SSL properties.
>
> "SSLPolicy" will then just act as a normal SSL configuration directive that
> sets a defined number of parameters. Those parameters will get updated in our
> releases (and by distros if they want to update a LTS version with a more
> secure setting).
>
> It can be overridden by site admins, just like any other directive. The
> configuration
>
> SSLProtocol all
> SSLPolicy modern
>
> would just enable TLSv1.2 (and newer), while
>
> SSLPolicy modern
> SSLProtocol +TLSv1.3
>
> would override it.
Looks good to me. The all-in-one defined policy is still interesting; let's take the time to think more about it. It could possibly be implemented as macros too, no?

Thanks,
Yann.