On Thu, Mar 29, 2018 at 10:16 AM, Stefan Eissing <[email protected]> wrote:
>
> Along the gist of your proposal, I think I'll expand "SSLCipherSuite"
> to take more than 1 argument and look for optional prefixes to the
> suite strings given, so one could do
>
> # as before, applies to all TLS protocols <=TLSv1.2
> SSLCipherSuite XXX:YY:-AASSD:DSDS
>
> # Set ciphers for TLSv1.3, does not replace the previous line
> SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
>
> So, the directive becomes:
>
> SSLCipherSuite [ ProtocolClass ] Cipher-String
>
> where ProtocolClass is:
> SSL (default) all TLS/SSL Protocols <= TLSv1.2
> TLSv1.3 TLS version 1.3

Looks good to me. I wonder if it's not applicable to TLSv1.2 already, there are a number of ciphers available to 1.2 only (with openssl < 1.1).

Thanks,
Yann.
