On Thu, Mar 29, 2018 at 3:16 AM, Stefan Eissing <[email protected]> wrote:
>...
> That is the intention behind "SSLPolicy modern|intermediate|old" that
> configures the TLS stack according to the Mozilla server-side-tls
> recommendations. So, one does not have to mess with many directives to have
> a site with an "A" SSL Labs rating.
>
> Besides, except for data center setups, Apache will be used *only* with
> https: (and http: redirects to https:) very, very soon. That shifts the
> average expertise of an admin setting up a https: site.
>
> Back to TLSv1.3:
>
> I do not like to invent new config directives for a new TLS version
> either. The protocol on/off switch is now in "SSLProtocol" and that's where
> it should be. AFAIK, it's only the cipher list that needs special treatment
> (if one wants to override defaults or what SSLPolicy will do for it, once a
> recommendation is out).
>

Gotcha.

> So, looking at "SSLCipherSuite". It basically passes the string to the
> *SSL library. The manual page makes a big explanation and tables of
> ciphers, but the list repeats basically how OpenSSL cipher strings work.
> It would be better to scrap that and replace it with a link to
> https://www.openssl.org/docs/man1.0.2/apps/ciphers.html, now that openssl
> has nicer documentation)
>
> Along the gist of your proposal, I think I'll expand "SSLCipherSuite" to
> take more than 1 argument and look for optional prefixes to the suite
> strings given, so one could do
>

Oooh! Yes. Looks great. +1

>...

Cheers,
-g
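An added configuration example, not part of this thread: it shows the shape the multi-argument SSLCipherSuite took when it shipped in httpd 2.4.36 and later (TLSv1.3 given as a separate protocol argument rather than a prefix inside the suite string), alongside the SSLProtocol switch discussed above. Certificate paths are placeholders.

```apache
# Added example (not from the thread). Placeholder certificate paths.
SSLEngine on
SSLCertificateFile    /etc/ssl/certs/example.pem
SSLCertificateKeyFile /etc/ssl/private/example.key

# The protocol on/off switch stays in SSLProtocol, as argued above.
SSLProtocol -all +TLSv1.2 +TLSv1.3

# OpenSSL-style cipher string, passed through to the library.
# It governs TLS 1.2 and earlier only; TLS 1.3 suites are not
# selected by this string, which is why they need separate handling.
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256

# httpd 2.4.36+: first argument names the protocol, second is the
# IANA-named TLS 1.3 suite list handed to the library's TLS 1.3 setter.
SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
```

Check the effective result from a client rather than trusting the config text: `openssl s_client -connect host:443 -tls1_3` should negotiate one of the three suites on the TLSv1.3 line, and `-tls1_2` one from the OpenSSL-style list.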
