Done in r1827992. Cheers, Stefan
> On 29.03.2018 at 12:56, Greg Stein <[email protected]> wrote:
>
> On Thu, Mar 29, 2018 at 3:16 AM, Stefan Eissing <[email protected]> wrote:
> ...
> That is the intention behind "SSLPolicy modern|intermediate|old" that
> configures the TLS stack according to the Mozilla server-side-tls
> recommendations. So, one does not have to mess with many directives to have a
> site with an "A" SSL Labs rating.
>
> Besides, except for data center setups, Apache will be used *only* with
> https: (and http: redirects to https:) very, very soon. That shifts the
> average expertise of an admin setting up a https: site.
>
> Back to TLSv1.3:
>
> I do not like to invent new config directives for a new TLS version either.
> The protocol on/off switch is now in "SSLProtocol" and that's where it should
> be. AFAIK, it's only the cipher list that needs special treatment (if one
> wants to override defaults or what SSLPolicy will do for it, once a
> recommendation is out).
>
> Gotcha.
>
> So, looking at "SSLCipherSuite". It basically passes the string to the *SSL
> library. The manual page makes a big explanation and tables of ciphers, but
> the list basically repeats how OpenSSL cipher strings work. It would be
> better to scrap that and replace it with a link to
> https://www.openssl.org/docs/man1.0.2/apps/ciphers.html, now that openssl has
> nicer documentation.
>
> Along the gist of your proposal, I think I'll expand "SSLCipherSuite" to take
> more than 1 argument and look for optional prefixes to the suite strings
> given, so one could do
>
> Oooh! Yes. Looks great.
>
> +1
>
> ...
>
> Cheers,
> -g
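Added illustration of the point made in the thread, not code from the thread or from httpd: Python's ssl module hands a cipher string to OpenSSL's cipher-list parser exactly the way SSLCipherSuite does, and the result shows why the TLSv1.3 suites need separate treatment: the legacy string selects TLSv1.2 suites only, while the TLSv1.3 set stays untouched whatever the string says. It assumes Python 3.7 or later linked against OpenSSL 1.1.1 or later; the cipher strings are constructed for the demonstration.

```python
import ssl

# Whether the linked OpenSSL speaks TLSv1.3 at all (assumption: OpenSSL >= 1.1.1).
TLS13_AVAILABLE = ssl.HAS_TLSv1_3


def suites_by_protocol(cipher_string: str) -> dict:
    """Apply a legacy OpenSSL cipher string (the SSLCipherSuite pass-through)
    and group the suites that remain enabled by the protocol version they
    belong to, e.g. {'TLSv1.3': [...], 'TLSv1.2': [...]}."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    groups: dict = {}
    for cipher in ctx.get_ciphers():
        groups.setdefault(cipher["protocol"], []).append(cipher["name"])
    return groups


def tls13_set_unchanged_by(first: str, second: str) -> bool:
    """True when two different legacy cipher strings leave the enabled TLSv1.3
    suites identical, i.e. the legacy list does not govern TLSv1.3 at all."""
    a = suites_by_protocol(first).get("TLSv1.3", [])
    b = suites_by_protocol(second).get("TLSv1.3", [])
    return a == b


if __name__ == "__main__":
    # Constructed cipher strings: each selects a different TLSv1.2 subset.
    for spec in ("ECDHE+AESGCM", "ECDHE+AES128"):
        print(spec)
        for proto, names in suites_by_protocol(spec).items():
            print(f"  {proto}: {', '.join(names)}")
    print("TLSv1.3 suites identical for both strings:",
          tls13_set_unchanged_by("ECDHE+AESGCM", "ECDHE+AES128"))
```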
