Commit 12635616 authored by William A. Rowe Jr's avatar William A. Rowe Jr
Browse files

Following docs/ conventions, using C-T-R to correct unacceptable drift

between 2.4.x and 2.2.x, notably r966160 which was advertised as a cipher
list update, but was in fact a major scope change to global scope.

Backports: r966160
Submitted by: rjung



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1677721 13f79535-47bb-0310-9956-ffa450edef68
parent 87f16cef
Loading
Loading
Loading
Loading
+18 −18
Original line number Diff line number Diff line
@@ -49,6 +49,24 @@ Listen @@SSLPort@@
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

#   Speed-optimized SSL Cipher configuration:
#   If speed is your main concern (on busy HTTPS servers e.g.),
#   you might want to force clients to specific, performance
#   optimized ciphers. In this case, prepend those ciphers
#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
#   Caveat: by giving precedence to RC4-SHA and AES128-SHA
#   (as in the example below), most connections will no longer
#   have perfect forward secrecy - if the server's key is
#   compromised, captures of past or future traffic must be
#   considered compromised, too.
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
#SSLHonorCipherOrder on 
 
#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
@@ -89,24 +107,6 @@ SSLEngine on
#   connect with. Disable SSLv2 by default (cf. RFC 6176).
SSLProtocol all -SSLv2

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

#   Speed-optimized SSL Cipher configuration:
#   If speed is your main concern (on busy HTTPS servers e.g.),
#   you might want to force clients to specific, performance
#   optimized ciphers. In this case, prepend those ciphers
#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
#   Caveat: by giving precedence to RC4-SHA and AES128-SHA
#   (as in the example below), most connections will no longer
#   have perfect forward secrecy - if the server's key is
#   compromised, captures of past or future traffic must be
#   considered compromised, too.
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
#SSLHonorCipherOrder on 
 
#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a