Update Apache configuration #145
base: master
Hello, what is the rationale of this change? Why deviate from the cipher string recommended by the authors and used throughout this guide (see section 3.2.3. Recommended cipher suites)?
What this does is essentially
I think 1. is interesting, and there should be some general discussion in the text about session tickets (and a note for Apache in particular).
For 2., this is not a good idea to just change it here in the config file. Rather, for this please engage in a discussion on the ACH mailing list.
For 3., we maybe need a general disclaimer that, while we understand the merits of the Mozilla cipher generator and such, this is not the place to just dump the results of it…
=-=-=-=-=
@th-certbund You indicated that this was tested with a recent Apache on Debian 9.
@ignisf:
@th-certbund That is true per se. Have you looked at Section 3.2.3 "Recommended cipher suites" in the guide? It explains the two cipher combos recommended and why people might want the more compatible "Ciphersuite B". Note that all examples in the repository use the B variant. It is intended that people opting for the A variant (namely
I believe Thomas just (rightfully so!) started the foundations for the cipher string discussion of the version 2.0 of the better crypto document.
:)
On 17 Jul 2018, at 15:08, Thomas Hungenberg ***@***.***> wrote:
@ignisf:
The old cipher list includes "+SSLv3" while it should be disabled.
CAMELLIA is not supported by web browsers like Firefox.
The list should start with strong/fast ciphers widely supported by web browsers today (like CHACHA20-POLY1305) as highest priority if SSLHonorCipherOrder is used.
etc.
@aaronkaplan ok, great. This probably means fixing the suites, right?
The problem might be that we get a myriad of different suites amongst all the different config files, at which point they don't serve any good purpose anymore :/
On 17 Jul 2018, at 15:20, Tobias Pape ***@***.***> wrote:
@aaronkaplan ok, great. This probably means fixing the suites, right?
correct, we have one place for the definitions of the cipher suites.
But, I agree with thomas, that we need to update them.
It's way about time...
Why is this PR not being merged?