Following docs/ conventions, using C-T-R to correct unacceptable drift

between 2.4.x and 2.2.x, notably r966160 which was advertised as a cipher
list update, but was in fact a major scope change to global scope.

Backports: r966160
Submitted by: rjung

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1677721 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/docs/conf/extra/httpd-ssl.conf.in b/docs/conf/extra/httpd-ssl.conf.in
index ccd0770b03c6e3b11d6c2935cc15ef824a6b9545..2ef2ab0be5bee1d4c722b704d43c17c8a86ee6b9 100644 (file)
--- a/docs/conf/extra/httpd-ssl.conf.in
+++ b/docs/conf/extra/httpd-ssl.conf.in
@@ -49,6 +49,24 @@ Listen @@SSLPort@@
 AddType application/x-x509-ca-cert .crt
 AddType application/x-pkcs7-crl    .crl
 
+#   SSL Cipher Suite:
+#   List the ciphers that the client is permitted to negotiate.
+#   See the mod_ssl documentation for a complete list.
+SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+
+#   Speed-optimized SSL Cipher configuration:
+#   If speed is your main concern (on busy HTTPS servers e.g.),
+#   you might want to force clients to specific, performance
+#   optimized ciphers. In this case, prepend those ciphers
+#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
+#   Caveat: by giving precedence to RC4-SHA and AES128-SHA
+#   (as in the example below), most connections will no longer
+#   have perfect forward secrecy - if the server's key is
+#   compromised, captures of past or future traffic must be
+#   considered compromised, too.
+#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
+#SSLHonorCipherOrder on 
+ 
 #   Pass Phrase Dialog:
 #   Configure the pass phrase gathering process.
 #   The filtering dialog program (`builtin' is a internal
@@ -89,24 +107,6 @@ SSLEngine on
 #   connect with. Disable SSLv2 by default (cf. RFC 6176).
 SSLProtocol all -SSLv2
 
-#   SSL Cipher Suite:
-#   List the ciphers that the client is permitted to negotiate.
-#   See the mod_ssl documentation for a complete list.
-SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
-
-#   Speed-optimized SSL Cipher configuration:
-#   If speed is your main concern (on busy HTTPS servers e.g.),
-#   you might want to force clients to specific, performance
-#   optimized ciphers. In this case, prepend those ciphers
-#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
-#   Caveat: by giving precedence to RC4-SHA and AES128-SHA
-#   (as in the example below), most connections will no longer
-#   have perfect forward secrecy - if the server's key is
-#   compromised, captures of past or future traffic must be
-#   considered compromised, too.
-#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
-#SSLHonorCipherOrder on 
- 
 #   Server Certificate:
 #   Point SSLCertificateFile at a PEM encoded certificate.  If
 #   the certificate is encrypted, then you will be prompted for a