For clarity, revert 1679429

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1679430 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 73a9def457a20b1f1c453627b7b482f98af4ede9..10152e30446fa4efd13f95450f0a2379abe8c322 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,10 +1,6 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.2.30
 
-  *) SSLProtocol and SSLCipherSuite recommendations in the example/default
-     conf/extra/httpd-ssl.conf file are now global in scope, affecting all
-     VirtualHosts (matching 2.4 default configuration). [William Rowe]
-
   *) Turn static function get_server_name_for_url() into public
      ap_get_server_name_for_url() and use it where appropriate. This
      fixes mod_rewrite generating invalid URLs for redirects to IPv6

diff --git a/docs/conf/extra/httpd-ssl.conf.in b/docs/conf/extra/httpd-ssl.conf.in
index df71ec9d8c325a62885400d821fda7c931eb094a..0586d1e200c1ddaab38d917e9594be67bbda32a5 100644 (file)
--- a/docs/conf/extra/httpd-ssl.conf.in
+++ b/docs/conf/extra/httpd-ssl.conf.in
@@ -50,39 +50,28 @@ AddType application/x-x509-ca-cert .crt
 AddType application/x-pkcs7-crl    .crl
 
 #   SSL Cipher Suite:
-#   List the ciphers that the client is permitted to negotiate,
-#   and that httpd will negotiate as the client of a proxied server.
-#   See the OpenSSL documentation for a complete list of ciphers, and
-#   ensure these follow appropriate best practices for this deployment.
-SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
-SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4
-
-#  By the end of 2016, only TLSv1.2 ciphers should remain in use.
-#  Older ciphers should be disallowed as soon as possible, while the
-#  kRSA ciphers do not offer forward secrecy.  These changes inhibit
-#  older clients (such as IE6 SP2 or IE8 on Windows XP, or other legacy
-#  non-browser tooling) from successfully connecting.  
-#
-#  To restrict mod_ssl to use only TLSv1.2 ciphers, and disable
-#  those protocols which do not support forward secrecy, replace
-#  the SSLCipherSuite and SSLProxyCipherSuite directives above with
-#  the following two directives, as soon as practical.
-# SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
-# SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
-
-#   User agents such as web browsers are not configured for the user's
-#   own preference of either security or performance, therefore this
-#   must be the prerogative of the web server administrator who manages
-#   cpu load versus confidentiality, so enforce the server's cipher order.
-SSLHonorCipherOrder on 
+#   List the ciphers that the client is permitted to negotiate.
+#   See the mod_ssl documentation for a complete list.
+SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
 
+#   Speed-optimized SSL Cipher configuration:
+#   If speed is your main concern (on busy HTTPS servers e.g.),
+#   you might want to force clients to specific, performance
+#   optimized ciphers. In this case, prepend those ciphers
+#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
+#   Caveat: by giving precedence to RC4-SHA and AES128-SHA
+#   (as in the example below), most connections will no longer
+#   have perfect forward secrecy - if the server's key is
+#   compromised, captures of past or future traffic must be
+#   considered compromised, too.
+#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
+#SSLHonorCipherOrder on 
+ 
 #   SSL Protocol support:
-#   List the protocol versions which clients are allowed to connect with.
-#   Disable SSLv2 and SSLv3 by default (cf. RFC 7525 3.1.1).  TLSv1 (1.0)
-#   should be disabled as quickly as practical.  By the end of 2016, only
-#   the TLSv1.2 protocol or later should remain in use.
+#   List the protocol versions which clients are allowed to
+#   connect with. Disable SSLv2 (cf. RFC 6176) and SSLv3
+#   (cf. RFC 7525 and CVE 2014-3566).
 SSLProtocol all -SSLv2 -SSLv3
-SSLProxyProtocol all -SSLv2 -SSLv3
 
 #   Pass Phrase Dialog:
 #   Configure the pass phrase gathering process.