Atomicorp

mikeshinn wrote:

your configuration does indeed break compatibility with some older browsers (all on Windows XP, some older Android and Java; nothing too worry about too much)

Yep. The ones it doesnt work with are probably OK for most users, but because some sites might want those, we wouldnt want to force this configuration on anyone.

but still does not force PFS for every client.

That configuration forces PFS for browsers that (1) support PFS and (2) if they support the ciphers that apache 2.2 supports that require PFS. If they dont, it will fall back to some very specific non-PFS ciphers when those two conditions are not true, but not all ciphers or protocols and because some of those ciphers are all those older browsers support, and they are BadCiphers(TM) they are disable - and those browsers dont work. This is the best you can do with apache 2.2. If you force PFS for everything, you'll lose a whole bunch of browsers that just dont support with the ciphers apache 2.2 supports.

SSLProtocol -ALL +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4

Wouldn't it even be more secure to allow only TLS 1.2 in the following setup:

(I noticed that httpd-2.2.15-30.el6 refused to start with +TLSv1.2, although the documentation at http://httpd.apache.org/docs/2.2/mod/mo ... slprotocol seems to suggest that it is a valid value.)

Is it possible to control how ASL is overwriting the mod_ssl configuration, so that you can allow users to use their own configuration? Or perhaps even offering your suggestion as a configurable parameter in ASL?

mikeshinn wrote:Sure, just open a feature request. Right now we just change them to meet PCI requirements, which as you noted gets you an A- and still works with all the browsers out there.