svn commit: r1795359 - /httpd/httpd/branches/2.4.x/docs/conf/extra/httpd-ssl.conf.in

[wr...@apache.org]

Author: wrowe
Date: Tue May 16 19:33:45 2017
New Revision: 1795359

URL: http://svn.apache.org/viewvc?rev=1795359&view=rev
Log:
Remove 3DES by default for users of older crypto librarys; the cipher
has been reclassified in current OpenSSL releases as WEAK due to 112
or fewer bits of remaining cipher strength, while the Sweet32 disclosure
extended the criticism of RC4 on to 3DES. (IDEA, which potentially has the
same issue, is never enabled by default in OpenSSL, due to patent concerns.)

This commit does not change default httpd behavior, but alters the suggested
behavior of newly provisioned httpd servers. Where adopted, XP with IE8 will
no longer handshake with mod_ssl (previously, XP with IE6 would not handshake.)
The same net effect occurs where OpenSSL is updated to 1.1.0.

Modified:
    httpd/httpd/branches/2.4.x/docs/conf/extra/httpd-ssl.conf.in

Modified: httpd/httpd/branches/2.4.x/docs/conf/extra/httpd-ssl.conf.in
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/conf/extra/httpd-ssl.conf.in?rev=1795359&r1=1795358&r2=1795359&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/docs/conf/extra/httpd-ssl.conf.in (original)
+++ httpd/httpd/branches/2.4.x/docs/conf/extra/httpd-ssl.conf.in Tue May 16 19:33:45 2017
@@ -49,8 +49,8 @@ Listen @@SSLPort@@
 #   ensure these follow appropriate best practices for this deployment.
 #   httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers,
 #   while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a.
-SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
-SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4
+SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
+SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
 
 #  By the end of 2016, only TLSv1.2 ciphers should remain in use.
 #  Older ciphers should be disallowed as soon as possible, while the