Mark,

On 8/1/14, 3:48 PM, Mark Thomas wrote:
> On 01/08/2014 13:57, Rémy Maucherat wrote:
>> Well, it can be disabled easily by reverting back to the old default in
>> the endpoint. Sorry for all the defects, the code that was submitted was
>> supposed to be fine ;)
>
> Thanks. I appreciate that.
>
>> If you think the feature is too complex and doesn't provide enough benefit,
>> it can also be removed altogether.
>
> I'm still on the fence. I've removed the system property part as that
> was changing the meaning of some aliases and that might cause a few
> surprises.
>
> On balance I like the idea of the feature and having spent this week
> getting it into shape I'm reluctant to just delete it.
>
> In terms of ensuring correct behaviour, we now have unit tests that
> demonstrate that all the individual aliases are correct. Next I want to
> test some more complex expressions to check the operators all behave as
> expected.

Here's one you can try on for size:

!aNULL:!eNULL:!EXPORT:!DSS:!DES:!SSLv2:ECDHE:ECDH:DHE:AES256-GCM-SHA384:AES128-GCM-SHA256:+RC4:HIGH:MEDIUM

I'm sure you can find more by googling for "httpd recommended CipherSuite"
and see what kinds of crazy things people have been recommending to
adjust things to get the "perfect" set of ciphers in whatever order ;)

-chris
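
The operator rules being tested in this thread (`!` kill, `-` remove, leading `+` move to end, plain append, infix `+` as AND), applied to the expression above. This is an added example, not Tomcat's parser or code from anyone in the thread. The cipher table and its alias tags are constructed and heavily reduced, and table order stands in for OpenSSL's internal ordering.

```python
# Constructed, reduced cipher table: (OpenSSL-style name, alias tags).
# Real OpenSSL builds have many more suites and their own internal ordering.
TABLE = [
    ("ECDHE-RSA-AES256-GCM-SHA384", {"ECDHE", "ECDH", "HIGH"}),
    ("ECDHE-RSA-RC4-SHA",           {"ECDHE", "ECDH", "RC4", "MEDIUM"}),
    ("DHE-RSA-AES256-SHA",          {"DHE", "HIGH"}),
    ("DHE-DSS-AES256-SHA",          {"DHE", "DSS", "HIGH"}),
    ("AES256-GCM-SHA384",           {"HIGH"}),
    ("AES128-GCM-SHA256",           {"HIGH"}),
    ("AES256-SHA",                  {"HIGH"}),
    ("RC4-SHA",                     {"RC4", "MEDIUM"}),
    ("DES-CBC-SHA",                 {"DES", "LOW"}),
    ("EXP-RC4-MD5",                 {"EXPORT", "RC4"}),
    ("NULL-SHA",                    {"eNULL"}),
    ("ADH-AES256-SHA",              {"aNULL", "HIGH"}),
]

# The expression posted in the message above.
PAGE_EXPR = ("!aNULL:!eNULL:!EXPORT:!DSS:!DES:!SSLv2:ECDHE:ECDH:DHE:"
             "AES256-GCM-SHA384:AES128-GCM-SHA256:+RC4:HIGH:MEDIUM")

def evaluate(expr):
    """Return the ordered cipher list for an OpenSSL-style expression."""
    active, killed = [], set()
    for element in expr.split(":"):
        if not element:
            continue
        op = element[0] if element[0] in "!-+" else ""
        want = set(element[len(op):].split("+"))   # infix '+' means AND
        hits = [n for n, tags in TABLE if want <= tags | {n}]
        if op == "!":                               # kill: can never come back
            killed.update(hits)
            active = [n for n in active if n not in hits]
        elif op == "-":                             # remove: may be re-added later
            active = [n for n in active if n not in hits]
        elif op == "+":                             # reorder only what is already listed
            moved = [n for n in active if n in hits]
            active = [n for n in active if n not in hits] + moved
        else:                                       # append new matches, keep existing order
            active += [n for n in hits if n not in active and n not in killed]
    return active

if __name__ == "__main__":
    for rank, name in enumerate(evaluate(PAGE_EXPR), 1):
        print(rank, name)
```

In this model `+RC4` only demotes the RC4 suite that `ECDHE` had already added, so `ECDHE-RSA-RC4-SHA` still ranks above the `AES256-SHA` suite that the later `HIGH` appends; that kind of position-dependent behaviour is what tests of combined expressions need to pin down.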