author: Stefan Fritsch <sf@apache.org> 2011-06-13 21:30:05 +0200
committer: Stefan Fritsch <sf@apache.org> 2011-06-13 21:30:05 +0200
commit: 6572b94bc6cfb41463edd9dc9d6f85cf0f04aa57 (patch)
tree: af1a9f43911b58c017ef93a0ac99d69677541533 /docs/manual/mod
parent: Disable AECDH ciphers in example config by using !aNULL (which includes (diff)
AFAICS, we don't have a default cipher suite but depend on openssl's default.
Document the fact that this default depends on the openssl version. Recommend !aNULL over !ADH, because the former also excludes !AECDH in openssl 1.0+

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1135241 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'docs/manual/mod')
-rw-r--r-- docs/manual/mod/mod_ssl.xml 7
1 files changed, 4 insertions, 3 deletions
diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml
index b86528d30d..43d3625909 100644
--- a/docs/manual/mod/mod_ssl.xml
+++ b/docs/manual/mod/mod_ssl.xml
@@ -614,7 +614,7 @@ SSLProtocol all -SSLv2
<description>Cipher Suite available for negotiation in SSL
handshake</description>
<syntax>SSLCipherSuite <em>cipher-spec</em></syntax>
-<default>SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</default>
+<default>SSLCipherSuite DEFAULT (depends on OpenSSL version)</default>
<contextlist><context>server config</context>
<context>virtual host</context>
<context>directory</context>
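Review bot: The new `<default>` line puts a prose remark inside what reads as directive syntax: `SSLCipherSuite DEFAULT (depends on OpenSSL version)` is not something a reader can paste, and it does not say whether mod_ssl passes the string DEFAULT to OpenSSL or sets nothing at all, which is what the commit message describes. Suggest keeping the element to the value only and moving the version caveat into the body text, with a pointer to `openssl ciphers -v` so administrators can list what their installed library actually enables by default.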
@@ -711,9 +711,10 @@ prefixes are:</p>
<p>A simpler way to look at all of this is to use the ``<code>openssl ciphers
-v</code>'' command which provides a nice way to successively create the
correct <em>cipher-spec</em> string. The default <em>cipher-spec</em> string
-is ``<code>ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</code>'' which
+depends on the version of the OpenSSL libraries used. Let's suppose it is
+``<code>ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</code>'' which
means the following: first, remove from consideration any ciphers that do not
-authenticate, i.e. for SSL only the Anonymous Diffie-Hellman ciphers. Next,
+authenticate, i.e. for SSL the Anonymous Diffie-Hellman ciphers. Next,
use ciphers using RC4 and RSA. Next include the high, medium and then the low
security ciphers. Finally <em>pull</em> all SSLv2 and export ciphers to the
end of the list.</p>
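Review bot: The reworded sentence on the `+authenticate, i.e. for SSL the Anonymous Diffie-Hellman ciphers` line still names only anonymous DH, while the commit message gives the reason for moving the example from `!ADH` to `!aNULL` as also excluding AECDH in OpenSSL 1.0+. Suggest naming the anonymous ECDH suites explicitly here so readers see why `!aNULL` is the better exclusion. Separately, "Let's suppose it is" introduces a string that still ends in `+LOW:+SSLv2:+EXP`; a sentence stating that the string only illustrates the syntax and is not a recommended setting would keep it from being copied into configurations.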