From 98b9ff5728ac1600963f9558c4cd7395bd2e7f94 Mon Sep 17 00:00:00 2001 From: Rainer Jung Date: Wed, 21 Jul 2010 09:54:59 +0000 Subject: [PATCH] Update SSL cipher suite and add example for SSLHonorCipherOrder. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@966160 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 3 +++ docs/conf/extra/httpd-ssl.conf.in | 21 ++++++++++++--------- 2 files changed, 15 insertions(+), 9 deletions(-) diff --git a/CHANGES b/CHANGES index be77fc5be9..8cf626986b 100644 --- a/CHANGES +++ b/CHANGES @@ -39,6 +39,9 @@ Changes with Apache 2.3.7 *) HTTP protocol filter: fix handling of longer chunk extensions PR 49474 [] + *) Update SSL cipher suite and add example for SSLHonorCipherOrder. + [Lars Eilebrecht, Rainer Jung] + Changes with Apache 2.3.6 *) SECURITY: CVE-2009-3555 (cve.mitre.org) diff --git a/docs/conf/extra/httpd-ssl.conf.in b/docs/conf/extra/httpd-ssl.conf.in index 59781b9c11..f8e7281004 100644 --- a/docs/conf/extra/httpd-ssl.conf.in +++ b/docs/conf/extra/httpd-ssl.conf.in @@ -45,9 +45,20 @@ Listen @@SSLPort@@ ## the main server and all SSL-enabled virtual hosts. ## +# SSL Cipher Suite: +# List the ciphers that the client is permitted to negotiate. +# See the mod_ssl documentation for a complete list. +SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL + +# SSL Cipher Honor Order: +# On a busy HTTPS server you may want to enable this directive +# to force clients to use one of the faster ciphers like RC4-SHA +# or AES128-SHA in the order defined by SSLCipherSuite. +#SSLHonorCipherOrder on + # Pass Phrase Dialog: # Configure the pass phrase gathering process. -# The filtering dialog program (`builtin' is a internal +# The filtering dialog program (`builtin' is an internal # terminal dialog) has to provide the pass phrase on stdout. SSLPassPhraseDialog builtin 
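Review bot: In the docs/conf/extra/httpd-ssl.conf.in hunk, the new `SSLCipherSuite` line excludes unauthenticated key exchange only through `!ADH`, which names the anonymous-DH suites. If the linked OpenSSL also places anonymous ECDH suites under `ALL` (the comment removed in the following hunk says recent snapshots add ECC suites there), those suites would stay negotiable, so `!aNULL` is the safer exclusion. The line also ranks RC4-SHA first, and the SSLHonorCipherOrder comment presents forcing it as a speed gain; RC4 was later prohibited for TLS by RFC 7465, so the example should not steer operators toward it. `!SSLV2` is spelled differently from the `+SSLv2` in the removed line, and it is worth confirming that OpenSSL matches that token rather than ignoring it. I would write the directive as `SSLCipherSuite AES128-SHA:ALL:!aNULL:!RC4:!EXP:!LOW:!MD5:!SSLv2:!NULL` and reword the comment to `# Enable this directive so the server's preference order, not the client's, selects the cipher.`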
@@ -75,14 +86,6 @@ TransferLog "@exp_logfiledir@/access_log" # Enable/Disable SSL for this virtual host. SSLEngine on -# SSL Cipher Suite: -# List the ciphers that the client is permitted to negotiate. -# See the mod_ssl documentation for a complete list. -# Recent OpenSSL snapshots include Elliptic Curve Cryptograhpy (ECC) -# cipher suites (see RFC 4492) as part of "ALL". Edit this line -# if you need to disable any of those ciphers. -SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL - # Server Certificate: # Point SSLCertificateFile at a PEM encoded certificate. If # the certificate is encrypted, then you will be prompted for a -- 2.40.0