On 2015-03-19 16:03:38 -0600, Bob Proulx wrote:
> Vincent Lefevre wrote:
> > Bob Proulx wrote:
> > > The Debian default Apache2 configuration for ssl is in local-ssl and
> > > it configures the self-signed so called "snakeoil" certificates.
> >
> > No, it is /etc/apache2/mods-available/ssl.conf, where you have the
> > SSLProtocol line, which is the line that needs to be modified.
>
> No, (I will just turn your reply around) that entry is commented out.

No, it is not commented out. The default in unstable is:

    SSLProtocol all -SSLv3

And the default in wheezy is:

    SSLProtocol all -SSLv2

You can check in apache2.2-common 2.2.22-13+deb7u4.

> It isn't an *active* part of the Debian configuration. The local
> admin must actually do something. Changing one commented out entry to
> another commented out entry is still a commented out entry.

Even if it were commented out by default, there could be two
solutions:

1. The configuration tool could uncomment the entry and change it.
2. The default (i.e. hardcoded value) could be changed, if possible.

> (Although it should wake up the admin that they need to merge files if
> they modified it. But I all too often see local admins simply keep
> their previous version of files without merging. Look at all of the
> people with trouble after the sudo secure_path change for examples.)

Note that I suggested the change in the case the file was *not*
modified. The admin I was mentioning wanted to keep Debian's
default (i.e. without any local change).

> The /etc/apache2/mods-available/ssl.conf doesn't need to be modified by
> the local admin because the cipher list there is commented out.

No, it is not commented out. ./etc/apache2/mods-available/ssl.conf in
apache2.2-common_2.2.22-13+deb7u4_amd64.deb contains:

    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Archive: https://lists.debian.org/20150320124513.ga5...@ypig.lip.ens-lyon.fr
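The disagreement in this message turns on whether a directive in ssl.conf is active or commented out, and on what the active SSLProtocol value leaves enabled. The script below is an added example, not part of the original message or of Debian's packaging; the helper names `active_directive` and `proto_enabled` are hypothetical, the sample file is constructed, and it assumes that `all` includes the protocol being tested and that the last uncommented occurrence in the file is the effective one.

```shell
#!/bin/sh
# Added example; active_directive and proto_enabled are hypothetical helper names.
# Print the arguments of the last uncommented NAME directive in FILE.
active_directive() {    # usage: active_directive FILE NAME
    awk -v name="$2" '
        /^[ \t]*#/ { next }                  # commented-out lines are not active
        {
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
            n = split(line, f, /[ \t]+/)
            if (n > 1 && tolower(f[1]) == tolower(name)) {
                sub(/^[^ \t]+[ \t]+/, "", line)
                val = line                   # simplification: last match wins, scope ignored
            }
        }
        END { if (val != "") print val }
    ' "$1"
}

# Exit 0 if PROTO stays enabled by an SSLProtocol value, 1 otherwise.
# mod_ssl reads tokens left to right: "+X" adds, "-X" removes, a bare "X" replaces.
# Assumption: "all" includes PROTO (errs on the side of reporting it enabled).
proto_enabled() {       # usage: proto_enabled "VALUE" PROTO
    enabled=0
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    for tok in $(printf '%s' "$1" | tr '[:upper:]' '[:lower:]'); do
        name=${tok#[+-]}
        hit=0
        if [ "$name" = all ] || [ "$name" = "$want" ]; then hit=1; fi
        case $tok in
            +*) if [ "$hit" -eq 1 ]; then enabled=1; fi ;;
            -*) if [ "$hit" -eq 1 ]; then enabled=0; fi ;;
            *)  enabled=$hit ;;
        esac
    done
    [ "$enabled" -eq 1 ]
}

# Constructed sample (not a real Debian file): one commented and one active line.
sample=$(mktemp)
printf '%s\n' '<IfModule mod_ssl.c>' '    #SSLProtocol all -SSLv2 -SSLv3' \
    '    SSLProtocol all -SSLv2' '    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5' \
    '</IfModule>' > "$sample"
value=$(active_directive "$sample" SSLProtocol)
if proto_enabled "$value" SSLv3; then
    echo "active SSLProtocol '$value' leaves SSLv3 enabled"
fi
rm -f "$sample"
```

Run against a real host, the first argument would be the path quoted in the message, /etc/apache2/mods-available/ssl.conf; directives set inside individual virtual hosts are not resolved by this check.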