Created attachment 27152: Disable AECDH ciphersuites by default

The OpenSSL-1.x CHANGES file says that 'the ECC ciphersuites are no longer excluded from "ALL" and "DEFAULT".' The default SSLCipherSuite directive (docs/conf/extra/httpd-ssl.conf.in)...

SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL

...enables ALL, and then disables anonymous DH but not anonymous ECDH. I presume that the intended behaviour is that all anonymous ciphersuites should be disabled by default, so I think ":!AECDH" should be added after ":!ADH". Trivial patch attached.
Fixed in trunk in r1135234 by using !aNULL. Updated docs in r1135241.
Thanks Stefan. I agree that !aNULL is more appropriate than !ADH:!AECDH.
Fixed in 2.4.1 and 2.2.22.
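The check the reporter describes can be reproduced directly against the local OpenSSL build with the openssl(1) "ciphers" command, which expands an SSLCipherSuite string the same way mod_ssl does. The script below is an added example, not part of the bug thread or of httpd's own code; it assumes an OpenSSL build with the ECC suites enabled (1.0.0 or later, where ALL includes them) and compares the pre-fix string with the !aNULL form committed in r1135234. The helper name count_anon is the example's own.

```shell
#!/bin/sh
# Added example (not from the httpd bug thread): expand two SSLCipherSuite
# strings with openssl(1) and count the suites that negotiate without any
# server authentication (openssl ciphers -v prints them as "Au=None").
# Assumes an OpenSSL build with ECC suites, i.e. 1.0.0 or later.

# The default shipped in docs/conf/extra/httpd-ssl.conf.in before the fix:
# !ADH removes anonymous DH but leaves anonymous ECDH (AECDH-*) in place.
OLD_SUITE='RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL'

# The fixed form (r1135234): !aNULL excludes every suite whose
# authentication is "None", so ADH and AECDH go in one keyword and any
# anonymous key exchange added by a later OpenSSL release is covered too.
NEW_SUITE='RC4-SHA:AES128-SHA:ALL:!aNULL:!EXP:!LOW:!MD5:!SSLV2:!NULL'

# count_anon SUITE_STRING: print the number of unauthenticated suites the
# string enables. "|| true" keeps grep's exit status 1 (zero matches) from
# aborting the script when it runs under "set -e".
count_anon() {
    openssl ciphers -v "$1" | grep -c 'Au=None' || true
}

# list_anon SUITE_STRING: print the names of those suites, for the log.
list_anon() {
    openssl ciphers -v "$1" | awk '$4 == "Au=None" { print $1 }'
}

echo "anonymous suites with !ADH only:  $(count_anon "$OLD_SUITE")"
list_anon "$OLD_SUITE" | sed 's/^/    /'
echo "anonymous suites with !aNULL:     $(count_anon "$NEW_SUITE")"
```

Run it on the web server host itself rather than a workstation, since the answer depends on the OpenSSL build mod_ssl is linked against; the first count is non-zero on any build that ships AECDH suites, and the second must be zero.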