Hi everyone,
regarding the latest apache patches (sorry, I will discuss several patches in one mail):
"disable obsolete and unused ciphers in Apache SSL configuration" This looks good to me, but why don't we use a standard configuration, like the one that the Mozilla SSL Configuration Generator outputs (or maybe build on that)? https://mozilla.github.io/server-side-tls/ssl-config-generator/
It could make sense to still support DHE parameters, since they provide PFS - in contrast to the "normal" AES128-GCM-SHA256 parameters. We could pre-generate a 2048 bit DH param and use that, if the user is not re-generating it. This is still a lot better than using the standard Apache DH params. I also discovered while searching for standard DH params that there exist other firewall distributions that do it exactly this way.
"add ECDSA certificate and key files to Apache configuration" I think that if we add "SSLCertificateFile" twice to the configuration, the first one will just be overwritten. So in this case, the server.crt|key are not used at all.
Another word to the "Require" statements from Apache. As you already noticed, they are ORed, if they are not in a RequireAll|Any|None block. To make this behavior transparent, I would suggest to always use the RequireX block and don't rely on the default (RequireAny->OR), if possible. This is just a note to everyone that updates/creates access control within the Apache configuration.
Best regards, Wolfgang