From c0bdfa464b7c8b7d202b7a7ab31bc0e4b06a33fc Mon Sep 17 00:00:00 2001
From: Joe Orton <jorton@redhat.com>
Date: Jun 20 2014 09:54:36 +0000
Subject: mod_ssl: don't use the default OpenSSL cipher suite in ssl.conf (#1109119)


Resolves: rhbz#1109119

---

diff --git a/httpd.spec b/httpd.spec
index b14d656..d6acac2 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -14,7 +14,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.9
-Release: 4%{?dist}
+Release: 5%{?dist}
 URL: http://httpd.apache.org/
 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: index.html
@@ -624,6 +624,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_rpmconfigdir}/macros.d/macros.httpd
 
 %changelog
+* Fri Jun 20 2014 Joe Orton <jorton@redhat.com> - 2.4.9-5
+- mod_ssl: don't use the default OpenSSL cipher suite in ssl.conf (#1109119)
+
 * Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.9-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
 
diff --git a/ssl.conf b/ssl.conf
index ff60307..5c9b652 100644
--- a/ssl.conf
+++ b/ssl.conf
@@ -75,9 +75,11 @@ SSLEngine on
 SSLProtocol all -SSLv2
 
 #   SSL Cipher Suite:
-#   List the ciphers that the client is permitted to negotiate.
-#   See the mod_ssl documentation for a complete list.
-SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+# List the ciphers that the client is permitted to negotiate.
+# See the mod_ssl documentation for a complete list.
+# By leaving this directive commented out, the system-wide OpenSSL
+# default is used.  See update-crypto-policies(8) for more details.
+#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
 
 #   Speed-optimized SSL Cipher configuration:
 #   If speed is your main concern (on busy HTTPS servers e.g.),