Disable SSLHonorCipherOrder

[mueller-ma]

It's recommended by https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=modern&openssl=1.1.1k&guideline=5.7 to disable SSLHonorCipherOrder.

[github-actions]

This pr has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!

Please read this blog post to see the reasons why I mark issues as stale.

[mueller-ma]

The PR is still required to match the recommendations by Mozilla.

[ravik694]

It's recommended by https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=modern&openssl=1.1.1k&guideline=5.7 to disable SSLHonorCipherOrder.

According to https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility:

Cipher preference: client chooses
[...]

• Rationale:
  • All cipher suites are forward secret and authenticated
  • The cipher suites are all strong and so we allow the client to choose, as they will know best if they have support for hardware-accelerated AES

The Modern config is only meant for TLS versions/ciphers where all ciphers are strong/support forward secrecy. Setting a hardcoded SSLHonorCipherOrder Off in this role could actually be less secure if the TLS versions/ciphers chosen are not all strong. The default config for the role does not enforce TLS versions/ciphers that are all strong.

[mueller-ma]

I can make it configurable, but IMO it should be "secure by default". The TLS versions and ciphers in https://github.com/geerlingguy/ansible-role-apache/blob/master/defaults/main.yml should be updated as well, but in a different PR.

[github-actions]

This pr has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!

Please read this blog post to see the reasons why I mark issues as stale.

[mueller-ma]

The PR is still required to match the recommendations by Mozilla.