It has been a while since I wrote part two of the crypto wars. Luckily Peter Mosmans has backported ChaCha20 and Poly1305 ciphers of OpenSSL 1.1.0 to 1.0.2 on github so that at least Chrome browser can use 256 bit encryption over HTTP/2
However on the httpd dev mailing list there are a few people already talking about making changes to APR and httpd so that it will compile with OpenSSL 1.1.0
The config for that is:
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2 SSLCompression Off SSLHonorCipherOrder On SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA
Why 256 bit? 128 bit hasn’t been cracked yet. The answer is that the collection of data and the data will decrypted when the time has come with a new generation of computers.