Why can't the 'best config for security' be the default out of the box on nginx and apache httpd? That's the only way we're actually going to have a secure web, ain't it?
There's been a lot of recent flux in what the consensus on "best config for security" even is in the past six months. We went through a phase where RC4 was the recommended cipher, now we're mostly coming around to it being a bad idea, for instance, and that's still a thing in progress rather than totally done.
Seems like someone should invent a way to easily get automatic updates to your ssl config in apache and/or nginx.
I know I'm not the only one with half a dozen, a dozen, or dozens of web servers I am responsible for -- who realistically isn't going to keep track of what the current consensus is and go updating the ssl configuration even every six months.