The NSSCipherSuite option of mod_nss accepts OpenSSL-styled cipherstrings. It was found that the parsing of such cipherstrings is flawed. If this option is used to disable insecure ciphersuites using the common "!" syntax, e.g.: NSSCipherSuite !eNULL:!aNULL:AESGCM+aRSA:ECDH+aRSA it will actually enable those insecure ciphersuites. Acknowledgements: This issue was discovered Hubert Kario of Red Hat.
Created mod_nss tracking bugs for this issue: Affects: fedora-all [bug 1263070]
mod_nss-1.0.12-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
This issue was fixed upstream via the following commit: https://git.fedorahosted.org/cgit/mod_nss.git/commit/?id=34e1ccecb4a7d5054dba2f92b403af9b6ae1e110