[PATCH] Disable Anonymous ECDH ciphersuites by default
rob.stradling at comodo.com
Tue Jun 14 12:58:21 MSD 2011
Hi. NGX_DEFAULT_CIPHERS specifies !ADH to exclude the Anonymous DH
ciphersuites. With OpenSSL-0.x, this has the effect of disabling all
ciphersuites that offer no authentication. However, OpenSSL-1.x adds support
for Anonymous ECDH ciphersuites, and these are not disabled by !ADH.
!aNULL is the appropriate cipher string for disabling all anonymous
ciphersuites.  observes that anonymous ciphersuites 'are vulnerable to a
"man in the middle" attack and so their use is normally discouraged.'
Trivial patch attached.
Apache httpd just committed a patch for the same issue.
Senior Research & Development Scientist
COMODO - Creating Trust Online
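
A check for the gap described in this message, added here as an example (not part of the original mail, its attachment, or nginx): it parses `openssl ciphers -v` output and lists every suite with `Au=None`, which is what `!aNULL` removes and `!ADH` only partly covers. The sample output is constructed, and the function names are hypothetical.

```python
import re
import shutil
import subprocess

# Constructed sample: the shape of `openssl ciphers -v 'ALL:!ADH'` output on an
# OpenSSL 1.x build (a few illustrative lines, not captured from a real host).
SAMPLE_ALL_NOT_ADH = """\
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
AECDH-AES256-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
AECDH-RC4-SHA           SSLv3 Kx=ECDH     Au=None Enc=RC4(128)  Mac=SHA1
"""

FIELD = re.compile(r"(\w+)=(\S+)")  # Kx=..., Au=..., Enc=..., Mac=...


def parse_ciphers(text):
    """Parse `openssl ciphers -v` lines into dicts (name, proto, Kx, Au, Enc, Mac)."""
    suites = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # skip blank or malformed lines
        suite = {"name": parts[0], "proto": parts[1]}
        suite.update(FIELD.findall(line))
        suites.append(suite)
    return suites


def anonymous_suites(text):
    """Names of suites offering no authentication (Au=None)."""
    return [s["name"] for s in parse_ciphers(text) if s.get("Au") == "None"]


def audit(cipher_string, openssl="openssl"):
    """Expand a cipher string with the local openssl binary; None if unavailable."""
    if shutil.which(openssl) is None:
        return None
    out = subprocess.run([openssl, "ciphers", "-v", cipher_string],
                         capture_output=True, text=True)
    return anonymous_suites(out.stdout) if out.returncode == 0 else None


if __name__ == "__main__":
    print("sample:", anonymous_suites(SAMPLE_ALL_NOT_ADH))
    for cs in ("ALL:!ADH", "ALL:!aNULL"):  # constructed cipher strings
        print(cs, "->", audit(cs))
```

An empty list from `audit()` means the cipher string admits no unauthenticated suites on the OpenSSL build that ran it; the result depends on that build's version.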