[PATCH] Proxy: added the "proxy_ssl_ciphers" directive.

Piotr Sikora piotr at cloudflare.com
Mon Sep 23 23:16:30 UTC 2013


Hi Maxim,

>> This modifies current behaviour, and only allows to use
>> HIGH:!aNULL:!MD5 ciphers by default.  Are there any specific
>> reasons to?
>>
>> The "!aNULL" looks especially weird, as we don't check peers
>> certificates anyway.
>
> (...)
>
> In that case, I'd probably stick with "DEFAULT" (updated patch will
> follow)... Just keep in mind that nginx compiled against OpenSSL-1.0.1
> will be sending a ClientHello that's 316 bytes in size and will have
> issues with broken SSL servers... Whether or not that's something that
> nginx should worry about is another matter, but just to give you
> some perspective, last time I checked it was ~0.15% of servers that
> didn't like big ClientHello messages.

Forgot to mention - "DEFAULT" is the value OpenSSL uses when you don't
specify cipher list yourself (i.e. current behavior) and it's defined
as "ALL:!aNULL:!eNULL", which means that "!aNULL" is there already.

Best regards,
Piotr Sikora



More information about the nginx-devel mailing list