[PATCH] update default ssl_ciphers value
mike.maccana at gmail.com
Tue Aug 4 13:52:58 UTC 2015
> Examining their implementation, and ordering them is the task of security
Indeed. The ciphersuite ordering is directly from the Mozilla Server Side
TLS project. https://mozilla.github.io/server-side-tls/ssl-config-generator/
My understanding is OpenSSLs inbuilt ciphersuite groups (per
https://www.openssl.org/docs/apps/ciphers.html) aren't sufficient to
implement Mozilla's rationale, see
hence why Mozilla specify the ciphersuites ordering explicitly.
On Tue, Aug 4, 2015 at 1:54 PM, W-Mark Kubacki <wmark+nginx at hurrikane.de>
> Do not specifiy cipher suites, one by one, by name. That's dangerous.
> OpenSSL knows groups!
> Examples for groups:
> - HIGH
> - TLSv1.2
> … and matching:
> - HIGH+kEECDH
> - HIGH+kEECDH:HIGH+kEDH:-3DES
> Examining their implementation, and ordering them is the task of
> security engineers and/or best delegated to the authors of TLS
> Imagine a cipher suite "falls out of fashion", or an implementation
> turns out to be weaker than expected, or new ones get implemented
> (hello CHACHA20! see you TLSv1.3!). You don't want to go through those
> lists (you shouldn't have used) again nor should you expect that a
> regular user will do this (most didn't even care enough to change the
> default DHparam).
> 2015-08-04 0:53 GMT+02:00 Mike MacCana <mike.maccana at gmail.com>:
> > Thanks for the quick response again Maxim. You make some excellent
> > 1. Best practices for cipher lists change over time.
> > 2. ssl_prefer_server_ciphers is off by default
> > For now: how about:
> > - We use up to date values for NGX_DEFAULT_CIPHERS
> > - We turn on ssl_prefer_server_ciphers by default - having the server
> > control the negotiation is recommended in every configuration guide
> > - We add an up to date ssl_ciphers example to the default config file
> > - Above the example, we add a comment with the point you've made above:
> > # Security note: best practices for ssl_ciphers frequently change over
> > # Check https://mozilla.github.io/server-side-tls/ssl-config-generator
> > more recent settings
> > # ssl_ciphers
> > This would resolve the SSL Labs and Chrome warnings that currently show
> > with nginx, but make sure people configuring nginx are aware that they
> > to keep up to date, and shows them where they can get a more recent
> > If the user is lazy and doesn't follow ssl happenings, they're still
> > out of the box. And actually giving them a URL to check might make them
> be a
> > little more security conscious.
> > How does that sound?
> > _______________________________________________
> > nginx-devel mailing list
> > nginx-devel at nginx.org
> > http://mailman.nginx.org/mailman/listinfo/nginx-devel
> nginx-devel mailing list
> nginx-devel at nginx.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the nginx-devel