[PATCH] update default ssl_ciphers value
mike.maccana at gmail.com
Tue Aug 4 23:11:39 UTC 2015
I mentioned in my last email message that I was investigating discrepancies
between your results and mine: I've since confirmed I'd used ssl_dhparam
from Mozilla's preferred config and not included this in the actual patch.
I apologise, Thomas. Thanks for including your own handshake results as it's
given me something to compare against and helped move the discussion
With the following setup:
- Adding dh_param
- nginx hg revision 6217
- 'HIGH:!aNULL:!MD5' as defined in openssl 1.0.1e (too long to paste)
I can get an A out of the box - see https://archive.is/fEcdv.
I believe this means we're in sync: provided the user keeps openssl up to
date, adding dh_param should fix the ssllabs warnings.
I was trying to save nginx users some additional work, and not correctly
identifying the parameter that resolved the warning was my mistake.
Would nginx accept a patch to include dh_params in the example config?
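
An added example, not part of the original message or of nginx: a small audit that reports which TLS-enabled `server` blocks in a configuration have no `ssl_dhparam` in effect, the setting the message identifies as the one that resolved the warning. The function names, the sample configuration and the dhparam path are constructed for illustration, and the parser assumes one directive per line with no `include` handling.

```shell
#!/bin/sh
# Added example: report TLS server blocks that have no ssl_dhparam in effect.
# Simplified parser (assumption): one directive per line, "server {" on its
# own line, no include handling.
audit_dhparam() {
    awk '
    { sub(/#.*/, "") }                               # drop comments
    /^[ \t]*server[ \t]*[{]/ && !in_srv {            # a server block opens
        in_srv = 1; srv_depth = depth; n++
        line[n] = NR; tls[n] = 0; dh[n] = 0
    }
    in_srv && (/^[ \t]*listen[ \t].*[ \t]ssl[ \t;]/ || /^[ \t]*ssl[ \t]+on[ \t]*;/) {
        tls[n] = 1                                   # this server speaks TLS
    }
    /^[ \t]*ssl_dhparam[ \t]/ {
        if (in_srv) dh[n] = 1; else inherited = 1    # http-level value is inherited
    }
    {
        depth += gsub(/[{]/, "{") - gsub(/[}]/, "}") # track brace nesting
        if (in_srv && depth <= srv_depth) in_srv = 0 # the server block closed
    }
    END {
        for (i = 1; i <= n; i++) {
            if (!tls[i]) continue
            if (dh[i] || inherited) print "line " line[i] ": ok"
            else { print "line " line[i] ": missing ssl_dhparam"; bad = 1 }
        }
        exit bad + 0                                 # non-zero if any server lacks it
    }' "$@"
}

# Constructed sample configuration; the dhparam path is a placeholder.
sample_conf() {
    cat <<'EOF'
server {
    listen 443 ssl;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_dhparam /etc/nginx/dhparam.pem;
}
server {
    listen 8443 ssl;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
EOF
}

sample_conf | audit_dhparam || echo "at least one TLS server lacks ssl_dhparam"
```

Pass a configuration file as the argument, or pipe one in; the exit status is non-zero when any TLS server block has no `ssl_dhparam` set locally or inherited.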