<div dir="ltr">Maxim I apologise if I've offended you or not understood something you wrote. My methodology was as follows: <div><br></div><div> - Install nginx</div><div> - Enable ssl</div><div> - Run the SSL Labs scan and a current version of Chrome</div><div> - Provide a patch that fixes the errors reported by those tools</div><div><br></div><div>Do you believe the provided SSL Labs report or Chrome is in error, or that something is wrong with the testing methodology above?</div><div><br></div><div><br></div><div><br></div><div><br></div><div> <br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Aug 4, 2015 at 12:10 AM, Maxim Dounin <span dir="ltr"><<a href="mailto:mdounin@mdounin.ru" target="_blank">mdounin@mdounin.ru</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello!<br>
<div><div class="h5"><br>
On Mon, Aug 03, 2015 at 11:53:08PM +0100, Mike MacCana wrote:<br>
<br>
> Thanks for the quick response again Maxim. You make some excellent points:<br>
><br>
> 1. Best practices for cipher lists change over time.<br>
> 2. ssl_prefer_server_ciphers is off by default<br>
><br>
> For now: how about:<br>
> - We use up to date values for NGX_DEFAULT_CIPHERS<br>
> - We turn on ssl_prefer_server_ciphers by default - having the server<br>
> control the negotiation is recommended in every configuration guide<br>
> - We add an up to date ssl_ciphers example to the default config file<br>
> - Above the example, we add a comment with the point you've made above:<br>
><br>
> # Security note: best practices for ssl_ciphers frequently change over time.<br>
> # Check <a href="https://mozilla.github.io/server-side-tls/ssl-config-generator" rel="noreferrer" target="_blank">https://mozilla.github.io/server-side-tls/ssl-config-generator</a> for<br>
> more recent settings<br>
> # ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:<br>
> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:<br>
> DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-<br>
> RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-<br>
> SHA384:ECDHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA256:<br>
> HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA<br>
><br>
> This would resolve the SSL Labs and Chrome warnings that currently show up<br>
> with nginx, but make sure people configuring nginx are aware that they need<br>
> to keep up to date, and shows them where they can get a more recent config.<br>
><br>
> If the user is lazy and doesn't follow ssl happenings, they're still better<br>
> out of the box. And actually giving them a URL to check might make them be<br>
> a little more security conscious.<br>
><br>
> How does that sound?<br>
<br>
</div></div>The number of false claims in your messages and the fact that you<br>
are not reading what I already wrote makes this discussion<br>
pointless, sorry.<br>
<div class="HOEnZb"><div class="h5"><br>
--<br>
Maxim Dounin<br>
<a href="http://nginx.org/" rel="noreferrer" target="_blank">http://nginx.org/</a><br>
<br>
_______________________________________________<br>
nginx-devel mailing list<br>
<a href="mailto:nginx-devel@nginx.org">nginx-devel@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx-devel" rel="noreferrer" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx-devel</a><br>
</div></div></blockquote></div><br></div>