SSL default changes?

Maxim Dounin mdounin at
Mon Mar 11 10:53:24 UTC 2013


On Sun, Mar 10, 2013 at 09:48:47PM -0700, Grant wrote:

> It looks like these changes from default are required for SSL session
> resumption and to mitigate the BEAST SSL vulnerability:
> ssl_session_cache shared:SSL:10m;
> ssl_ciphers RC4:HIGH:!aNULL:!MD5;
> ssl_prefer_server_ciphers on;
> Should the defaults be changed to these?

The BEAST attack could be mitigated by various means, including 
switching to TLS 1.1/1.2 (you probably do not want to due to 
compatibility reasons) and/or fixing it on a client side (which is 
considered to be right solution and already implemented by all 
modern browsers).

Use of the RC4 cipher is more a workaround than a permanent 
solution, and hence there are no plans to make it the default.

Maxim Dounin

More information about the nginx mailing list