HTTP/2 without forward secrecy (Diffie-Hellman)

B.R. reallfqq-nginx at
Tue Aug 16 13:55:13 UTC 2016

On Mon, Aug 15, 2016 at 3:04 PM, Lukas Tribus <luky-37 at> wrote:

> > For that I need to disable forward secrecy (since it is only a test
> > environment security is not an issue)
> >
> > So I changed the "ssl_ciphers" in my /sites-enabled/default file from:
> >
> > ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
> > into
> > ssl_ciphers "AES128-SHA";
> This cannot work, HTTP/2.0 only always certain ciphers [3]. The fact the
> it works in Apache means Apache violates the RFC.
> Also see nginx manual [4].

​​That is a wrong assumption and an inadequate blame on Apache.

The list you are mentioning and which is directly linked in the nginx
example you referenced (RFC 7540, Appendix A
<>)​ ​uses the MAY keyword,
defined as 'truly optional'.
nginx has made the choice​ of strictly following RFC advice, but technology
who don't make no violation *per se*.

> [3]
> [4]

Thus, this configuration *can* work and the problem is definitely elsewhere
(cf. Valentin message for example).
*B. R.*​
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the nginx mailing list