<div dir="ltr"><div class="gmail_default" style="font-size:small;color:rgb(51,51,153)">Loud and clear.<br><br></div><div class="gmail_default" style="font-size:small;color:rgb(51,51,153)">I am no expert at OpenSSL cypher suites.<br>
</div><div class="gmail_default" style="font-size:small;color:rgb(51,51,153)">I found <a href="https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy">that resource</a> that might prove useful on their own website.<br>
</div><div class="gmail_default" style="font-size:small;color:rgb(51,51,153)">At least, that is a start to understand what you are doing...<br></div><div class="gmail_default" style="font-size:small;color:rgb(51,51,153)">
<br></div><div class="gmail_default" style="font-size:small;color:rgb(51,51,153)">Thanks!<br></div><div class="gmail_extra"><div><font size="1"><span style="color:rgb(102,102,102)">---<br></span><b><span style="color:rgb(102,102,102)">B. R.</span></b><span style="color:rgb(102,102,102)"></span></font></div>
<br><br><div class="gmail_quote">On Mon, Sep 1, 2014 at 8:07 PM, Maxim Dounin <span dir="ltr"><<a href="mailto:mdounin@mdounin.ru" target="_blank">mdounin@mdounin.ru</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hello!<br>
<div class=""><br>
On Mon, Sep 01, 2014 at 04:56:00PM +0200, B.R. wrote:<br>
<br>
> Hello,<br>
><br>
> I filled a (now closed, because erroneous) enhancement ticket:<br>
> <a href="http://trac.nginx.org/nginx/ticket/619" target="_blank">http://trac.nginx.org/nginx/ticket/619</a><br>
><br>
> As it appears, the change I noticed in the SSl test did not result from my<br>
> malformed ciphers list.<br>
> Right about that.<br>
><br>
> However, what is intriguing is the answer Maxim gave me on the second part<br>
> of my proposal: the default activation of ssl_prefer_server_ciphers<br>
</div>> <<a href="http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers" target="_blank">http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers</a>><br>
<div class="">> .<br>
><br>
> He saif that this option put to on made sense with a custome list but not<br>
> with the default one.<br>
><br>
> I confirm that the results of my tests changed. It was no because of the<br>
> ciphers list, but it was due to that other change.<br>
> Thus, the ciphers used by the emulated clients of the test changed<br>
> following the activation of that option, allowing me to pass the 'Forward<br>
> Secrecy' part of the test, resulting in an upgrade of my score from A- to A.<br>
><br>
> I jsut checked it again, removing my buggy ciphers list and (de)activating<br>
> de rprefer' option.<br>
><br>
> If using that option with the default ciphers list was useless, what had<br>
> that change an impact on the results of my test?<br>
<br>
</div>Switching on or off ssl_prefer_server_ciphers obviously may change<br>
score as reported by SSL Labs, since it can (and likely will)<br>
change ciphers negotiated in some cases. But it's usually not<br>
a good idea to switch it on unless you understand the results and<br>
have a good reason to do so.<br>
<br>
By default, OpenSSL sorts ciphers per symmetric encryption<br>
strength, and prefers ciphers with forward secrecy if strength is<br>
identical. As a result you may get better forward secrecy support<br>
if you'll switch on ssl_prefer_server_ciphers - or not, depending<br>
on actual ciphers supported by clients. E.g., AES256-SHA will be<br>
preferred over ECDHE-RSA-AES128-SHA, which is probably not what<br>
you want.<br>
<br>
Another example: DHE-RSA-AES256-SHA256 will be preferred over<br>
ECDHE-RSA-AES128-SHA256. On the other hand, you probably<br>
don't want DHE to be used at all for performance reasons.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Maxim Dounin<br>
<a href="http://nginx.org/" target="_blank">http://nginx.org/</a><br>
<br>
_______________________________________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org">nginx@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx</a><br>
</font></span></blockquote></div><br></div></div>