[PATCH] Disable Anonymous ECDH ciphersuites by default
Rob Stradling
rob.stradling at comodo.com
Tue Jun 14 12:58:21 MSD 2011
Hi. NGX_DEFAULT_CIPHERS specifies !ADH to exclude the Anonymous DH
ciphersuites. With OpenSSL-0.x, this has the effect of disabling all
ciphersuites that offer no authentication. However, OpenSSL-1.x adds support
for Anonymous ECDH ciphersuites, and these are not disabled by !ADH.

!aNULL is the appropriate cipher string for disabling all anonymous
ciphersuites. [1] observes that anonymous ciphersuites "are vulnerable to a
'man in the middle' attack and so their use is normally discouraged."

Trivial patch attached.

Apache httpd just committed a patch for the same issue [2].

[1] http://www.openssl.org/docs/apps/ciphers.html
[2] https://issues.apache.org/bugzilla/show_bug.cgi?id=51363
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
-------------- next part --------------
A non-text attachment was scrubbed...
Name: disable_aecdh.patch
Type: text/x-patch
Size: 1114 bytes
Desc: not available
URL: <http://nginx.org/pipermail/nginx-devel/attachments/20110614/85983a5f/attachment.bin>
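The difference the post describes, checked against a live OpenSSL, as an added example (this is not the attached patch and not nginx code): it asks the OpenSSL that Python links against which unauthenticated (Au=None) suites each cipher string still enables. It assumes Python 3.6+ and an OpenSSL build that ships the anonymous suites, and pins @SECLEVEL=0 because OpenSSL 1.1.0 and later already drop aNULL suites at security level 1 and above.

```python
"""Which anonymous ciphersuites does each cipher string from the post leave
enabled?  Example code added alongside the post; not the attached patch and
not nginx code.  Results reflect the OpenSSL build Python is linked against."""
import ssl


def enabled_suites(cipher_string):
    """Return the suites OpenSSL enables for cipher_string, as the dicts
    SSLContext.get_ciphers() yields (name, description, ...)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        # OpenSSL >= 1.1.0 refuses aNULL suites at security level 1 and above,
        # so pin level 0 to see what the cipher string alone would allow.
        ctx.set_ciphers(cipher_string + ":@SECLEVEL=0")
    except ssl.SSLError:
        # Builds without security levels (e.g. LibreSSL): use the string as-is.
        ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def anonymous_suites(cipher_string):
    """Names of the unauthenticated suites a cipher string enables.
    'Au=None' is how SSL_CIPHER_description() marks anonymous key exchange,
    so this catches both the ADH-* and the AECDH-* suites."""
    return [c["name"] for c in enabled_suites(cipher_string)
            if "Au=None" in c["description"]]


# Both strings are constructed for this example.  The post's point: !ADH only
# matches anonymous (finite-field) DH, while !aNULL matches every anonymous suite.
LEGACY = "ALL:!ADH"    # still leaves AECDH-* enabled on OpenSSL 1.x
FIXED = "ALL:!aNULL"   # excludes ADH-* and AECDH-* alike


if __name__ == "__main__":
    for label, cs in (("!ADH", LEGACY), ("!aNULL", FIXED)):
        print(f"{label:7} anonymous suites left: {anonymous_suites(cs) or 'none'}")
```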