[PATCH] Disable Anonymous ECDH ciphersuites by default

Rob Stradling rob.stradling at comodo.com
Tue Jun 14 12:58:21 MSD 2011


Hi.  NGX_DEFAULT_CIPHERS specifies !ADH to exclude the Anonymous DH 
ciphersuites.  With OpenSSL-0.x, this has the effect of disabling all 
ciphersuites that offer no authentication.  However, OpenSSL-1.x adds support 
for Anonymous ECDH ciphersuites, and these are not disabled by !ADH.

!aNULL is the appropriate cipher string for disabling all anonymous 
ciphersuites.  [1] observes that anonymous ciphersuites 'are vulnerable to a 
"man in the middle'' attack and so their use is normally discouraged.'

Trivial patch attached.

Apache httpd just committed a patch for the same issue [2].

[1] http://www.openssl.org/docs/apps/ciphers.html
[2] https://issues.apache.org/bugzilla/show_bug.cgi?id=51363

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
-------------- next part --------------
A non-text attachment was scrubbed...
Name: disable_aecdh.patch
Type: text/x-patch
Size: 1114 bytes
Desc: not available
URL: <http://nginx.org/pipermail/nginx-devel/attachments/20110614/85983a5f/attachment.bin>


More information about the nginx-devel mailing list