[PATCH] Disable Anonymous ECDH ciphersuites by default

Rob Stradling rob.stradling at comodo.com
Tue Jun 14 16:17:53 MSD 2011


On Tuesday 14 Jun 2011 13:04:18 António P. P. Almeida wrote:
> On 14 Jun 2011 09h58 WEST, rob.stradling at comodo.com wrote:
<snip>
> > -#define NGX_DEFAULT_CIPHERS  "HIGH:!ADH:!MD5"
> > +#define NGX_DEFAULT_CIPHERS  "HIGH:!aNULL:!MD5"
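Review bot: the widened exclusion is the right scope here. `!ADH` removes only the anonymous finite-field DH suites, while `!aNULL` removes every suite that offers no server authentication, which covers the anonymous ECDH suites that 1.x now includes in HIGH. Since the same string is valid on 0.9.x, no `OPENSSL_VERSION_NUMBER` guard is needed; consider saying so in the commit message, and verify the result with `openssl ciphers -v 'HIGH:!aNULL:!MD5'`, which should list no `Au=None` entries.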
<snip>
> Shouldn't there be some sort of check for the OpenSSH version?
> 
> #if OPENSSL_VERSION_NUMBER >= 0x10000000L
>   (after 1.x code)
> #else
>   (before 1.x code)
> #endif
> 
> If I understood correctly this is something that appeared in 1.x. not
> existing in 0.9.x.
> 
> Is it so?

Yes, the behaviour changed between OpenSSL 0.9.x and 1.x: the ECC ciphersuites 
are now included in the ALL, DEFAULT, HIGH, etc, cipher strings.  However, 
there is no need for any check on the OpenSSL version number.  Changing !ADH 
to !aNULL is also appropriate for 0.9.x.

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
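As an added example, not part of the thread, this script expands both cipher strings against whichever OpenSSL is linked into Python and lists any suites left that provide no server authentication, so the effect of `!ADH` versus `!aNULL` can be checked on any OpenSSL version rather than guarded by a version number. The two cipher strings are the ones quoted in the patch; nothing else is assumed.

```python
import ssl

# The nginx default cipher strings quoted in the patch: before and after.
OLD_DEFAULT = "HIGH:!ADH:!MD5"
NEW_DEFAULT = "HIGH:!aNULL:!MD5"


def expand_cipher_string(cipher_string):
    """Return the ciphersuites OpenSSL selects for a cipher string.

    The expansion is done by the OpenSSL library linked into this Python
    build, so it reflects that version's ALL/HIGH membership (for example
    whether anonymous ECDH suites are part of HIGH) instead of a fixed table.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def anonymous_suites(cipher_string):
    """Names of the selected suites that offer no server authentication.

    OpenSSL's description line marks such suites with 'Au=None'. These are
    exactly the suites that !aNULL excludes; !ADH excludes only the
    finite-field DH members of that set.
    """
    return [
        cipher["name"]
        for cipher in expand_cipher_string(cipher_string)
        if "Au=None" in cipher["description"]
    ]


if __name__ == "__main__":
    for cipher_string in (OLD_DEFAULT, NEW_DEFAULT):
        selected = expand_cipher_string(cipher_string)
        anon = anonymous_suites(cipher_string)
        print(f"{cipher_string!r}: {len(selected)} suites selected, "
              f"anonymous: {anon or 'none'}")
```

On an OpenSSL 1.x build the old string typically still lists anonymous ECDH suites, while the new string lists none regardless of version.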



More information about the nginx-devel mailing list