[PATCH] Disable Anonymous ECDH ciphersuites by default
Rob Stradling
rob.stradling at comodo.com
Tue Jun 14 16:17:53 MSD 2011
On Tuesday 14 Jun 2011 13:04:18 António P. P. Almeida wrote:
> On 14 Jun 2011 09h58 WEST, rob.stradling at comodo.com wrote:
<snip>
> > -#define NGX_DEFAULT_CIPHERS "HIGH:!ADH:!MD5"
> > +#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
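Review bot: the widening from `!ADH` to `!aNULL` deserves a sentence in the commit message and wherever the default `ssl_ciphers` value is documented, because the two are not equivalent: `!ADH` removes only the anonymous DH family, while `!aNULL` removes every suite that performs no authentication, anonymous ECDH included, which is the gap the subject line is about now that HIGH pulls in the ECC suites.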
<snip>
> Shouldn't there be some sort of check for the OpenSSH version?
>
> #if OPENSSL_VERSION_NUMBER >= 0x100000000
> (after 1.x code)
> #else
> (before 1.x code)
> #endif
>
> If I understood correctly this is something that appeared in 1.x, not
> existing in 0.9.x.
>
> Is it so?
Yes, the behaviour changed between OpenSSL 0.9.x and 1.x: the ECC ciphersuites
are now included in the ALL, DEFAULT, HIGH, etc, cipher strings. However,
there is no need for any check on the OpenSSL version number. Changing !ADH
to !aNULL is also appropriate for 0.9.x.
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
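The practical check behind this thread, as an added example that is not part of the patch or the discussion: expand both cipher strings through the OpenSSL build your interpreter links against and list the suites that do no server authentication (OpenSSL marks them `Au=None`, which covers both the ADH and the AECDH families). The constant names and the helper functions are this example's own.

```python
"""Which anonymous (unauthenticated) suites does an OpenSSL cipher string admit?

Added example, not nginx or OpenSSL code. Python's ssl module hands the string
to the real OpenSSL cipher-string parser, so the output reflects whatever
OpenSSL version the interpreter was built against.
"""
import ssl

OLD_DEFAULT = "HIGH:!ADH:!MD5"    # nginx default before the patch
NEW_DEFAULT = "HIGH:!aNULL:!MD5"  # nginx default after the patch


def expand(cipher_string):
    """Return (name, description) pairs for the suites OpenSSL selects."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    # description is the same one-line form `openssl ciphers -v` prints
    return [(c["name"], c["description"]) for c in ctx.get_ciphers()]


def anonymous_suites(cipher_string):
    """Names of selected suites that perform no authentication at all.

    `Au=None` is how OpenSSL describes such a suite; it appears for the
    DH-based ADH-* names and the ECDH-based AECDH-* names alike, which is
    exactly the difference between excluding !ADH and excluding !aNULL.
    """
    return [name for name, desc in expand(cipher_string) if "Au=None" in desc]


if __name__ == "__main__":
    for s in (OLD_DEFAULT, NEW_DEFAULT):
        found = anonymous_suites(s)
        print(f"{s:22} anonymous suites: {', '.join(found) if found else 'none'}")
```

Whether the old string still lists any AECDH-* suites depends on the OpenSSL version present; the new string lists none on any version, which is the point Rob makes about not needing a version check.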