[PATCH] Proxy: added the "proxy_ssl_ciphers" directive.
Maxim Dounin
mdounin at mdounin.ru
Tue Sep 24 13:37:56 UTC 2013
Hello!
On Mon, Sep 23, 2013 at 03:55:36PM -0700, Piotr Sikora wrote:
> Hi Maxim,
>
> >> Proxy: added the "proxy_ssl_ciphers" directive.
> >
> > Already asked in another thread if it really worth adding.
>
> Yes, it is, and in my experience this one is much more useful than
> "proxy_ssl_protocols".
>
> Basically, there are 2 categories of broken SSL servers:
> 1. cannot accept ClientHello that's > 255 bytes,
> 2. cannot downgrade gracefully to a common supported TLS version.
Fair enough, thanks for the detailed answer.
[...]
> > This modifies current behaviour, and only allows using
> > HIGH:!aNULL:!MD5 ciphers by default. Are there any specific
> > reasons to?
> >
> > The "!aNULL" looks especially weird, as we don't check peers'
> > certificates anyway.
>
> Good catch! Because of the issues above, we specify our own (rather
> limited) list of cipher suites that we advertise to the backend
> servers during SSL handshake, so I didn't notice that the defaults I
> provided are much stricter than necessary.
>
> In that case, I'd probably stick with "DEFAULT" (updated patch will
> follow)... Just keep in mind that nginx compiled against OpenSSL-1.0.1
> will be sending a ClientHello that's 316 bytes in size and will have
> issues with broken SSL servers... Whether or not that's something that
> nginx should worry about is another matter, but just to give you
> some perspective, last time I checked it was ~0.15% of servers that
> didn't like big ClientHello messages.
Given the fact that even with "HIGH:!aNULL:!MD5" nginx with recent
OpenSSL results in 300+ byte ClientHello messages,
preserving "DEFAULT" is probably good enough. We may consider
adding relevant hints to the documentation if there are many
problem reports.
--
Maxim Dounin
http://nginx.org/en/donation.html
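A way to check the concern raised in this thread for a given cipher string before putting it into "proxy_ssl_ciphers": the script below is an added example, not part of the patch or of nginx, and drives the locally installed OpenSSL through Python's ssl module to capture the ClientHello in memory and measure it. The 255-byte limit and the cipher strings come from the thread; the optional TLS 1.2 cap is my assumption to approximate the 2013 picture (without it the TLS 1.3 key_share extension makes every ClientHello large), and the exact sizes printed depend on the OpenSSL build.

```python
import ssl

# Limit quoted in the thread: some broken servers reject a ClientHello
# whose handshake message is longer than 255 bytes.
BROKEN_SERVER_LIMIT = 255


def capture_client_hello(ciphers: str, tls12_only: bool = False) -> bytes:
    """Run the first handshake step in memory and return the raw TLS
    record holding the ClientHello OpenSSL would send for `ciphers`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # We never get past the first flight, so peer verification is moot here.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if tls12_only:
        # Assumption: cap at TLS 1.2 to mimic a pre-TLS 1.3 client hello.
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(ciphers)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello written; OpenSSL now waits for a ServerHello
    return outgoing.read()


def analyse_client_hello(record: bytes) -> dict:
    """Parse the record/handshake headers and the cipher_suites vector."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    hs_len = int.from_bytes(record[6:9], "big")     # handshake body length
    body = record[9:9 + hs_len]
    # ClientHello: version(2) random(32) session_id<0..32> cipher_suites<2..>
    pos = 2 + 32
    pos += 1 + body[pos]                              # skip session_id
    suites_len = int.from_bytes(body[pos:pos + 2], "big")
    return {
        "record_bytes": len(record),
        "handshake_bytes": hs_len,
        "cipher_suites": suites_len // 2,
        "exceeds_limit": hs_len > BROKEN_SERVER_LIMIT,
    }


def check_cipher_string(ciphers: str, tls12_only: bool = False) -> dict:
    """Size report for the ClientHello produced by one proxy_ssl_ciphers value."""
    return analyse_client_hello(capture_client_hello(ciphers, tls12_only))


if __name__ == "__main__":
    for spec in ("DEFAULT", "HIGH:!aNULL:!MD5", "ECDHE-RSA-AES128-GCM-SHA256"):
        print(f"{spec:30} {check_cipher_string(spec, tls12_only=True)}")
```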