[PATCH] update default ssl_ciphers value

Mike MacCana mike.maccana at gmail.com
Mon Aug 3 22:53:08 UTC 2015


Thanks for the quick response again Maxim. You make some excellent points:

1. Best practices for cipher lists change over time.
2. ssl_prefer_server_ciphers is off by default

For now: how about:
 - We use up to date values for NGX_DEFAULT_CIPHERS
 - We turn on ssl_prefer_server_ciphers by default - having the server
control the negotiation is recommended in every configuration guide
 - We add an up to date ssl_ciphers example to the default config file
 - Above the example, we add a comment with the point you've made above:

# Security note: best practices for ssl_ciphers frequently change over time.
# Check https://mozilla.github.io/server-side-tls/ssl-config-generator for more recent settings
# ssl_ciphers  ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA

This would resolve the SSL Labs and Chrome warnings that currently show up
with nginx, but make sure people configuring nginx are aware that they need
to keep up to date, and show them where they can get a more recent config.

If the user is lazy and doesn't follow ssl happenings, they're still better
out of the box. And actually giving them a URL to check might make them be
a little more security conscious.

How does that sound?
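Added example, not part of the message or of nginx's code: a Python check that asks the local OpenSSL (through the standard ssl module, Python 3.6+ for SSLContext.get_ciphers()) to expand the ssl_ciphers string proposed above, then reports any resulting suite that contradicts the string's own "!" exclusions and any explicitly named suite this OpenSSL build no longer offers, which is the drift the note in the proposed config warns about.

```python
import ssl

# The ssl_ciphers value proposed in the message, unwrapped onto one string.
PROPOSED_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA256:"
    "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA"
)

# Substrings of suite names that the "!" exclusions above are meant to rule out.
# Note: OpenSSL's "DES" alias covers single DES only; triple DES is the "3DES"
# alias (suite names containing "DES-CBC3"), so it is tracked separately.
EXCLUDED_MARKERS = ("RC4", "MD5", "CAMELLIA", "PSK", "SRP", "NULL", "EXP")
TRIPLE_DES_MARKER = "DES-CBC3"


def expand_cipher_list(cipher_string):
    """Resolve an OpenSSL cipher string with the local OpenSSL.

    Returns TLS 1.2-and-below suite names in preference order. TLS 1.3 suites
    are configured separately in OpenSSL and are left out so the result
    reflects only what ssl_ciphers controls."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weak_suites(names):
    """Suites left in the list despite the string's own exclusions."""
    return [n for n in names if any(m in n for m in EXCLUDED_MARKERS)]


def triple_des_suites(names):
    """3DES suites; !DES does not remove them, only HIGH's definition does."""
    return [n for n in names if TRIPLE_DES_MARKER in n]


def missing_named_suites(cipher_string, names):
    """Explicitly named suites this OpenSSL build no longer offers."""
    wanted = [t for t in cipher_string.split(":")
              if t != "HIGH" and not t.startswith("!")]
    return [t for t in wanted if t not in names]


if __name__ == "__main__":
    resolved = expand_cipher_list(PROPOSED_CIPHERS)
    print("suites:", len(resolved), "first:", resolved[0])
    print("contradict exclusions:", weak_suites(resolved))
    print("3DES still present:", triple_des_suites(resolved))
    print("named but unavailable:", missing_named_suites(PROPOSED_CIPHERS, resolved))
```

On the 2015-era OpenSSL 1.0.x the post targets, HIGH still contained 3DES, so the third line of output is the one to watch; on OpenSSL 1.1.0 and later 3DES was demoted out of HIGH and that list is empty.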