[PATCH] update default ssl_ciphers value
Maxim Dounin
mdounin at mdounin.ru
Mon Aug 3 23:10:13 UTC 2015
Hello!
On Mon, Aug 03, 2015 at 11:53:08PM +0100, Mike MacCana wrote:
> Thanks for the quick response again Maxim. You make some excellent points:
>
> 1. Best practices for cipher lists change over time.
> 2. ssl_prefer_server_ciphers is off by default
>
> For now: how about:
> - We use up to date values for NGX_DEFAULT_CIPHERS
> - We turn on ssl_prefer_server_ciphers by default - having the server
> control the negotiation is recommended in every configuration guide
> - We add an up to date ssl_ciphers example to the default config file
> - Above the example, we add a comment with the point you've made above:
>
> # Security note: best practices for ssl_ciphers frequently change over time.
> # Check https://mozilla.github.io/server-side-tls/ssl-config-generator for
> # more recent settings
> # ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA
>
> This would resolve the SSL Labs and Chrome warnings that currently show up
> with nginx, but make sure people configuring nginx are aware that they need
> to keep up to date, and shows them where they can get a more recent config.
>
> If the user is lazy and doesn't follow ssl happenings, they're still better
> out of the box. And actually giving them a URL to check might make them be
> a little more security conscious.
>
> How does that sound?
The number of false claims in your messages and the fact that you
are not reading what I already wrote makes this discussion
pointless, sorry.
--
Maxim Dounin
http://nginx.org/
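As an added example (not code from this thread or from nginx), a small Python checker for the two directives the proposal touches: it pulls `ssl_ciphers` and `ssl_prefer_server_ciphers` out of an nginx snippet, expands the cipher string through the local OpenSSL via Python's `ssl` module, and reports any suite the `!` exclusions were meant to remove. The server block is constructed from the quoted proposal; the weak-suite markers are an assumption about OpenSSL suite naming.

```python
"""Lint the TLS directives of an nginx snippet against the thread's proposal."""
import re
import ssl

# Constructed sample: the quoted proposal applied to a server block.
SAMPLE_CONF = """
server {
    listen 443 ssl;
    # Security note: best practices for ssl_ciphers frequently change over time.
    # Check https://mozilla.github.io/server-side-tls/ssl-config-generator for
    # more recent settings
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA;
}
"""

DIRECTIVE = re.compile(r"^\s*(ssl_ciphers|ssl_prefer_server_ciphers)\s+([^;#]+?)\s*;", re.M)

# Assumed substrings of OpenSSL suite names that the proposal's '!' exclusions should remove.
WEAK_MARKERS = ("RC4", "MD5", "NULL", "ADH", "AECDH", "EXP", "DES-CBC-", "PSK", "SRP", "CAMELLIA")

def parse_tls_directives(conf: str) -> dict:
    """Return each TLS directive's last value; a later directive overrides an earlier one."""
    return dict(DIRECTIVE.findall(conf))

def expand_ciphers(spec: str) -> list:
    """Expand an OpenSSL cipher-list string into the TLS 1.2-and-below suites it
    selects, in preference order, using the local OpenSSL via the ssl module."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)  # raises ssl.SSLError when nothing matches
    # TLS 1.3 suites are configured separately and are always listed first; skip them.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def lint(conf: str) -> list:
    """Return findings; an empty list means the snippet follows the proposal."""
    findings = []
    d = parse_tls_directives(conf)
    if d.get("ssl_prefer_server_ciphers", "off") != "on":
        findings.append("ssl_prefer_server_ciphers is not on: the client picks the suite")
    if "ssl_ciphers" not in d:
        return findings + ["no ssl_ciphers directive: the compiled-in default applies"]
    try:
        suites = expand_ciphers(d["ssl_ciphers"])
    except ssl.SSLError:
        return findings + ["ssl_ciphers selects no usable suite on this OpenSSL"]
    findings += [f"weak suite selected: {s}" for s in suites if any(m in s for m in WEAK_MARKERS)]
    if not (suites and suites[0].startswith("ECDHE-")):
        findings.append(f"first preferred suite {suites[:1]} is not ECDHE (no forward secrecy first)")
    return findings
```

Because the expansion runs through the OpenSSL nginx would link against, the result reflects what that build actually negotiates rather than what the string appears to say.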