[PATCH] update default ssl_ciphers value

Maxim Dounin mdounin at mdounin.ru
Mon Aug 3 23:10:13 UTC 2015


Hello!

On Mon, Aug 03, 2015 at 11:53:08PM +0100, Mike MacCana wrote:

> Thanks for the quick response again Maxim. You make some excellent points:
> 
> 1. Best practices for cipher lists change over time.
> 2. ssl_prefer_server_ciphers is off by default
> 
> For now: how about:
>  - We use up to date values for NGX_DEFAULT_CIPHERS
>  - We turn on ssl_prefer_server_ciphers by default - having the server
> control the negotiation is recommended in every configuration guide
>  - We add an up to date ssl_ciphers example to the default config file
>  - Above the example, we add a comment with the point you've made above:
> 
> # Security note: best practices for ssl_ciphers frequently change over time.
> # Check https://mozilla.github.io/server-side-tls/ssl-config-generator for more recent settings
> # ssl_ciphers  ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA
> 
> This would resolve the SSL Labs and Chrome warnings that currently show up
> with nginx, but make sure people configuring nginx are aware that they need
> to keep up to date, and shows them where they can get a more recent config.
> 
> If the user is lazy and doesn't follow ssl happenings, they're still better
> out of the box. And actually giving them a URL to check might make them be
> a little more security conscious.
> 
> How does that sound?

The number of false claims in your messages and the fact that you 
are not reading what I already wrote makes this discussion 
pointless, sorry.

-- 
Maxim Dounin
http://nginx.org/
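The proposal quoted above hinges on two nginx directives, ssl_ciphers and ssl_prefer_server_ciphers, and on an OpenSSL-style cipher list that mixes explicit suite names with the HIGH group keyword and a set of "!" exclusions. The linter below is an added example written for this page; it is not nginx code and not code from either participant in the thread. It parses the two directives out of a server-block fragment, splits the cipher list the way OpenSSL does, and reports what a reviewer would check: whether the server's preference is enabled, whether the usual exclusions are present, whether every explicitly named suite uses a forward-secret key exchange, and whether a group keyword such as HIGH is pulling in suites that were never listed. The required-exclusion set and the forward-secrecy prefixes are policy assumptions chosen for illustration; the second sample configuration is constructed to trigger findings.

```python
"""Lint the TLS cipher settings of an nginx server block (added example)."""
import re

# Assumed policy: exclusions a cipher list must carry, and the key-exchange
# prefixes (in OpenSSL suite names) that give forward secrecy.
REQUIRED_EXCLUSIONS = {"aNULL", "eNULL", "EXPORT", "RC4", "MD5"}
FS_PREFIXES = ("ECDHE-", "DHE-")
# Keywords that expand to whole groups of suites; their contents depend on
# the OpenSSL build and must be reviewed with `openssl ciphers -v`.
GROUP_KEYWORDS = {"HIGH", "MEDIUM", "LOW", "DEFAULT", "ALL", "COMPLEMENTOFDEFAULT"}

# One directive per line, value up to the terminating semicolon.
DIRECTIVE_RE = re.compile(
    r"^\s*(ssl_ciphers|ssl_prefer_server_ciphers)\s+(.+?)\s*;\s*$", re.M
)


def parse_directives(config_text):
    """Return {directive: value} for the two TLS directives, quotes stripped."""
    found = {}
    for name, value in DIRECTIVE_RE.findall(config_text):
        found[name] = value.strip().strip('"').strip("'")
    return found


def split_cipher_list(spec):
    """Split an OpenSSL cipher list into (modifier, token) pairs.

    Modifier is '!' (permanently delete), '-' (delete), '+' (move to end)
    or '' (add). OpenSSL accepts ':', ',' and whitespace as separators.
    """
    entries = []
    for token in re.split(r"[:,\s]+", spec):
        if not token:
            continue
        mod = token[0] if token[0] in "!-+" else ""
        entries.append((mod, token[len(mod):]))
    return entries


def lint(config_text):
    """Return a sorted list of findings; an empty list means nothing to report."""
    findings = []
    directives = parse_directives(config_text)
    if directives.get("ssl_prefer_server_ciphers", "off") != "on":
        findings.append("ssl_prefer_server_ciphers is not 'on'; the client's order wins")
    spec = directives.get("ssl_ciphers")
    if spec is None:
        findings.append("no ssl_ciphers directive; the built-in default applies")
        return sorted(findings)
    entries = split_cipher_list(spec)
    killed = {tok for mod, tok in entries if mod == "!"}
    for missing in sorted(REQUIRED_EXCLUSIONS - killed):
        findings.append(f"cipher list does not exclude {missing}")
    for mod, tok in entries:
        if mod:
            continue  # exclusions and reorderings add nothing to check here
        if tok in GROUP_KEYWORDS:
            findings.append(
                f"group keyword {tok} expands to suites not listed explicitly; "
                "review the expansion with `openssl ciphers -v`"
            )
        elif not tok.startswith(FS_PREFIXES):
            findings.append(f"{tok} has no forward secrecy")
    return sorted(findings)


# The cipher list proposed in the thread, as a single nginx directive value.
PROPOSED_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:"
    "ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA256:"
    "DHE-RSA-AES256-SHA256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA"
)
PROPOSED_CONFIG = f"""
    ssl_prefer_server_ciphers on;
    ssl_ciphers {PROPOSED_CIPHERS};
"""

# Constructed counter-example: server preference left at its default (off),
# static-RSA and RC4 suites named explicitly, no exclusions at all.
LAX_CONFIG = """
    ssl_ciphers AES128-SHA:RC4-SHA:HIGH;
"""

if __name__ == "__main__":
    for label, cfg in (("proposed", PROPOSED_CONFIG), ("lax", LAX_CONFIG)):
        print(f"== {label} ==")
        for finding in lint(cfg) or ["no findings"]:
            print(" -", finding)
```

On the proposed configuration the only finding is the HIGH keyword: the explicit suites all use ECDHE or DHE key exchange, but HIGH expands to whatever the linked OpenSSL build classifies as high strength, so the effective suite set has to be checked against the library rather than read off the directive.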
