[PATCH] update default ssl_ciphers value

Mike MacCana mike.maccana at gmail.com
Tue Aug 4 07:59:01 UTC 2015


Maxim I apologise if I've offended you or not understood something you
wrote. My methodology was as follows:

 - Install nginx
 - Enable ssl
 - Run the SSL Labs scan and a current version of Chrome
 - Provide a patch that fixes the errors reported by those tools

Do you believe the provided SSL Labs report or Chrome is in error, or that
something is wrong with the testing methodology above?






On Tue, Aug 4, 2015 at 12:10 AM, Maxim Dounin <mdounin at mdounin.ru> wrote:

> Hello!
>
> On Mon, Aug 03, 2015 at 11:53:08PM +0100, Mike MacCana wrote:
>
> > Thanks for the quick response again Maxim. You make some excellent
> points:
> >
> > 1. Best practices for cipher lists change over time.
> > 2. ssl_prefer_server_ciphers is off by default
> >
> > For now: how about:
> >  - We use up to date values for NGX_DEFAULT_CIPHERS
> >  - We turn on ssl_prefer_server_ciphers by default - having the server
> > control the negotiation is recommended in every configuration guide
> >  - We add an up to date ssl_ciphers example to the default config file
> >  - Above the example, we add a comment with the point you've made above:
> >
> > # Security note: best practices for ssl_ciphers frequently change over
> time.
> > # Check https://mozilla.github.io/server-side-tls/ssl-config-generator
> for
> > more recent settings
> > # ssl_ciphers  ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:
> > ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:
> > DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-
> > RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-
> > SHA384:ECDHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA256:
> > HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA
> >
> > This would resolve the SSL Labs and Chrome warnings that currently show
> up
> > with nginx, but make sure people configuring nginx are aware that they
> need
> > to keep up to date, and shows them where they can get a more recent
> config.
> >
> > If the user is lazy and doesn't follow ssl happenings, they're still
> better
> > out of the box. And actually giving them a URL to check might make them
> be
> > a little more security conscious.
> >
> > How does that sound?
>
> The number of false claims in your messages and the fact that you
> are not reading what I already wrote makes this discussion
> pointless, sorry.
>
> --
> Maxim Dounin
> http://nginx.org/
>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20150804/366c3436/attachment.html>


More information about the nginx-devel mailing list