[PATCH] update default ssl_ciphers value

Mike MacCana mike.maccana at gmail.com
Tue Aug 4 23:11:39 UTC 2015


I mentioned in my last email message that I was investigating discrepancies
between your results and mine: I've since confirmed I'd used ssl_dhparam
from Mozilla's preferred config and not included this in the actual patch.

I apologise Thomas. Thanks for including your own handshake results as it's
given me something to compare against and helped move the discussion
forward.

With the following setup:
 - Adding dh_param
 - nginx hg revision 6217
 - 'HIGH:!aNULL:!MD5' as defined in openssl 1.0.1e (too long to paste)

I can get an A out of the box - see https://archive.is/fEcdv.

I believe this means we're in sync: provided the user keeps openssl up to
date, adding dh_param should fix the ssllabs warnings.

I was trying to save nginx users some additional work, and not correctly
identifying the parameter that resolved the warning was my mistake.

Would nginx accept a patch to include dh_params in the example config?
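
The setup described in the message above, written out as an nginx server block. This is an added example, not part of the original message or of nginx's own example config; the directive is `ssl_dhparam` as named in the message's first paragraph, and the host name, file paths and 2048-bit parameter size are assumptions.

```nginx
# Added example. Host name and all file paths are placeholders.
#
# Generate the DH parameter file once on the server (2048 bits is an
# assumption; the message does not state a size):
#   openssl dhparam -out /etc/nginx/dhparam.pem 2048

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    # Cipher string from the message, unchanged. What it expands to
    # depends on the installed OpenSSL; list it with:
    #   openssl ciphers -v 'HIGH:!aNULL:!MD5'
    ssl_ciphers HIGH:!aNULL:!MD5;

    # DH parameters used for DHE key exchange. nginx releases before
    # 1.11.0 fell back to built-in parameters when this was absent.
    ssl_dhparam /etc/nginx/dhparam.pem;
}
```

After reloading, `nginx -t` confirms the file is readable and the directive parses before the configuration goes live.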