Default SSL protocols

Matt Goodall matt.goodall at gmail.com
Sun Oct 4 02:07:44 MSD 2009


Hi,

I just noticed that the SSL module enables SSLv2 by default,
"ssl_protocols SSLv2 SSLv3 TLSv1" (see
http://wiki.nginx.org/NginxHttpSslModule#ssl_protocols).

Given that SSLv2 is generally considered "weak" these days
(http://en.wikipedia.org/wiki/Secure_Sockets_Layer#Security) and is
disabled in most modern browsers, would it make sense to change the
default to "ssl_protocols SSLv3 TLSv1"?

- Matt
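
Added example, not part of the original post and not nginx project code: a small audit that reports which SSL-enabled `server` blocks end up with SSLv2, either because `ssl_protocols` lists it or because no `ssl_protocols` directive applies and the default quoted in the post takes effect. The function names and the sample configuration are constructed; the parser is simplified and assumes no `include` files and no quoted strings containing `#`, `{`, `}` or `;`.

```python
import re

# Default protocol list as quoted in the post (an assumption for any given build).
POST_DEFAULT = ("SSLv2", "SSLv3", "TLSv1")

def parse_servers(conf):
    """Return the server blocks; each keeps a parent link so inheritance can be resolved."""
    root = {"name": "main", "parent": None, "protocols": None, "ssl": False}
    cur, servers, stmt = root, [], []
    text = re.sub(r"#[^\n]*", "", conf)  # drop comments
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "{":
            cur = {"name": stmt[0] if stmt else "", "parent": cur, "protocols": None, "ssl": False}
            if cur["name"] == "server":
                servers.append(cur)
            stmt = []
        elif tok == ";":
            if stmt[:1] == ["ssl_protocols"]:
                cur["protocols"] = tuple(stmt[1:])
            elif stmt[:2] == ["ssl", "on"] or (stmt[:1] == ["listen"] and "ssl" in stmt[2:]):
                cur["ssl"] = True
            stmt = []
        elif tok == "}":
            cur, stmt = cur["parent"] or root, []
        else:
            stmt.append(tok)
    return servers

def sslv2_findings(conf, default=POST_DEFAULT):
    """List (server_index, source) for SSL servers whose effective protocols include SSLv2."""
    findings = []
    for i, srv in enumerate(parse_servers(conf)):
        node = srv
        while node and node["protocols"] is None:
            node = node["parent"]  # nesting decides inheritance, not directive order
        protocols, source = (node["protocols"], "configured") if node else (default, "default")
        if (srv["ssl"] or srv["parent"]["ssl"]) and "SSLv2" in protocols:
            findings.append((i, source))
    return findings

# Constructed sample configuration, not taken from any real deployment.
SAMPLE = """http {
    server { listen 443 ssl; server_name a.example; }
    server { listen 443 ssl; ssl_protocols SSLv3 TLSv1; }
    server { listen 80; }
    server { listen 443 ssl; ssl_protocols SSLv2 SSLv3 TLSv1; }
}"""
```

A `"default"` finding is the case the post is about: nothing in the file mentions SSLv2, yet the server still offers it.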




