Default SSL protocols

Igor Sysoev is at rambler-co.ru
Sun Oct 4 23:40:04 MSD 2009


On Sat, Oct 03, 2009 at 11:07:44PM +0100, Matt Goodall wrote:

> I just noticed that the SSL module enables SSLv2 by default,
> "ssl_protocols SSLv2 SSLv3 TLSv1 " (see
> http://wiki.nginx.org/NginxHttpSslModule#ssl_protocols).
> 
> Given that SSLv2 is generally considered "weak" these days
> (http://en.wikipedia.org/wiki/Secure_Sockets_Layer#Security) and is
> disabled in most modern browsers, would it make sense to change the
> default to "ssl_protocols SSLv3 TLSv1"?

I thought to disable it by default some time ago.
I will disable it in the next version, 0.8.18.


-- 
Igor Sysoev
http://sysoev.ru/en/
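
An added example, not part of the original thread and not nginx code: a small Python check that flags a configuration which either lists SSLv2 in `ssl_protocols` or enables SSL with no `ssl_protocols` directive at all, so that the built-in default discussed above applies. The function name, messages and sample configurations are constructed for illustration; the scan is file-level and does not follow `include` files or model per-block inheritance.

```python
import re

# Protocol the thread proposes dropping from the default (compared lower-cased).
WEAK = {"sslv2"}

def strip_comments(conf):
    """Drop '#' comments (assumes no '#' inside quoted values)."""
    return "\n".join(line.split("#", 1)[0] for line in conf.splitlines())

def audit_ssl_protocols(conf):
    """Return a list of findings about SSLv2 exposure in one config text."""
    text = strip_comments(conf)
    findings = []
    directives = re.findall(r"\bssl_protocols\s+([^;]*);", text)
    for value in directives:
        weak = [p for p in value.split() if p.lower() in WEAK]
        if weak:
            findings.append(f"explicit: ssl_protocols enables {', '.join(weak)}")
    # SSL is switched on with 'ssl on;' or with the 'ssl' parameter of 'listen'.
    uses_ssl = re.search(r"\bssl\s+on\s*;|\blisten\b[^;]*\sssl\b", text)
    if uses_ssl and not directives:
        findings.append("implicit: no ssl_protocols directive, built-in default applies")
    return findings

# Constructed sample configurations.
RELIES_ON_DEFAULT = """
server {
    listen 443;
    ssl on;                       # no ssl_protocols anywhere
    ssl_certificate cert.pem;
}
"""
LISTS_SSLV2 = "server { listen 443 ssl; ssl_protocols SSLv2 SSLv3 TLSv1; }"
PROPOSED = "server { listen 443 ssl; ssl_protocols SSLv3 TLSv1; }"
COMMENTED_OUT = "# ssl_protocols SSLv3 TLSv1;\nserver { listen 443 ssl; }"
PLAIN_HTTP = "server { listen 80; }"

if __name__ == "__main__":
    samples = [("relies on default", RELIES_ON_DEFAULT), ("lists SSLv2", LISTS_SSLV2),
               ("proposed", PROPOSED), ("commented out", COMMENTED_OUT),
               ("plain http", PLAIN_HTTP)]
    for name, conf in samples:
        print(name, "->", audit_ssl_protocols(conf) or "ok")
```

The "implicit" finding is the case the thread is about: on a build whose default still includes SSLv2, only an explicit `ssl_protocols` line removes it.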




