SSL default changes?

Maxim Dounin mdounin at mdounin.ru
Mon Mar 11 10:53:24 UTC 2013


Hello!

On Sun, Mar 10, 2013 at 09:48:47PM -0700, Grant wrote:

> It looks like these changes from default are required for SSL session
> resumption and to mitigate the BEAST SSL vulnerability:
> 
> ssl_session_cache shared:SSL:10m;
> ssl_ciphers RC4:HIGH:!aNULL:!MD5;
> ssl_prefer_server_ciphers on;
> 
> Should the defaults be changed to these?

The BEAST attack could be mitigated by various means, including 
switching to TLS 1.1/1.2 (you probably do not want to due to 
compatibility reasons) and/or fixing it on a client side (which is 
considered to be the right solution and already implemented by all 
modern browsers).

Use of the RC4 cipher is more a workaround than a permanent 
solution, and hence there are no plans to make it the default.

-- 
Maxim Dounin
http://nginx.org/en/donation.html
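As an added illustration (not part of Maxim's reply, and not configuration from the nginx project's own documentation), here is a constructed nginx `server` block contrasting the RC4 workaround quoted in the thread with the approach the reply points to: dropping the TLS 1.0/SSLv3 CBC mode that BEAST depends on by offering TLS 1.1 or later. The hostnames, certificate paths, cipher list and TLS 1.3 line are assumptions; TLS 1.3 requires a current nginx and OpenSSL and goes beyond what the 2013 thread discusses. RC4 itself was later prohibited for use in TLS by RFC 7465, so the "before" block is shown only for contrast.

```nginx
# Constructed example, not from the original post or the nginx docs.

# "Before": the workaround quoted in the thread. Session resumption is
# enabled, but BEAST is avoided only by steering clients onto RC4, a
# stream cipher that was itself later prohibited in TLS (RFC 7465).
server {
    listen 443 ssl;
    server_name old.example.com;                              # assumed hostname

    ssl_certificate     /etc/nginx/ssl/old.example.com.crt;   # assumed path
    ssl_certificate_key /etc/nginx/ssl/old.example.com.key;   # assumed path

    ssl_session_cache shared:SSL:10m;
    ssl_ciphers RC4:HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
}

# "After": remove the protocol version BEAST needs instead of working
# around it with a cipher choice. Assumes an nginx build against an
# OpenSSL that supports TLS 1.2 and 1.3 (TLSv1.3 needs nginx >= 1.13.0).
server {
    listen 443 ssl;
    server_name new.example.com;                              # assumed hostname

    ssl_certificate     /etc/nginx/ssl/new.example.com.crt;   # assumed path
    ssl_certificate_key /etc/nginx/ssl/new.example.com.key;   # assumed path

    # TLS 1.1 and later use an explicit per-record IV for CBC, which is
    # what defeats BEAST; TLS 1.0 and SSLv3 are simply not offered.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Forward-secret AEAD suites only: no RC4, no CBC. (Assumed list.
    # TLS 1.3 suites are fixed by the protocol and are not selected by
    # this directive.)
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

    # With only strong suites on offer, letting the client pick (e.g. a
    # phone preferring ChaCha20) is acceptable.
    ssl_prefer_server_ciphers off;

    # Session resumption as in the thread: one cache shared by all
    # worker processes, with an explicit lifetime.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;

    # Stateless session tickets are encrypted with a key that lives as
    # long as the worker unless rotated; disable them unless you manage
    # that key (ssl_session_ticket_key) deliberately.
    ssl_session_tickets off;
}
```

Check the result with `nginx -t` before reloading, and then from a client: `openssl s_client -connect new.example.com:443 -tls1` should fail to negotiate against the hardened block, while `openssl s_client -connect new.example.com:443 -tls1_2` should report one of the AEAD suites above; the same `-tls1` probe against the "before" block succeeds and reports an RC4 suite, which is exactly the behaviour the reply describes as a workaround rather than a fix.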
