SSL default changes?
Grant
emailgrant at gmail.com
Mon Mar 11 19:37:37 UTC 2013
>> It looks like these changes from default are required for SSL session
>> resumption and to mitigate the BEAST SSL vulnerability:
>>
>> ssl_session_cache shared:SSL:10m;
>> ssl_ciphers RC4:HIGH:!aNULL:!MD5;
>> ssl_prefer_server_ciphers on;
>>
>> Should the defaults be changed to these?
>
> The BEAST attack could be mitigated by various means, including
> switching to TLS 1.1/1.2 (you probably do not want to due to
> compatibility reasons) and/or fixing it on a client side (which is
> considered to be right solution and already implemented by all
> modern browsers).
>
> Use of the RC4 cipher is more a workaround than a permanent
> solution, and hence there are no plans to make it the default.
OK, why not enable SSL session resumption by default?
ssl_session_cache shared:SSL:10m;
- Grant
More information about the nginx
mailing list