"nginx does not suck at ssl"
Grant
emailgrant at gmail.com
Mon Mar 11 19:45:10 UTC 2013
>> After reading "nginx does not suck at ssl":
>>
>> http://matt.io/entry/ur
>>
>> I'm using:
>>
>> ssl_ciphers
>> ALL:!aNULL:!ADH:!eNULL:!MEDIUM:!LOW:!EXP:!kEDH:RC4+RSA:+HIGH;
>
> Some of us use the following to mitigate BEAST attacks:
> ssl_ciphers ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!aNULL:!MD5:!EDH;
Thanks Mark, this is supposed to mitigate BEAST as well and it's only
slightly different than the default:
ssl_ciphers RC4:HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
Here is mex's link again:
https://www.ssllabs.com/ssltest/
I use the following for better performance:
ssl_ciphers RC4:HIGH:!aNULL:!MD5:!kEDH;
Reference:
http://www.hybridforge.com/blog/nginx-ssl-ciphers-and-pci-compliance
- Grant
More information about the nginx
mailing list