"nginx does not suck at ssl"

Grant emailgrant at gmail.com
Mon Mar 11 19:45:10 UTC 2013


>> After reading "nginx does not suck at ssl":
>>
>> http://matt.io/entry/ur
>>
>> I'm using:
>>
>> ssl_ciphers
>> ALL:!aNULL:!ADH:!eNULL:!MEDIUM:!LOW:!EXP:!kEDH:RC4+RSA:+HIGH;
>
> Some of us use the following to mitigate BEAST attacks:
> ssl_ciphers ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!aNULL:!MD5:!EDH;

Thanks Mark, this is supposed to mitigate BEAST as well and it's only
slightly different than the default:

ssl_ciphers RC4:HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

Here is mex's link again:
https://www.ssllabs.com/ssltest/

I use the following for better performance:

ssl_ciphers RC4:HIGH:!aNULL:!MD5:!kEDH;

Reference:
http://www.hybridforge.com/blog/nginx-ssl-ciphers-and-pci-compliance

- Grant
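
Added example, not part of the original message: a Python sketch that asks the local OpenSSL (through the standard `ssl` module) to expand the two `ssl_ciphers` strings from the message above and lists what the extra `!kEDH` drops. The function names are made up for this illustration. The output depends on the OpenSSL build Python is linked against, and a keyword the build has no suites for, such as RC4, expands to nothing.

```python
"""Expand the ssl_ciphers strings from this thread with the local OpenSSL."""
import ssl

# Cipher strings copied from the message above.
BEAST_STRING = "RC4:HIGH:!aNULL:!MD5"
PERF_STRING = "RC4:HIGH:!aNULL:!MD5:!kEDH"


def expand(cipher_string):
    """Return the suites OpenSSL selects for cipher_string, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()        # list of dicts: name, protocol, kea, auth, ...


def removed_by(with_rule, without_rule):
    """Suites selected by without_rule that with_rule no longer selects."""
    kept = {c["name"] for c in expand(with_rule)}
    return [c for c in expand(without_rule) if c["name"] not in kept]


def kex_summary(cipher_string):
    """Count the selected suites per key-exchange type (the 'kea' field)."""
    counts = {}
    for c in expand(cipher_string):
        counts[c["kea"]] = counts.get(c["kea"], 0) + 1
    return counts


if __name__ == "__main__":
    for s in (BEAST_STRING, PERF_STRING):
        print(s, kex_summary(s))
    # The only difference between the two strings is !kEDH, so everything
    # listed here is an ephemeral finite-field Diffie-Hellman suite.
    for c in removed_by(PERF_STRING, BEAST_STRING):
        print("dropped by !kEDH:", c["name"], c["protocol"])
    rc4 = [c["name"] for c in expand(BEAST_STRING) if "RC4" in c["name"]]
    print("RC4 suites in this build:", rc4 or "none")
```

TLS 1.3 suites show up in both expansions with key exchange `kx-any`, because the cipher string only governs TLS 1.2 and earlier.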
