"A" Grade SSL/TLS with Nginx and StartSSL

[W-Mark Kubacki]

2013-10-15 Piotr Sikora <piotr at cloudflare.com>
  has cited Julien Vehent <julien at linuxwall.info>:
>
> ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';

Why did you sort the ciphers in this particular order?

If you wanted to prefer AES128 over AES256 over RC4 you could write:
# ssl_ciphers 'AES128:AES256:RC4+SHA:!aNULL:!PSK:!SRP';
See the output of:
# openssl ciphers list -v 'AES128:AES256:RC4+SHA:!aNULL:!PSK'
OpenSSL will order the combinations by strength and include new modes
by default.

Why do you include the weak RC4?
      You don't use SSLv3. The subset of outdated clients not able to
use TLSv1.1 *and* AES properly is diminishing. (They would have been
not been patched for about more than two years and need to repeatedly
(think: millions of times) request the same binary data without Nginx
changing the response…)

Given that AES256 boils down to 2**99.5 bits attack (time/step)
complexity [1] and AES128 to 2**100 if you agree with [2] I would
suggest this:
# ssl_ciphers 'AES128:!aNULL:!PSK:!SRP'
… Include PSK and/or SRP if you need them, which almost none webserver
operator does. Optionally with !ECDH if you don't trust the origin of
the random seed values for NIST curves.

-- 
Mark
http://mark.ossdl.de/

[1] http://eprint.iacr.org/2009/317
[2] http://eprint.iacr.org/2002/044