SSL ciphers, disable or not to disable RC4?

nano nanotek at bsdbox.co
Thu Jan 9 09:42:04 UTC 2014


On 9/01/2014 8:29 PM, Pekka.Panula at sofor.fi wrote:
> Hi
>
> My current values in my nginx configuration for ssl_protocols/ciphers
> what I use is this:
>
> ssl_protocols      SSLv3 TLSv1 TLSv1.1 TLSv1.2;
> ssl_ciphers  RC4:HIGH:!aNULL:!MD5;
> ssl_prefer_server_ciphers   on;
>
> What are today's recommendations for the ssl_ciphers option for supporting
> all current OSes and browsers, even Windows XP users with IE?
> Can I disable RC4?
>
> My nginx is compiled with OpenSSL v1.0.1.
>
>

The current consensus suggests that mitigating RC4 vulnerabilities is 
more important than BEAST attack concerns, which are all but mitigated 
client-side. If you want to deploy protocols to cater for a wide range 
of browsers (including XP IE), implement the following (which will 
fall back to RC4 as a last resort):

ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:+RC4:RC4";

Otherwise, exclude RC4 with the following:

ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4";


-- 
syn.bsdbox.co
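To see why the first list keeps RC4 only as a last resort while the second removes it entirely, here is an added example (not from the post or from nginx/OpenSSL) that models the OpenSSL cipher-string rules nginx's ssl_ciphers is passed to. The suite table and its tags are a constructed subset chosen to exercise the tokens in the two strings; real OpenSSL has many more suites.

```python
# Added example: simplified model of OpenSSL cipher-string evaluation, to
# check where RC4 lands in the two ssl_ciphers values from the reply.
CIPHERS = [  # constructed subset: (suite name, tags it matches)
    ("ECDHE-ECDSA-AES128-GCM-SHA256", {"EECDH", "ECDSA", "AESGCM"}),
    ("ECDHE-RSA-AES128-GCM-SHA256", {"EECDH", "aRSA", "AESGCM"}),
    ("ECDHE-RSA-AES256-SHA384", {"EECDH", "aRSA", "SHA384"}),
    ("ECDHE-RSA-RC4-SHA", {"EECDH", "aRSA", "RC4"}),
    ("DHE-RSA-AES128-SHA", {"EDH", "aRSA"}),
    ("RC4-SHA", {"kRSA", "aRSA", "RC4"}),
    ("RC4-MD5", {"kRSA", "aRSA", "RC4", "MD5"}),
    ("NULL-SHA", {"kRSA", "aRSA", "eNULL"}),
]

WITH_RC4_FALLBACK = ("EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:"
                     "EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:"
                     "EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:"
                     "!MD5:!EXP:!PSK:!SRP:!DSS:+RC4:RC4")
# Same prefix, but the trailing "+RC4:RC4" becomes "!RC4" (second list).
NO_RC4 = WITH_RC4_FALLBACK.rsplit(":+RC4", 1)[0] + ":!RC4"


def evaluate(cipher_string, table=CIPHERS):
    """Ordered suite list: plain token appends unseen matches, 'A+B' needs
    every tag, '+' moves matches to the end, '-' deletes (re-addable),
    '!' deletes permanently."""
    selected, killed = [], set()
    for token in cipher_string.replace(" ", ":").split(":"):
        if not token:
            continue
        op, body = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        tags = set(body.split("+"))
        matched = [name for name, props in table if tags <= props]
        if op == "!":
            killed.update(matched)
            selected = [c for c in selected if c not in killed]
        elif op == "-":
            selected = [c for c in selected if c not in matched]
        elif op == "+":
            selected = ([c for c in selected if c not in matched]
                        + [c for c in selected if c in matched])
        else:
            selected += [c for c in matched
                         if c not in selected and c not in killed]
    return selected


def rc4_suites(cipher_string):
    """RC4 suites the string still enables, in negotiation order."""
    return [c for c in evaluate(cipher_string) if "RC4" in c]


if __name__ == "__main__":
    print("fallback:", evaluate(WITH_RC4_FALLBACK))  # RC4 suites at the end
    print("no RC4  :", evaluate(NO_RC4))             # no RC4 suite at all
```

Note that "!MD5" already drops RC4-MD5 from the fallback list, and "+RC4" is what pushes the remaining RC4 suites behind every AES suite.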


