SSL ciphers preference

B.R. reallfqq-nginx at yahoo.fr
Mon Sep 1 18:35:10 UTC 2014


Loud and clear.

I am no expert at OpenSSL cipher suites.
I found that resource
<https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy>
that might prove useful on their own website.
At least, that is a start to understand what you are doing...

Thanks!
---
*B. R.*


On Mon, Sep 1, 2014 at 8:07 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:

> Hello!
>
> On Mon, Sep 01, 2014 at 04:56:00PM +0200, B.R. wrote:
>
> > Hello,
> >
> > I filed a (now closed, because erroneous) enhancement ticket:
> > http://trac.nginx.org/nginx/ticket/619
> >
> > As it appears, the change I noticed in the SSL test did not result from
> > my malformed ciphers list.
> > Right about that.
> >
> > However, what is intriguing is the answer Maxim gave me on the second
> > part of my proposal: the default activation of ssl_prefer_server_ciphers
> > <http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers>.
> >
> > He said that this option put to on made sense with a custom list but not
> > with the default one.
> >
> > I confirm that the results of my tests changed. It was not because of the
> > ciphers list, but it was due to that other change.
> > Thus, the ciphers used by the emulated clients of the test changed
> > following the activation of that option, allowing me to pass the 'Forward
> > Secrecy' part of the test, resulting in an upgrade of my score from A-
> > to A.
> >
> > I just checked it again, removing my buggy ciphers list and
> > (de)activating the 'prefer' option.
> >
> > If using that option with the default ciphers list was useless, why did
> > that change have an impact on the results of my test?
>
> Switching on or off ssl_prefer_server_ciphers obviously may change
> score as reported by SSL Labs, since it can (and likely will)
> change ciphers negotiated in some cases.  But it's usually not
> a good idea to switch it on unless you understand the results and
> have a good reason to do so.
>
> By default, OpenSSL sorts ciphers per symmetric encryption
> strength, and prefers ciphers with forward secrecy if strength is
> identical.  As a result you may get better forward secrecy support
> if you'll switch on ssl_prefer_server_ciphers - or not, depending
> on actual ciphers supported by clients.  E.g., AES256-SHA will be
> preferred over ECDHE-RSA-AES128-SHA, which is probably not what
> you want.
>
> Another example: DHE-RSA-AES256-SHA256 will be preferred over
> ECDHE-RSA-AES128-SHA256.  On the other hand, you probably
> don't want DHE to be used at all for performance reasons.
>
> --
> Maxim Dounin
> http://nginx.org/
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
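The selection rules Maxim describes above (OpenSSL's default ordering by symmetric strength with forward secrecy only breaking ties, and which side's preference wins under ssl_prefer_server_ciphers), as an added Python model that is not part of this thread or of nginx/OpenSSL. Suite attributes are assigned by hand from the suite names, the client offer lists are constructed, and fs_first_without_dhe is an assumed example of a custom list; real orderings come from `openssl ciphers -v`.

```python
"""Model of TLS cipher-suite selection under nginx's ssl_prefer_server_ciphers."""
from dataclasses import dataclass


# Attributes are derived from the OpenSSL-style name by hand (constructed for
# this example; the real values come from `openssl ciphers -v`).
@dataclass(frozen=True)
class Suite:
    name: str
    bits: int              # symmetric key strength
    forward_secrecy: bool  # ephemeral key exchange (ECDHE or DHE)


def parse_suite(name: str) -> Suite:
    kx = name.split("-")[0]
    return Suite(name, 256 if "AES256" in name else 128, kx in ("ECDHE", "DHE"))


def openssl_default_order(names):
    """DEFAULT ordering as described in the thread: stronger symmetric cipher
    first, forward secrecy only breaks ties (stable sort keeps input order otherwise)."""
    suites = [parse_suite(n) for n in names]
    return [s.name for s in sorted(suites, key=lambda s: (-s.bits, not s.forward_secrecy))]


def fs_first_without_dhe(names):
    """An assumed custom list for which server preference is worth enabling:
    ECDHE suites first, DHE dropped for performance, everything else after."""
    ecdhe = [n for n in names if n.startswith("ECDHE-")]
    rest = [n for n in names if not n.startswith(("ECDHE-", "DHE-"))]
    return ecdhe + rest


def negotiate(server_order, client_order, prefer_server):
    """Pick the first suite in the preferring side's list that the other side also offers."""
    chooser, other = (server_order, client_order) if prefer_server else (client_order, server_order)
    offered = set(other)
    return next((n for n in chooser if n in offered), None)


if __name__ == "__main__":
    server = openssl_default_order(["ECDHE-RSA-AES128-SHA", "AES256-SHA",
                                    "ECDHE-RSA-AES128-SHA256", "DHE-RSA-AES256-SHA256"])
    client = ["ECDHE-RSA-AES128-SHA", "AES256-SHA"]  # constructed client hello order
    print("default order:", server)  # DHE-RSA-AES256-SHA256 and AES256-SHA sort first
    print("prefer off ->", negotiate(server, client, False))  # ECDHE-RSA-AES128-SHA
    print("prefer on  ->", negotiate(server, client, True))   # AES256-SHA, no forward secrecy
    print("custom list, prefer on ->", negotiate(fs_first_without_dhe(server), client, True))
```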