HTTP/2 without forward secrecy (Diffie-Hellman)

B.R. reallfqq-nginx at yahoo.fr
Tue Aug 16 13:55:13 UTC 2016


On Mon, Aug 15, 2016 at 3:04 PM, Lukas Tribus <luky-37 at hotmail.com> wrote:

> > For that I need to disable forward secrecy (since it is only a test
> > environment security is not an issue)
> >
> > So I changed the "ssl_ciphers" in my /sites-enabled/default file from:
> >
> > ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
> > into
> > ssl_ciphers "AES128-SHA";
>
> This cannot work, HTTP/2.0 only always certain ciphers [3]. The fact the
> it works in Apache means Apache violates the RFC.
>
> Also see nginx manual [4].
>

​​That is a wrong assumption and an inadequate blame on Apache.

The list you are mentioning and which is directly linked in the nginx
example you referenced (RFC 7540, Appendix A
<https://tools.ietf.org/html/rfc7540#appendix-A>)​ ​uses the MAY keyword,
defined as 'truly optional'.
nginx has made the choice​ of strictly following RFC advice, but technology
who don't make no violation *per se*.
​


> [3] http://http2.github.io/http2-spec/#TLSUsage
> [4] http://nginx.org/en/docs/http/ngx_http_v2_module.html#example

​
Thus, this configuration *can* work and the problem is definitely elsewhere
(cf. Valentin message for example).
---
*B. R.*​
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20160816/849a95dc/attachment.html>


More information about the nginx mailing list