HTTP/2 without forward secrecy (Diffie-Hellman)
reallfqq-nginx at yahoo.fr
Tue Aug 16 13:55:13 UTC 2016
On Mon, Aug 15, 2016 at 3:04 PM, Lukas Tribus <luky-37 at hotmail.com> wrote:
> > For that I need to disable forward secrecy (since it is only a test
> > environment security is not an issue)
> > So I changed the "ssl_ciphers" in my /sites-enabled/default file from:
> > ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
> > into
> > ssl_ciphers "AES128-SHA";
> This cannot work, HTTP/2.0 only allows certain ciphers. The fact that
> it works in Apache means Apache violates the RFC.
> Also see nginx manual.
That is a wrong assumption and an inadequate blame on Apache.
The list you are mentioning and which is directly linked in the nginx
example you referenced (RFC 7540, Appendix A
<https://tools.ietf.org/html/rfc7540#appendix-A>) uses the MAY keyword,
defined as 'truly optional'.
nginx has made the choice of strictly following RFC advice, but technologies
that do not follow it commit no violation *per se*.
>  http://http2.github.io/http2-spec/#TLSUsage
>  http://nginx.org/en/docs/http/ngx_http_v2_module.html#example
Thus, this configuration *can* work and the problem is definitely elsewhere
(cf. Valentin's message for example).
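As an added illustration (not part of the original message, nor nginx or Apache code): RFC 7540 Appendix A describes its black list as the TLS 1.2 suites that lack an ephemeral key exchange or that use a null, stream or block cipher, and the sketch below applies those two criteria to explicit OpenSSL suite names such as the `AES128-SHA` from this thread. The name-matching heuristic and the function names are assumptions; it does not reproduce the literal Appendix A list.

```python
# Added example: classify explicit OpenSSL TLS 1.2 cipher names against the
# two criteria RFC 7540 Appendix A gives for its cipher suite black list.
# Assumption: matching on the OpenSSL name is a heuristic, not the literal list.
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20-POLY1305")
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-")


def blacklist_reasons(openssl_name):
    """Return why a TLS 1.2 suite meets the black-list criteria ([] if it does not)."""
    reasons = []
    if not openssl_name.startswith(EPHEMERAL_PREFIXES):
        reasons.append("key exchange is not (EC)DHE")
    if not any(marker in openssl_name for marker in AEAD_MARKERS):
        reasons.append("not an AEAD cipher")
    return reasons


def audit_cipher_string(ssl_ciphers):
    """Map each literal suite name in an ssl_ciphers value to its reasons.

    Assumption: keywords (HIGH), exclusions (!aNULL) and directives (@STRENGTH)
    need OpenSSL itself to expand them, so they are skipped here.
    """
    report = {}
    for token in ssl_ciphers.split(":"):
        token = token.strip()
        if not token or token[0] in "!+-@" or "-" not in token:
            continue
        report[token] = blacklist_reasons(token)
    return report


def h2_acceptable(ssl_ciphers):
    """Suites in the string that a strictly enforcing HTTP/2 peer would accept."""
    return [name for name, why in audit_cipher_string(ssl_ciphers).items() if not why]


if __name__ == "__main__":
    # Constructed sample: the single suite configured in the quoted question.
    for name, why in audit_cipher_string("AES128-SHA").items():
        print(name, "->", "; ".join(why) or "acceptable for HTTP/2")
```

An empty result from `h2_acceptable` means a peer that enforces the black list has nothing it will negotiate for HTTP/2, while a peer that does not enforce it can still complete the connection.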