Hello!

On Mon, Aug 03, 2015 at 11:53:08PM +0100, Mike MacCana wrote:

> Thanks for the quick response again Maxim. You make some excellent points:
>
> 1. Best practices for cipher lists change over time.
> 2. ssl_prefer_server_ciphers is off by default
>
> For now: how about:
> - We use up to date values for NGX_DEFAULT_CIPHERS
> - We turn on ssl_prefer_server_ciphers by default - having the server
>   control the negotiation is recommended in every configuration guide
> - We add an up to date ssl_ciphers example to the default config file
> - Above the example, we add a comment with the point you've made above:
>
> # Security note: best practices for ssl_ciphers frequently change over time.
> # Check https://mozilla.github.io/server-side-tls/ssl-config-generator for
> # more recent settings
> # ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA
>
> This would resolve the SSL Labs and Chrome warnings that currently show up
> with nginx, but make sure people configuring nginx are aware that they need
> to keep up to date, and shows them where they can get a more recent config.
>
> If the user is lazy and doesn't follow ssl happenings, they're still better
> out of the box. And actually giving them a URL to check might make them be
> a little more security conscious.
>
> How does that sound?

The number of false claims in your messages and the fact that you are not
reading what I already wrote makes this discussion pointless, sorry.

-- 
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx-devel mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx-devel

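The layout Mike proposes in the quoted message (a dated security note with a link, an explicit `ssl_ciphers` line, and `ssl_prefer_server_ciphers` switched on) assembled into a complete `server` block, as an added example that is not from this thread and not nginx's own shipped configuration. The cipher string is the one quoted above, unchanged and therefore current as of the August 2015 discussion; the listen port, server name and certificate paths are placeholders.

```nginx
# Added example, not nginx's default nginx.conf: the proposed TLS settings in context.
server {
    listen              443 ssl;                        # placeholder
    server_name         example.com;                    # placeholder
    ssl_certificate     /etc/nginx/ssl/example.com.crt; # placeholder path
    ssl_certificate_key /etc/nginx/ssl/example.com.key; # placeholder path

    # Security note: best practices for ssl_ciphers frequently change over time.
    # Check https://mozilla.github.io/server-side-tls/ssl-config-generator for
    # more recent settings
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA;

    # Let the server's ordering above, not the client's, decide which suite is negotiated.
    ssl_prefer_server_ciphers on;
}
```

Two checks before relying on this: `nginx -t` confirms the file parses, and `openssl ciphers -v '<the string above>'` shows which suites the local OpenSSL build actually expands the string to. The string is handed to OpenSSL as-is, and names the library does not recognise are dropped rather than reported, so the expanded list is the one that will really be offered; that is also why the note about re-checking the string over time matters.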