I mentioned in my last email message that I was investigating discrepancies between your results and mine: I've since confirmed I'd used ssl_dhparam from Mozilla's preferred config and not included this in the actual patch. I apologise, Thomas.

Thanks for including your own handshake results as it's given me something to compare against and helped move the discussion forward.

With the following setup:

- Adding dh_param
- nginx hg revision 6217
- 'HIGH:!aNULL:!MD5' as defined in openssl 1.0.1e (too long to paste)

I can get an A out of the box - see https://archive.is/fEcdv.

I believe this means we're in sync: provided the user keeps openssl up to date, adding dh_param should fix the ssllabs warnings. I was trying to save nginx users some additional work, and not correctly identifying the parameter that resolved the warning was my mistake.

Would nginx accept a patch to include dh_params in the example config?
