On 9/01/2014 8:29 PM, pekka.pan...@sofor.fi wrote:
Hi

The current values I use in my nginx configuration for ssl_protocols/ciphers
are these:

ssl_protocols      SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers  RC4:HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers   on;

What are today's recommendations for the ssl_ciphers option for supporting
all current OSes and browsers, even Windows XP users with IE?
Can I disable RC4?

My nginx is compiled with OpenSSL v1.0.1.


_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx


The current consensus suggests that mitigating RC4 vulnerabilities is more important than BEAST attack concerns, which are all but mitigated client-side. If you want to deploy protocols to cater for a wide range of browsers (including XP IE), implement the following (which will fall back to RC4 as a last resort):

ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:+RC4:RC4";

Otherwise, exclude RC4 with the following:

ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4";


--
syn.bsdbox.co
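As an added illustration (not part of either message above), here is a small Python model of the OpenSSL cipher-string rules the two lists rely on: tokens are `:`-separated, `A+B` requires both properties, a plain token appends new matches, `+T` moves matches to the end, and `!T` deletes matches for good. It runs both lists from the reply over a constructed eight-suite table (not OpenSSL's real table) to show why the first list keeps RC4 only as a last resort and the second leaves no RC4 at all.

```python
# Constructed miniature cipher table: suite name -> OpenSSL cipher-string properties
# it matches. Just enough suites to trace the two ssl_ciphers lists, not a real table.
SUITES = {
    "ECDHE-ECDSA-AES128-GCM-SHA256": {"EECDH", "ECDSA", "AESGCM", "HIGH"},
    "ECDHE-RSA-AES128-GCM-SHA256":   {"EECDH", "aRSA", "AESGCM", "HIGH"},
    "ECDHE-RSA-AES256-SHA384":       {"EECDH", "aRSA", "SHA384", "HIGH"},
    "ECDHE-RSA-RC4-SHA":             {"EECDH", "aRSA", "RC4"},
    "DHE-RSA-AES128-SHA":            {"EDH", "aRSA", "HIGH"},
    "RC4-SHA":                       {"kRSA", "aRSA", "RC4"},
    "DES-CBC3-SHA":                  {"kRSA", "aRSA", "3DES", "HIGH"},
    "AECDH-AES128-SHA":              {"EECDH", "aNULL"},  # anonymous ECDH, no auth
}

def expand(cipher_string):
    """Resolve an OpenSSL-style cipher string against SUITES; return the ordered list.
    ':' separates tokens; 'A+B' matches suites having every listed property;
    plain token: append matches not yet present; '+T': move matches to the end;
    '-T': remove (may be re-added later); '!T': remove and block for the rest."""
    selected, killed = [], set()
    for token in cipher_string.split(":"):
        if not token:
            continue
        op = token[0] if token[0] in "+-!" else ""
        needed = set(token.lstrip("+-!").split("+"))
        matches = [s for s, props in SUITES.items() if needed <= props]
        if op == "!":
            killed.update(matches)
            selected = [s for s in selected if s not in matches]
        elif op == "-":
            selected = [s for s in selected if s not in matches]
        elif op == "+":
            moved = [s for s in selected if s in matches]
            selected = [s for s in selected if s not in matches] + moved
        else:
            selected += [s for s in matches if s not in selected and s not in killed]
    return selected

COMMON = ("EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:"
          "EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:"
          "!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS")
WITH_RC4_FALLBACK = COMMON + ":+RC4:RC4"   # first list in the reply
NO_RC4 = COMMON + ":!RC4"                  # second list in the reply

def uses_rc4(cipher_string):
    """Suites left in the expanded list that still use RC4, in negotiation order."""
    return [s for s in expand(cipher_string) if "RC4" in SUITES[s]]

if __name__ == "__main__":
    for name, cs in (("with RC4 fallback", WITH_RC4_FALLBACK), ("no RC4", NO_RC4)):
        print(name, "->", expand(cs), "RC4 suites:", uses_rc4(cs))
```

On a host with OpenSSL installed, `openssl ciphers -v '<string>'` prints the authoritative expansion against the real suite table, which is the check to run before deploying either list.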
