On Thu, Jan 9, 2014 at 4:53 AM, Lukas Tribus <luky...@hotmail.com> wrote:
>> My current values in my nginx configuration for ssl_protocols/ciphers
>> what I use is this:
>>
>> ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
>> ssl_ciphers RC4:HIGH:!aNULL:!MD5;
>> ssl_prefer_server_ciphers on;
>>
>> What are today's recommendations for the ssl_ciphers option for supporting
>> all current OSes and browsers, even Windows XP users with IE?
>> Can I disable RC4?
>
> Personally, I'm following Mozilla's deployment recommendations:
> https://wiki.mozilla.org/Security/Server_Side_TLS

Mozilla claims RC4 is "High Grade" encryption even though it has serious vulnerabilities when used in TLS (https://bugzilla.mozilla.org/show_bug.cgi?id=947149). They remove 3-key TDEA with 112 bits of security (which is currently approved by ECRYPT, ISO/IEC, NIST, and NESSIE).

Related, their browser claims plain text HTTP is good (no user warnings), and HTTPS with a self-signed certificate is bad (big red flags for opportunistic encryption). When did plain text become better than cipher text? And they also rewarded Trustwave's bad behavior way back when (https://bugzilla.mozilla.org/show_bug.cgi?id=724929).

I'm not sure I would follow Mozilla's lead.

Jeff
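As an added example (not from the thread, nginx or Mozilla), a small Python linter that parses the three directives quoted above and reports whether the cipher string still admits RC4 by explicit token and whether SSLv3 is enabled; the hardened fragment, the finding texts and the token-walking rules are my own assumptions, and alias expansion (HIGH, MEDIUM) is deliberately not modelled because it depends on the OpenSSL build.

```python
import re

# Constructed sample: the nginx fragment quoted at the top of the thread.
QUOTED_CONF = """
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers RC4:HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
"""

# Constructed hardened variant: RC4 killed with '!RC4', SSLv3 dropped (assumed, not from the thread).
HARDENED_CONF = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5:!RC4;
ssl_prefer_server_ciphers on;
"""

DIRECTIVE_RE = re.compile(
    r"^\s*(ssl_protocols|ssl_ciphers|ssl_prefer_server_ciphers)\s+([^;]*);", re.M)

def parse_ssl_directives(conf):
    """Map each TLS directive to its argument list (a repeated directive keeps the last value)."""
    return {name: value.split() for name, value in DIRECTIVE_RE.findall(conf)}

def cipher_string_keeps(cipher_string, alg):
    """True if an OpenSSL-style cipher string still allows `alg` by explicit token.

    Walks tokens left to right: '!alg' deletes for the rest of the string, '-alg' deletes
    until re-added, '+alg' only reorders, and 'alg' or a suite name such as 'RC4-SHA' adds.
    Aliases like HIGH are not expanded; confirm with `openssl ciphers -v '<string>'`.
    """
    allowed = False
    for token in cipher_string.split(":"):
        if token == "!" + alg:
            return False
        if token == "-" + alg:
            allowed = False
        elif not token.startswith(("+", "!", "-")) and alg in token.split("-"):
            allowed = True
    return allowed

def lint_ssl_config(conf):
    """Return a list of findings (empty list means none of the checks fired)."""
    d = parse_ssl_directives(conf)
    findings = []
    if {"SSLv2", "SSLv3"} & set(d.get("ssl_protocols", [])):
        findings.append("ssl_protocols: SSLv2/SSLv3 enabled")
    if cipher_string_keeps(d.get("ssl_ciphers", [""])[0], "RC4"):
        findings.append("ssl_ciphers: RC4 explicitly allowed")
    if d.get("ssl_prefer_server_ciphers", ["off"])[0] != "on":
        findings.append("ssl_prefer_server_ciphers: off, client picks the suite")
    return findings
```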