On 1/12/2014 9:42 AM, Axel wrote:
I juggled around with ssl ciphers and tried to disable RC4, but still be
able to serve IE under WinXP.

Those ciphers are my choice - if anyone has 'better' ciphers or prefers
another order i am pleased to hear...

ssl_ciphers
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-
AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA256:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-

CBC3-SHA:AES256-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!PSK:!RC4:!MD5:!LOW;

HIGH will add in only high-grade ciphers, so you don't need to add them
manually or exclude export- and low-grade ciphers.  You can
use @STRENGTH to sort the list for you instead of doing it by hand:

ssl_ciphers HIGH:!CAMELLIA:!RC4:!PSK:!aNULL:@STRENGTH;

XP schannel (IE, Outlook, et al) lacks AES support, IE6 only does SSLv3.

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

Reply via email to