After reading "nginx does not suck at ssl":

http://matt.io/entry/ur

I'm using:

ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!MEDIUM:!LOW:!EXP:!kEDH:RC4+RSA:+HIGH;

Is this a good choice?

- Grant
on 2013-03-10 06:55
on 2013-03-10 11:03
one quote from that post i can confirm:

> nobody has any idea how SSL performance works

esp. when it comes to CIPHER1 vs CIPHER, compared
in terms of speed and security.

what i can suggest to test if your ssl-implementation is still
secure from a cipher-pov is
https://www.ssllabs.com/ssltest/

Grant Wrote:
-------------------------------------------------------
> - Grant
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,237175,237179#msg-237179
on 2013-03-10 22:41
> one quote from that post i can confirm:
>
>> nobody has any idea how SSL performance works
>
> esp. when it comes to CIPHER1 vs CIPHER, compared
> in terms of speed and security.
>
> what i can suggest to test if your ssl-implementation is still
> secure from a cipher-pov is
> https://www.ssllabs.com/ssltest/

All things considered, do you think it's best to leave ssl_ciphers default?

- Grant
on 2013-03-11 09:42
On Sat, 9 Mar 2013 21:55:13 -0800, Grant <emailgrant@gmail.com> wrote:
> After reading "nginx does not suck at ssl":
>
> http://matt.io/entry/ur
>
> I'm using:
>
> ssl_ciphers
> ALL:!aNULL:!ADH:!eNULL:!MEDIUM:!LOW:!EXP:!kEDH:RC4+RSA:+HIGH;

Some of us use the following to mitigate BEAST attacks:

ssl_ciphers ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!aNULL:!MD5:!EDH;

r. M.
on 2013-03-11 20:45
> ssl_ciphers ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!aNULL:!MD5:!EDH;

Thanks Mark, this is supposed to mitigate BEAST as well and it's only
slightly different than the default:

ssl_ciphers RC4:HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

Here is mex's link again:

https://www.ssllabs.com/ssltest/

I use the following for better performance:

ssl_ciphers RC4:HIGH:!aNULL:!MD5:!kEDH;

Reference:

http://www.hybridforge.com/blog/nginx-ssl-ciphers-...

- Grant
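
To see what the ssl_ciphers values quoted in this thread select, here is an added example (not code from any poster, nginx or OpenSSL): a simplified Python model of the rule syntax documented in OpenSSL's ciphers(1), run over a small constructed suite table. The table, its order and its strength tags are assumptions, with 128-bit RC4 tagged MEDIUM as in OpenSSL 1.0.x.

```python
# Simplified model of OpenSSL cipher-string rules (ciphers(1)); not OpenSSL itself.
# SUITES is a constructed sample: suite name -> alias tags. Table order stands in
# for OpenSSL's built-in preference order. @STRENGTH and eNULL suites are not modelled.
SUITES = {
    "ECDHE-RSA-AES128-SHA256": {"kEECDH", "aRSA", "AES", "SHA256", "HIGH"},
    "ECDHE-RSA-RC4-SHA":       {"kEECDH", "aRSA", "RC4", "SHA1", "MEDIUM"},
    "DHE-RSA-AES256-SHA":      {"kEDH", "EDH", "aRSA", "AES", "SHA1", "HIGH"},
    "AES128-GCM-SHA256":       {"kRSA", "RSA", "aRSA", "AES", "AESGCM", "HIGH"},
    "AES256-SHA":              {"kRSA", "RSA", "aRSA", "AES", "SHA1", "HIGH"},
    "RC4-SHA":                 {"kRSA", "RSA", "aRSA", "RC4", "SHA1", "MEDIUM"},
    "RC4-MD5":                 {"kRSA", "RSA", "aRSA", "RC4", "MD5", "MEDIUM"},
    "ADH-AES128-SHA":          {"kEDH", "ADH", "aNULL", "AES", "SHA1", "HIGH"},
    "DES-CBC-SHA":             {"kRSA", "RSA", "aRSA", "DES", "SHA1", "LOW"},
}

def expand(cipher_string):
    """Return the ordered suite list a cipher string selects from SUITES."""
    active, killed = [], set()
    for rule in cipher_string.strip().rstrip(";").split(":"):
        op = rule[:1] if rule[:1] in ("!", "-", "+") else ""
        terms = rule[len(op):].split("+")          # "RC4+RSA" means RC4 AND RSA
        hits = [name for name, tags in SUITES.items() if name not in killed
                and all(t == "ALL" or t == name or t in tags for t in terms)]
        if op == "!":                               # remove permanently
            killed.update(hits)
            active = [n for n in active if n not in hits]
        elif op == "-":                             # remove, may be re-added later
            active = [n for n in active if n not in hits]
        elif op == "+":                             # move enabled suites to the end
            active = [n for n in active if n not in hits] + [n for n in active if n in hits]
        else:                                       # append suites not yet enabled
            active += [n for n in hits if n not in active]
    return active

# The four ssl_ciphers values quoted in the thread.
THREAD_STRINGS = [
    "ALL:!aNULL:!ADH:!eNULL:!MEDIUM:!LOW:!EXP:!kEDH:RC4+RSA:+HIGH",
    "ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!aNULL:!MD5:!EDH",
    "RC4:HIGH:!aNULL:!MD5",
    "RC4:HIGH:!aNULL:!MD5:!kEDH",
]

if __name__ == "__main__":
    for s in THREAD_STRINGS:
        print(s)
        print("  ->", ", ".join(expand(s)))
```

In this model `!MEDIUM` permanently removes every RC4 suite before `RC4+RSA` is reached, so the first string ends up with no RC4 at all; on a real host, `openssl ciphers -v '<string>'` shows the actual expansion for the installed build.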