It looks like these changes from default are required for SSL session resumption and to mitigate the BEAST SSL vulnerability:

    ssl_session_cache shared:SSL:10m;
    ssl_ciphers RC4:HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

Should the defaults be changed to these?

- Grant
on 2013-03-11 05:49
on 2013-03-11 11:53
Hello!

On Sun, Mar 10, 2013 at 09:48:47PM -0700, Grant wrote:

> It looks like these changes from default are required for SSL session
> resumption and to mitigate the BEAST SSL vulnerability:
>
> ssl_session_cache shared:SSL:10m;
> ssl_ciphers RC4:HIGH:!aNULL:!MD5;
> ssl_prefer_server_ciphers on;
>
> Should the defaults be changed to these?

The BEAST attack could be mitigated by various means, including switching to TLS 1.1/1.2 (you probably do not want to due to compatibility reasons) and/or fixing it on the client side (which is considered to be the right solution and is already implemented by all modern browsers).

Use of the RC4 cipher is more a workaround than a permanent solution, and hence there are no plans to make it the default.

--
Maxim Dounin
http://nginx.org/en/donation.html
on 2013-03-11 20:38
> switching to TLS 1.1/1.2 (you probably do not want to due to
> compatibility reasons) and/or fixing it on a client side (which is
> considered to be right solution and already implemented by all
> modern browsers).
>
> Use of the RC4 cipher is more a workaround than a permanent
> solution, and hence there are no plans to make it the default.

OK, why not enable SSL session resumption by default?

    ssl_session_cache shared:SSL:10m;

- Grant
on 2013-03-12 10:49
Hello!

On Mon, Mar 11, 2013 at 12:37:37PM -0700, Grant wrote:

> > switching to TLS 1.1/1.2 (you probably do not want to due to
> > compatibility reasons) and/or fixing it on a client side (which is
> > considered to be right solution and already implemented by all
> > modern browsers).
> >
> > Use of the RC4 cipher is more a workaround than a permanent
> > solution, and hence there are no plans to make it the default.
>
> OK, why not enable SSL session resumption by default?
>
> ssl_session_cache shared:SSL:10m;

E.g. because it won't work on some platforms.

--
Maxim Dounin
http://nginx.org/en/donation.html
on 2013-03-12 19:59
>> OK, why not enable SSL session resumption by default?
>>
>> ssl_session_cache shared:SSL:10m;
>
> E.g. because it won't work on some platforms.

I'm sorry to bother about this, but do you mean it won't work on some servers or in some browsers? If you mean browsers, will it prevent SSL from working at all in those browsers, or would a browser error appear?

- Grant
on 2013-03-13 00:01
Hello!

On Tue, Mar 12, 2013 at 11:58:51AM -0700, Grant wrote:

> >> OK, why not enable SSL session resumption by default?
> >>
> >> ssl_session_cache shared:SSL:10m;
> >
> > E.g. because it won't work on some platforms.
>
> I'm sorry to bother about this, but do you mean it won't work on some
> servers or in some browsers? If you mean browsers, will it prevent
> SSL from working at all in those browsers or would a browser error
> appear?

It won't work on some server platforms (e.g. on modern win32, see http://nginx.org/en/docs/windows.html).

--
Maxim Dounin
http://nginx.org/en/donation.html
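Since the thread turns on whether session resumption (what ssl_session_cache enables) actually works on a given server, here is an added check that is not part of the original posts: it uses `openssl s_client -reconnect`, which performs one full handshake and then reconnects five times with the same session, and counts how many of those handshakes the server reports as "Reused" versus "New". The host name and the sample output below are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the nginx thread): verify TLS session resumption.
# `openssl s_client -reconnect` prints one line per handshake that starts with
# either "New, ..." (full handshake) or "Reused, ..." (session resumed).

# Count resumed vs. full handshakes in s_client output read from stdin.
# Output: "reused=<n> new=<n>". A working ssl_session_cache gives reused=5 new=1;
# reused=0 means the server is not resuming sessions at all.
count_resumptions() {
    awk '/^Reused, /{r++} /^New, /{n++} END{printf "reused=%d new=%d\n", r+0, n+0}'
}

# Live check against a server (needs network; host is an assumption).
# Usage: check_resumption example.com
check_resumption() {
    host=$1
    echo | openssl s_client -connect "$host:443" -servername "$host" -reconnect 2>/dev/null \
        | count_resumptions
}

# Constructed sample of s_client -reconnect output (not a real capture), so the
# counting logic can be exercised offline: one full handshake, five resumptions.
SAMPLE_OUTPUT='New, TLSv1/SSLv3, Cipher is AES256-SHA
Reused, TLSv1/SSLv3, Cipher is AES256-SHA
Reused, TLSv1/SSLv3, Cipher is AES256-SHA
Reused, TLSv1/SSLv3, Cipher is AES256-SHA
Reused, TLSv1/SSLv3, Cipher is AES256-SHA
Reused, TLSv1/SSLv3, Cipher is AES256-SHA'

# Constructed sample of a server with no session cache: every handshake is full.
SAMPLE_NO_CACHE='New, TLSv1/SSLv3, Cipher is AES256-SHA
New, TLSv1/SSLv3, Cipher is AES256-SHA
New, TLSv1/SSLv3, Cipher is AES256-SHA
New, TLSv1/SSLv3, Cipher is AES256-SHA
New, TLSv1/SSLv3, Cipher is AES256-SHA
New, TLSv1/SSLv3, Cipher is AES256-SHA'

# Offline demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_OUTPUT" | count_resumptions
printf '%s\n' "$SAMPLE_NO_CACHE" | count_resumptions
```

On a platform where the shared cache is unavailable (the win32 case above), the live check shows every reconnect as "New", which is how the limitation surfaces in practice rather than as a client error.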