"nginx does not suck at ssl"

After reading “nginx does not suck at ssl”:

http://matt.io/entry/ur

I’m using:

ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!MEDIUM:!LOW:!EXP:!kEDH:RC4+RSA:+HIGH;

Is this a good choice?

  • Grant

one quote from that post i can confirm:

nobody has any idea how SSL performance works

esp. when it comes to CIPHER1 vs CIPHER, compared
in terms of speed and security.

what i can suggest to test if your ssl-implementation is still
secure from a cipher-pov is


one quote from that post i can confirm:

nobody has any idea how SSL performance works

esp. when it comes to CIPHER1 vs CIPHER, compared
in terms of speed and security.

what i can suggest to test if your ssl-implementation is still
secure from a cipher-pov is
SSL Server Test (Powered by Qualys SSL Labs)

All things considered, do you think it’s best to leave ssl_ciphers
default?

  • Grant

On Sat, 9 Mar 2013 21:55:13 -0800, Grant wrote:

After reading “nginx does not suck at ssl”:

http://matt.io/entry/ur

I’m using:

ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!MEDIUM:!LOW:!EXP:!kEDH:RC4+RSA:+HIGH;

Some of us use the following to mitigate BEAST attacks:
ssl_ciphers ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!aNULL:!MD5:!EDH;

r.

M.

ssl_ciphers ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!aNULL:!MD5:!EDH;
Thanks Mark, this is supposed to mitigate BEAST as well and it’s only
slightly different than the default:

ssl_ciphers RC4:HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

Here is mex’s link again:

I use the following for better performance:

ssl_ciphers RC4:HIGH:!aNULL:!MD5:!kEDH;

Reference:
http://www.hybridforge.com/blog/nginx-ssl-ciphers-and-pci-compliance

  • Grant
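
To see what each ssl_ciphers value quoted in this thread actually selects on a given machine, the following added example (not code from any poster or from nginx) expands them with Python's ssl module against the locally linked OpenSSL. The dictionary labels are chosen for this example, and the counts depend on the OpenSSL build, for instance on whether RC4 is compiled in.

```python
import ssl

# Cipher strings quoted in the thread, nginx's trailing ';' removed.
# The dictionary keys are labels chosen for this example.
THREAD_STRINGS = {
    "question": "ALL:!aNULL:!ADH:!eNULL:!MEDIUM:!LOW:!EXP:!kEDH:RC4+RSA:+HIGH",
    "beast": "ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!aNULL:!MD5:!EDH",
    "default": "RC4:HIGH:!aNULL:!MD5",
    "performance": "RC4:HIGH:!aNULL:!MD5:!kEDH",
}


def expand(cipher_string):
    """Return the suites the local OpenSSL selects for an ssl_ciphers value."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are not controlled by this string and are always
    # listed, so they are left out of the comparison.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def summarize(cipher_string):
    """Count the properties the thread argues about, in server order."""
    suites = expand(cipher_string)
    return {
        "total": len(suites),
        # With ssl_prefer_server_ciphers on, the first entry wins when the
        # client supports it.
        "first": suites[0]["name"] if suites else None,
        "rc4": sum("RC4" in c["name"] for c in suites),
        "anonymous": sum(c["auth"] == "auth-null" for c in suites),
        "dhe": sum(c["kea"] == "kx-dhe" for c in suites),
        "ecdhe": sum(c["kea"] == "kx-ecdhe" for c in suites),
    }


if __name__ == "__main__":
    print("linked against", ssl.OPENSSL_VERSION)
    for label, value in THREAD_STRINGS.items():
        print(label, summarize(value))
```

Comparing the "default" and "performance" rows shows that `!kEDH` removes exactly the finite-field DHE suites and leaves the ECDHE ones in place.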