SSL default changes?

It looks like these changes from default are required for SSL session
resumption and to mitigate the BEAST SSL vulnerability:

ssl_session_cache shared:SSL:10m;
ssl_ciphers RC4:HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

Should the defaults be changed to these?

  • Grant

Hello!

On Sun, Mar 10, 2013 at 09:48:47PM -0700, Grant wrote:

It looks like these changes from default are required for SSL session
resumption and to mitigate the BEAST SSL vulnerability:

ssl_session_cache shared:SSL:10m;
ssl_ciphers RC4:HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

Should the defaults be changed to these?

The BEAST attack could be mitigated by various means, including
switching to TLS 1.1/1.2 (you probably do not want to due to
compatibility reasons) and/or fixing it on a client side (which is
considered to be the right solution and already implemented by all
modern browsers).

Use of the RC4 cipher is more a workaround than a permanent
solution, and hence there are no plans to make it the default.


Maxim D.
http://nginx.org/en/donation.html

switching to TLS 1.1/1.2 (you probably do not want to due to
compatibility reasons) and/or fixing it on a client side (which is
considered to be the right solution and already implemented by all
modern browsers).

Use of the RC4 cipher is more a workaround than a permanent
solution, and hence there are no plans to make it the default.

OK, why not enable SSL session resumption by default?

ssl_session_cache shared:SSL:10m;

  • Grant

Hello!

On Mon, Mar 11, 2013 at 12:37:37PM -0700, Grant wrote:

switching to TLS 1.1/1.2 (you probably do not want to due to
compatibility reasons) and/or fixing it on a client side (which is
considered to be the right solution and already implemented by all
modern browsers).

Use of the RC4 cipher is more a workaround than a permanent
solution, and hence there are no plans to make it the default.

OK, why not enable SSL session resumption by default?

ssl_session_cache shared:SSL:10m;

E.g. because it won’t work on some platforms.


Maxim D.
http://nginx.org/en/donation.html

Hello!

On Tue, Mar 12, 2013 at 11:58:51AM -0700, Grant wrote:

OK, why not enable SSL session resumption by default?

ssl_session_cache shared:SSL:10m;

E.g. because it won’t work on some platforms.

I’m sorry to bother about this, but do you mean it won’t work on some
servers or in some browsers? If you mean browsers, will it prevent
SSL from working at all in those browsers or would a browser error
appear?

It won’t work on some server platforms (e.g. on modern win32, see
nginx for Windows).


Maxim D.
http://nginx.org/en/donation.html

OK, why not enable SSL session resumption by default?

ssl_session_cache shared:SSL:10m;

E.g. because it won’t work on some platforms.

I’m sorry to bother about this, but do you mean it won’t work on some
servers or in some browsers? If you mean browsers, will it prevent
SSL from working at all in those browsers or would a browser error
appear?

  • Grant