Forum: NGINX SSL ciphers preference

B.R. (Guest)
on 2014-09-01 16:57
(Received via mailing list)
Hello,

I filed a (now closed, because erroneous) enhancement ticket:
http://trac.nginx.org/nginx/ticket/619

As it appears, the change I noticed in the SSL test did not result from my
malformed ciphers list.
Right about that.

However, what is intriguing is the answer Maxim gave me on the second part
of my proposal: the default activation of ssl_prefer_server_ciphers
<http://nginx.org/en/docs/http/ngx_http_ssl_module....
.

He said that this option put to on made sense with a custom list but not
with the default one.

I confirm that the results of my tests changed. It was not because of the
ciphers list, but it was due to that other change.
Thus, the ciphers used by the emulated clients of the test changed
following the activation of that option, allowing me to pass the 'Forward
Secrecy' part of the test, resulting in an upgrade of my score from A- to A.

I just checked it again, removing my buggy ciphers list and (de)activating
the 'prefer' option.

If using that option with the default ciphers list was useless, why did
that change have an impact on the results of my test?
---
*B. R.*
Maxim Dounin (Guest)
on 2014-09-01 20:07
(Received via mailing list)
Hello!

On Mon, Sep 01, 2014 at 04:56:00PM +0200, B.R. wrote:

> of my proposal: the default activation of ssl_prefer_server_ciphers
> Secrecy' part of the test, resulting in an upgrade of my score from A- to A.
>
> I just checked it again, removing my buggy ciphers list and (de)activating
> the 'prefer' option.
>
> If using that option with the default ciphers list was useless, why did
> that change have an impact on the results of my test?

Switching on or off ssl_prefer_server_ciphers obviously may change
score as reported by SSL Labs, since it can (and likely will)
change ciphers negotiated in some cases.  But it's usually not
a good idea to switch it on unless you understand the results and
have a good reason to do so.

By default, OpenSSL sorts ciphers per symmetric encryption
strength, and prefers ciphers with forward secrecy if strength is
identical.  As a result you may get better forward secrecy support
if you'll switch on ssl_prefer_server_ciphers - or not, depending
on actual ciphers supported by clients.  E.g., AES256-SHA will be
preferred over ECDHE-RSA-AES128-SHA, which is probably not what
you want.

Another example: DHE-RSA-AES256-SHA256 will be preferred over
ECDHE-RSA-AES128-SHA256.  On the other hand, you probably
don't want DHE to be used at all for performance reasons.

--
Maxim Dounin
http://nginx.org/
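To make the effect Maxim describes concrete, here is an added example (not code from the thread or from nginx) that models which suite a handshake selects with ssl_prefer_server_ciphers off versus on. The server and client cipher lists are constructed to follow the ordering rule he states (sorted by symmetric strength, forward secrecy only as a tie-breaker); they are not the real OpenSSL DEFAULT list of any release.

```python
# Model of TLS cipher-suite negotiation under nginx's ssl_prefer_server_ciphers.
# All cipher lists below are constructed for illustration only.

# Server list in the order OpenSSL would offer it: sorted by symmetric key
# strength first, with forward secrecy (ECDHE/DHE) only breaking ties.
SERVER_DEFAULT_ORDER = [
    "DHE-RSA-AES256-SHA256",     # 256-bit, forward secrecy via DHE (slow)
    "AES256-SHA",                # 256-bit, no forward secrecy
    "ECDHE-RSA-AES128-SHA256",   # 128-bit, forward secrecy via ECDHE
    "ECDHE-RSA-AES128-SHA",      # 128-bit, forward secrecy via ECDHE
    "AES128-SHA",                # 128-bit, no forward secrecy
]

# Constructed client that prefers ECDHE at 128 bits (Maxim's first example).
CLIENT_OFFER = ["ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES128-SHA256",
                "AES256-SHA", "AES128-SHA"]

# Constructed client that also supports DHE (Maxim's second example).
CLIENT_OFFER_WITH_DHE = ["ECDHE-RSA-AES128-SHA256", "DHE-RSA-AES256-SHA256",
                         "AES256-SHA"]


def has_forward_secrecy(cipher):
    """Ephemeral (EC)DHE key exchange is what provides forward secrecy."""
    return cipher.startswith(("ECDHE-", "DHE-"))


def negotiate(server_order, client_offer, prefer_server_ciphers):
    """Return the suite a handshake would select, or None if none overlap.

    off: walk the client's list and take the first suite the server supports.
    on:  walk the server's list and take the first suite the client supports.
    """
    if prefer_server_ciphers:
        first, other = server_order, set(client_offer)
    else:
        first, other = client_offer, set(server_order)
    return next((c for c in first if c in other), None)


if __name__ == "__main__":
    for client in (CLIENT_OFFER, CLIENT_OFFER_WITH_DHE):
        for setting in (False, True):
            chosen = negotiate(SERVER_DEFAULT_ORDER, client, setting)
            print(f"prefer_server_ciphers={'on' if setting else 'off'}: "
                  f"{chosen} (forward secrecy: {has_forward_secrecy(chosen)})")
```

With the default server order, switching the option on makes the first client fall from ECDHE-RSA-AES128-SHA to AES256-SHA (losing forward secrecy) and steers the second client onto the slower DHE suite, which is exactly why a custom ordered list is expected before turning it on.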
B.R. (Guest)
on 2014-09-01 20:36
(Received via mailing list)
Loud and clear.

I am no expert at OpenSSL cipher suites.
I found this resource
<https://community.qualys.com/blogs/securitylabs/20...
that might prove useful, on their own website.
At least, that is a start to understand what you are doing...

Thanks!
---
*B. R.*