Re: strong ssl ciphers - browsers

May 08, 2012 07:24PM
On 5/8/12 6:15 PM, Lukas Tribus wrote:
>
> Hi Hajo,
>
>
> BEAST has nothing to do with weak ciphers. Because the workaround is to prefer RC4 over AES from the server side, you are not excluding any browsers (however, a short check with the oldest supported platform isn't a bad idea either).

My advice to the OP is that if you want to provide secure connections
for your users, you will simply not support browsers that *only* use
insecure ciphers so I believe this is a non-issue. I wouldn't purport to
provide a "secure" connection with an insecure cipher. Let your users
upgrade to a 21st century browser. Shame on them if they haven't.

>
> I noticed the documentation about the default of the ssl_ciphers keyword isn't up-to-date: !ADH was replaced with !aNULL in 1.0.5 [2]. Can someone update the docs?
>

Somewhat off topic but:

Perhaps it is reasonable to suggest another change to the defaults
in light of BEAST.

We use OpenSSL 1.01 and support TLS versions 1.0, 1.1, and 1.2 and use
the following:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!DH:!EDH;
ssl_prefer_server_ciphers on;

Using latest Opera or IE browsers TLS v1.2 is used along with one of the
first two ciphers which I believe are not available in SSL v3.0 or TLS
v1.0. Since TLS v1.2 is not vulnerable to BEAST those connections should
be "secure".

In browsers like Firefox and Chrome (and presumably Safari, but I don't
know how to tell), TLS v1.0 is used and an RC4 cipher is selected. This
again provides protection against BEAST.


While this approach won't work for users without a recent OpenSSL
release, the following might work for earlier versions as "more secure"
default settings:

ssl_ciphers RC4:HIGH:!MD5:!aNULL:!DH:!EDH;
ssl_prefer_server_ciphers on;

>
>
> [1] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers
>
> [2] http://forum.nginx.org/read.php?29,206670,207923

--
Jim Ohlstein

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
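
Added example (not part of the original message and not nginx or OpenSSL code): a small Python model of how the server picks a cipher suite under the settings discussed above, showing what ssl_prefer_server_ciphers changes for a TLS v1.0 client that lists AES first. The expanded suite order and the three client offers are constructed assumptions; the real order for a given build comes from `openssl ciphers -v`.

```python
# Added illustration: models only the server's cipher choice, not a TLS stack.
# SERVER_ORDER is a constructed, abbreviated expansion of the ssl_ciphers
# string from the message; a real order comes from `openssl ciphers -v`.
SERVER_ORDER = [
    "ECDHE-RSA-AES256-SHA384", "AES256-SHA256",          # listed explicitly
    "ECDHE-RSA-RC4-SHA", "RC4-SHA",                      # RC4 (RC4-MD5 dropped by !MD5)
    "ECDHE-RSA-AES256-SHA", "AES256-SHA", "AES128-SHA",  # part of HIGH
]
TLS12_ONLY = {"ECDHE-RSA-AES256-SHA384", "AES256-SHA256"}  # SHA-2 MAC suites
LEGACY = {"SSLv3", "TLSv1"}  # protocol versions affected by BEAST


def negotiate(client_offer, version, prefer_server=True):
    """Return the suite the server picks, or None if nothing is shared."""
    def usable(suite):
        return version == "TLSv1.2" or suite not in TLS12_ONLY
    if prefer_server:
        order, other = SERVER_ORDER, set(client_offer)
    else:
        order, other = client_offer, set(SERVER_ORDER)
    for suite in order:
        if suite in other and usable(suite):
            return suite
    return None


def beast_exposed(version, suite):
    """BEAST needs a CBC suite on SSL 3.0 / TLS 1.0; every non-RC4 suite here is CBC."""
    return version in LEGACY and suite is not None and "RC4" not in suite


# Constructed client offers, in client preference order.
CLIENTS = {
    "tls12": ("TLSv1.2", ["ECDHE-RSA-AES256-SHA384", "AES256-SHA", "RC4-SHA"]),
    "tls10": ("TLSv1", ["AES256-SHA", "AES128-SHA", "RC4-SHA"]),
    "tls10_no_rc4": ("TLSv1", ["AES256-SHA", "AES128-SHA"]),
}


def report(prefer_server=True):
    """Map each sample client to (chosen suite, still exposed to BEAST?)."""
    return {name: (s := negotiate(offer, ver, prefer_server), beast_exposed(ver, s))
            for name, (ver, offer) in CLIENTS.items()}


if __name__ == "__main__":
    for prefer in (True, False):
        print("ssl_prefer_server_ciphers", "on" if prefer else "off", report(prefer))
```

The third client shows the limit of the approach: a TLS v1.0 client that offers no RC4 suite still connects through HIGH and ends up on a CBC suite.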