Re: Default SSL protocols

Calomel Org
October 06, 2009 03:28PM
I would vote to only allow the highest and most secure ciphers
supported by the majority of modern search bots and browsers.

ssl on;
ssl_ciphers HIGH:!ADH:!MD5;
ssl_prefer_server_ciphers on;
ssl_protocols SSLv3;

Do not allow export controlled, anonymous or MD5 ciphers due to their
weak encryption. Allow only AES 128 or 256 bit and 3DES 168 bit. 3DES
is necessary to allow most modern search bots like Google, Yahoo and
Bing access to the site if needed.

user@machine: openssl ciphers -ssl3 -v 'HIGH:!ADH:!MD5:@STRENGTH'
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1


My reasoning and detailed explanations can be found at:

Guide to Webserver SSL Certificates
https://calomel.org/ssl_certs.html

--
Calomel @ https://calomel.org
Open Source Research and Reference


On Sun, Oct 04, 2009 at 03:53:11PM -0400, Igor Sysoev wrote:
>On Sat, Oct 03, 2009 at 11:07:44PM +0100, Matt Goodall wrote:
>
>> I just noticed that the SSL module enables SSLv2 by default,
>> "ssl_protocols SSLv2 SSLv3 TLSv1 " (see
>> http://wiki.nginx.org/NginxHttpSslModule#ssl_protocols).
>>
>> Given that SSLv2 is generally considered "weak" these days
>> (http://en.wikipedia.org/wiki/Secure_Sockets_Layer#Security) and is
>> disabled in most modern browsers would it make sense to change the
>> default to "ssl_protocols SSLv3 TLSv1"?
>
>I thought to disable it by default some time ago.
>I will disable it in next 0.8.18 version.
>
>
>--
>Igor Sysoev
>http://sysoev.ru/en/
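Added here as a worked example (my own code, not from the post, nginx or calomel.org): a Python checker that parses `openssl ciphers -v` output in the format quoted above and reports, for each suite, why the post's HIGH:!ADH:!MD5 rule would reject it. The sample output mixes four lines from the post with three constructed weak suites.

```python
import re

# `openssl ciphers -v` output in the format the post shows. The first four
# lines are from the post; the last three are constructed suites that
# HIGH:!ADH:!MD5 must exclude (anonymous DH, MD5 MAC, export-grade 40-bit DES).
SAMPLE_OUTPUT = """\
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
"""

# One line: name, protocol, Kx=/Au=/Enc=/Mac= fields and an optional "export" flag.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)(?P<export>\s+export)?\s*$"
)
ENC_RE = re.compile(r"^([^(]+)\((\d+)\)$")  # "AES(256)", "3DES(168)", "DES(40)"

def parse_cipher_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised cipher line: %r" % line)
    c = m.groupdict()
    c["export"] = c["export"] is not None
    enc = ENC_RE.match(c["enc"])  # "Enc=None" (the eNULL suites) has no key size
    c["enc_alg"], c["enc_bits"] = (enc.group(1), int(enc.group(2))) if enc else ("None", 0)
    return c

# The post's rule: no export, anonymous or MD5 suites; nothing below AES-128 / 3DES-168.
CHECKS = [
    (lambda c: c["au"] == "None", "anonymous key exchange (ADH)"),
    (lambda c: c["mac"] == "MD5", "MD5 MAC"),
    (lambda c: c["export"], "export-grade"),
    (lambda c: c["enc_bits"] < 128, "encryption key shorter than 128 bits"),
]

def policy_violations(c):
    """Reasons a parsed suite breaks the rule; an empty list means it is acceptable."""
    return [reason for failed, reason in CHECKS if failed(c)]

def audit(output):
    """Map each suite name in cipher-list output to its violations ([] = acceptable)."""
    return {c["name"]: policy_violations(c)
            for c in map(parse_cipher_line, filter(str.strip, output.splitlines()))}
```

Run it against the live output of `openssl ciphers -v '<your ssl_ciphers string>'` to confirm that the string nginx will hand to OpenSSL really excludes everything the rule names.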