Re: Default SSL protocols

October 06, 2009 03:38PM
According to McAfee Secure, their recommended setting is this:

ssl_ciphers ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP;

I also throw in this:
ssl_protocols SSLv3 TLSv1;

This passes McAfee Secure's validation, which is viewed as highly
respectable by even the most paranoid enterprises.

On Tue, Oct 6, 2009 at 12:09 PM, Calomel Org <faraday@calomel.org> wrote:
> I would vote to only allow the highest and most secure ciphers
> supported by the majority of modern search bots and browsers.
>
>  ssl on;
>  ssl_ciphers HIGH:!ADH:!MD5;
>  ssl_prefer_server_ciphers on;
>  ssl_protocols SSLv3;
>
> Do not allow export controlled, anonymous or MD5 ciphers due to their
> weak encryption. Allow only AES 128 or 256 bit and 3DES 168 bit. 3DES
> is necessary to allow most modern search bots like Google, Yahoo and
> Bing access to the site if needed.
>
> user@machine: openssl ciphers -ssl3 -v 'HIGH:!ADH:!MD5:@STRENGTH'
> DHE-RSA-AES256-SHA   SSLv3 Kx=DH  Au=RSA  Enc=AES(256) Mac=SHA1
> DHE-DSS-AES256-SHA   SSLv3 Kx=DH  Au=DSS  Enc=AES(256) Mac=SHA1
> AES256-SHA           SSLv3 Kx=RSA Au=RSA  Enc=AES(256) Mac=SHA1
> EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH  Au=RSA  Enc=3DES(168) Mac=SHA1
> EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH  Au=DSS  Enc=3DES(168) Mac=SHA1
> DES-CBC3-SHA         SSLv3 Kx=RSA Au=RSA  Enc=3DES(168) Mac=SHA1
> DHE-RSA-AES128-SHA   SSLv3 Kx=DH  Au=RSA  Enc=AES(128) Mac=SHA1
> DHE-DSS-AES128-SHA   SSLv3 Kx=DH  Au=DSS  Enc=AES(128) Mac=SHA1
> AES128-SHA           SSLv3 Kx=RSA Au=RSA  Enc=AES(128) Mac=SHA1
>
>
> My reasoning and detailed explanations can be found at:
>
>  Guide to Webserver SSL Certificates
>  https://calomel.org/ssl_certs.html
>
> --
>   Calomel @ https://calomel.org
>   Open Source Research and Reference
>
>
> On Sun, Oct 04, 2009 at 03:53:11PM -0400, Igor Sysoev wrote:
>> On Sat, Oct 03, 2009 at 11:07:44PM +0100, Matt Goodall wrote:
>>
>>> I just noticed that the SSL module enables SSLv2 by default,
>>> "ssl_protocols SSLv2 SSLv3 TLSv1 " (see
>>> http://wiki.nginx.org/NginxHttpSslModule#ssl_protocols).
>>>
>>> Given that SSLv2 is generally considered "weak" these days
>>> (http://en.wikipedia.org/wiki/Secure_Sockets_Layer#Security) and is
>>> disabled in most modern browsers would it make sense to change the
>>> default to "ssl_protocols SSLv3 TLSv1"?
>>
>> I thought to disable it by default some time ago.
>> I will disable it in the next 0.8.18 version.
>>
>>
>> --
>> Igor Sysoev
>> http://sysoev.ru/en/
>
>
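Both proposals in this thread come down to the same check: run `openssl ciphers -v` on the cipher string and confirm that nothing anonymous, export-grade, SSLv2-only or MD5-based survives. The script below is an added example, not code from the thread or from nginx; it parses that verbose listing (the nine suites Calomel quoted plus four constructed weak lines written in the same format) and flags every suite that violates such a policy, then, if a local `openssl` binary exists, runs the two cipher strings from the thread through the same audit. Two caveats the OpenSSL cipher-list format carries that the thread does not spell out: `!` removes suites permanently, `-` removes them but a later keyword can add them back, and `+` only moves already-selected suites to the end of the list; and `-SSLv2` in `ssl_ciphers` drops SSLv2 cipher suites only, so `ssl_protocols` is still what disables the protocol itself.

```python
"""Audit the cipher suites an OpenSSL cipher string actually enables.

Parses the output of `openssl ciphers -v '<string>'` (the same listing quoted
in the thread) and reports every suite that is anonymous, export-grade,
SSLv2-only, MD5-based or below a minimum symmetric key size.
"""
import re
import shutil
import subprocess

# One verbose line per suite, e.g.
#   DHE-RSA-AES256-SHA   SSLv3 Kx=DH  Au=RSA  Enc=AES(256) Mac=SHA1
# Older OpenSSL builds append the word "export" to export-grade suites.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)(?P<rest>.*)$"
)

# The nine suites quoted in the thread plus four constructed weak lines
# (written in the same verbose format) so the audit has something to flag.
SAMPLE_LISTING = """\
DHE-RSA-AES256-SHA   SSLv3 Kx=DH  Au=RSA  Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA   SSLv3 Kx=DH  Au=DSS  Enc=AES(256) Mac=SHA1
AES256-SHA           SSLv3 Kx=RSA Au=RSA  Enc=AES(256) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH  Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH  Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA         SSLv3 Kx=RSA Au=RSA  Enc=3DES(168) Mac=SHA1
DHE-RSA-AES128-SHA   SSLv3 Kx=DH  Au=RSA  Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA   SSLv3 Kx=DH  Au=DSS  Enc=AES(128) Mac=SHA1
AES128-SHA           SSLv3 Kx=RSA Au=RSA  Enc=AES(128) Mac=SHA1
ADH-AES256-SHA       SSLv3 Kx=DH  Au=None Enc=AES(256) Mac=SHA1
EXP-RC4-MD5          SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
RC4-MD5              SSLv2 Kx=RSA Au=RSA  Enc=RC4(128) Mac=MD5
DES-CBC-SHA          SSLv3 Kx=RSA Au=RSA  Enc=DES(56) Mac=SHA1
"""


def parse_listing(text):
    """Turn a verbose cipher listing into a list of dicts, one per suite."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            suites.append(m.groupdict())
    return suites


def enc_bits(enc):
    """Symmetric key size from a field such as AES(256) or 3DES(168); 0 if absent."""
    m = re.search(r"\((\d+)\)", enc)
    return int(m.group(1)) if m else 0


def audit(suites, min_bits=128):
    """Return [(suite name, [problems])] for every suite violating the policy."""
    findings = []
    for s in suites:
        problems = []
        if s["au"] == "None":
            problems.append("anonymous key exchange (no peer authentication)")
        if s["proto"] == "SSLv2":
            problems.append("SSLv2 suite")
        if s["mac"] == "MD5":
            problems.append("MD5 MAC")
        if s["name"].startswith("EXP") or "export" in s["rest"]:
            problems.append("export-grade cipher")
        if s["enc"] == "None":
            problems.append("no encryption")
        bits = enc_bits(s["enc"])
        if 0 < bits < min_bits:
            problems.append(f"only {bits}-bit encryption")
        if problems:
            findings.append((s["name"], problems))
    return findings


def list_ciphers(cipher_string):
    """Run `openssl ciphers -v`; None if openssl is missing or rejects the string."""
    if shutil.which("openssl") is None:
        return None
    proc = subprocess.run(["openssl", "ciphers", "-v", cipher_string],
                          capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else None


if __name__ == "__main__":
    print("== constructed sample listing ==")
    for name, problems in audit(parse_listing(SAMPLE_LISTING)):
        print(f"{name}: {'; '.join(problems)}")
    # The two cipher strings proposed in the thread, checked against the local OpenSSL.
    for cs in ("HIGH:!ADH:!MD5", "ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP"):
        out = list_ciphers(cs)
        if out is None:
            print(f"== {cs}: openssl not available or string rejected ==")
            continue
        suites = parse_listing(out)
        flagged = audit(suites)
        print(f"== {cs}: {len(suites)} suites, {len(flagged)} flagged ==")
        for name, problems in flagged:
            print(f"{name}: {'; '.join(problems)}")
```

The policy in `audit` is deliberately the one the thread argues for (no anonymous, export, MD5 or SSLv2 suites; at least 128-bit symmetric keys, which still admits 3DES at 168), so the same function works as a regression check whenever the `ssl_ciphers` line is edited: run it against the new string and require an empty result before deploying.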
Subject                        Author          Posted

Default SSL protocols          Matt Goodall    October 03, 2009 06:12PM
Re: Default SSL protocols      Ray             October 04, 2009 07:34AM
Re: Default SSL protocols      Igor Sysoev     October 04, 2009 03:42PM
Re: Default SSL protocols      Calomel Org     October 06, 2009 03:28PM
Re: Default SSL protocols      mike            October 06, 2009 03:38PM