I just noticed that the SSL module enables SSLv2 by default,
"ssl_protocols SSLv2 SSLv3 TLSv1 " (see
http://wiki.nginx.org/NginxHttpSslModule#ssl_protocols).
Given that SSLv2 is generally considered "weak" these days
(http://en.wikipedia.org/wiki/Secure_Sockets_Layer#Security) and is
disabled in most modern browsers would it make sense to change the
default to "ssl_protocols SSLv3 TLSv1"?