Welcome! Log In Create A New Profile

Advanced

Re: SSL default changes?

Previous Message Next Message
Forum List Message List New Topic Print View
Maxim Dounin
March 12, 2013 05:50AM
Hello!

On Mon, Mar 11, 2013 at 12:37:37PM -0700, Grant wrote:

> >> It looks like these changes from default are required for SSL session
> >> resumption and to mitigate the BEAST SSL vulnerability:
> >>
> >> ssl_session_cache shared:SSL:10m;
> >> ssl_ciphers RC4:HIGH:!aNULL:!MD5;
> >> ssl_prefer_server_ciphers on;
> >>
> >> Should the defaults be changed to these?
> >
> > The BEAST attack could be mitigated by various means, including
> > switching to TLS 1.1/1.2 (you probably do not want to due to
> > compatibility reasons) and/or fixing it on a client side (which is
> > considered to be right solution and already implemented by all
> > modern browsers).
> >
> > Use of the RC4 cipher is more a workaround than a permanent
> > solution, and hence there are no plans to make it the default.
>
> OK, why not enable SSL session resumption by default?
>
> ssl_session_cache shared:SSL:10m;

E.g. because it won't work on some platforms.

--
Maxim Dounin
http://nginx.org/en/donation.html

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Reply Quote
RSS
Subject Author Posted

SSL default changes?

Grant March 11, 2013 12:50AM

Re: SSL default changes?

Maxim Dounin March 11, 2013 06:54AM

Re: SSL default changes?

Grant March 11, 2013 03:38PM

Re: SSL default changes?

Maxim Dounin March 12, 2013 05:50AM

Re: SSL default changes?

Grant March 12, 2013 03:00PM

Re: SSL default changes?

Maxim Dounin March 12, 2013 07:02PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 157
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready