Forum List Message List New Topic Print View

nano

January 09, 2014 04:44AM

On 9/01/2014 8:29 PM, Pekka.Panula@sofor.fi wrote:
> Hi
>
> My current values in my nginx configuration for ssl_protocols/ciphers
> what i use is this:
>
> ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
> ssl_ciphers RC4:HIGH:!aNULL:!MD5;
> ssl_prefer_server_ciphers on;
>
> What are todays recommendations for ssl_ciphers option for supporting
> all current OSes and browsers, even Windows XP users with IE?
> Can i disable RC4?
>
> My nginx is compiled with OpenSSL v1.0.1.
>
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>

The current consensus suggests that mitigating RC4 vulnerabilities is
more important than BEAST attack concerns, which are all but mitigated
client-side. If you want to deploy protocols to cater for a wide range
of browsers (including XP IE) implement the following (that will
fall-back to RC4 as a last resort):

ssl_ciphers EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4
EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS
+RC4 RC4

Otherwise, exclude RC4 with the following:

ssl_ciphers EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4
EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4

--
syn.bsdbox.co

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

Reply Quote

RSS

Subject	Author	Posted
SSL ciphers, disable or not to disable RC4?	Anonymous User	January 09, 2014 04:30AM
Re: SSL ciphers, disable or not to disable RC4?	nano	January 09, 2014 04:44AM
Re: SSL ciphers, disable or not to disable RC4?	Jeffrey Walton	January 09, 2014 04:54AM
RE: SSL ciphers, disable or not to disable RC4?	Lukas Tribus	January 09, 2014 04:54AM
Re: SSL ciphers, disable or not to disable RC4?	Jeffrey Walton	January 09, 2014 05:06AM
PHP below server root not served	nano	January 09, 2014 05:26AM
Re: PHP below server root not served	Richard Stanway	January 09, 2014 05:30AM
Re: PHP below server root not served	nano	January 09, 2014 05:34AM
Re: PHP below server root not served	Francis Daly	January 09, 2014 05:56AM
Re: PHP below server root not served	nano	January 09, 2014 06:46AM
Re: PHP below server root not served	nano	January 09, 2014 07:42AM
Re: PHP below server root not served	B.R.	January 09, 2014 08:00AM
Re: PHP below server root not served	nano	January 09, 2014 08:52AM
Re: PHP below server root not served	Francis Daly	January 09, 2014 04:00PM
Re: PHP below server root not served	nano	January 09, 2014 10:08PM
Re: PHP below server root not served	Francis Daly	January 10, 2014 04:38AM
Re: PHP below server root not served	nano	January 10, 2014 06:40AM
Re: PHP below server root not served	Francis Daly	January 10, 2014 10:36AM
Re: PHP below server root not served	nano	January 12, 2014 05:28AM
Re: PHP below server root not served	Francis Daly	January 14, 2014 05:14PM
Re: PHP below server root not served	Valentin V. Bartenev	January 15, 2014 02:20PM
Re: PHP below server root not served	nano	January 10, 2014 04:38AM
Re: PHP below server root not served	nano	January 09, 2014 09:44AM
Re: PHP below server root not served	Jim Ohlstein	January 09, 2014 12:14PM
Re: PHP below server root not served	nano	January 09, 2014 12:30PM
Re: SSL ciphers, disable or not to disable RC4?	Axel	January 12, 2014 12:44PM
Re: SSL ciphers, disable or not to disable RC4?	Darren Pilgrim	January 12, 2014 02:10PM
Re: SSL ciphers, disable or not to disable RC4?	Axel	January 13, 2014 04:02AM

Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 163

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018