Welcome! Log In Create A New Profile

Advanced

[PATCH] Disable Anonymous ECDH ciphersuites by default

Rob Stradling
June 14, 2011 05:02AM
Hi. NGX_DEFAULT_CIPHERS specifies !ADH to exclude the Anonymous DH
ciphersuites. With OpenSSL-0.x, this has the effect of disabling all
ciphersuites that offer no authentication. However, OpenSSL-1.x adds support
for Anonymous ECDH ciphersuites, and these are not disabled by !ADH.

!aNULL is the appropriate cipher string for disabling all anonymous
ciphersuites. [1] observes that anonymous ciphersuites 'are vulnerable to a
"man in the middle'' attack and so their use is normally discouraged.'

Trivial patch attached.

Apache httpd just committed a patch for the same issue [2].

[1] http://www.openssl.org/docs/apps/ciphers.html
[2] https://issues.apache.org/bugzilla/show_bug.cgi?id=51363

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

[PATCH] Disable Anonymous ECDH ciphersuites by default

Rob Stradling 4883 June 14, 2011 05:02AM

Re: [PATCH] Disable Anonymous ECDH ciphersuites by default

António P. P. Almeida 975 June 14, 2011 08:06AM

Re: [PATCH] Disable Anonymous ECDH ciphersuites by default

Rob Stradling 850 June 14, 2011 08:20AM

Re: [PATCH] Disable Anonymous ECDH ciphersuites by default

Maxim Dounin 978 June 14, 2011 04:48PM

Re: [PATCH] Disable Anonymous ECDH ciphersuites by default Attachments

António P. P. Almeida 1383 June 17, 2011 02:46PM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 117
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready