Hi. NGX_DEFAULT_CIPHERS specifies !ADH to exclude the Anonymous DH
ciphersuites. With OpenSSL-0.x, this has the effect of disabling all
ciphersuites that offer no authentication. However, OpenSSL-1.x adds support
for Anonymous ECDH ciphersuites, and these are not disabled by !ADH.
!aNULL is the appropriate cipher string for disabling all anonymous
ciphersuites. [1] observes that anonymous ciphersuites "are vulnerable to a
'man in the middle' attack and so their use is normally discouraged."
Trivial patch attached.
Apache httpd just committed a patch for the same issue [2].
[1] http://www.openssl.org/docs/apps/ciphers.html
[2] https://issues.apache.org/bugzilla/show_bug.cgi?id=51363
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://nginx.org/mailman/listinfo/nginx-devel
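The difference between !ADH and !aNULL is easy to check against whichever OpenSSL a system actually links. The following Python script is an added illustration, not part of the message above or of the nginx patch: it feeds a cipher string to OpenSSL through the standard ssl module, then reads back every suite whose description reports "Au=None" (no peer authentication) and groups those by key exchange ("Kx=DH" for ADH, "Kx=ECDH" for AECDH). With an OpenSSL build that still ships the anonymous suites, "HIGH:!ADH" leaves the ECDH-based ones enabled while "HIGH:!aNULL" leaves none; on a build without them both lists come back empty. The helper names are mine, and the output depends on the OpenSSL version Python was built against.

```python
import ssl


def anonymous_by_kx(cipher_string):
    """Return {key_exchange: [suite names]} for every suite the given OpenSSL
    cipher string enables that offers no peer authentication (Au=None).

    The result reflects the OpenSSL library linked into this Python build.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # set_ciphers() hands the string to SSL_CTX_set_cipher_list and raises
    # ssl.SSLError if nothing at all matches.
    ctx.set_ciphers(cipher_string)

    anonymous = {}
    for cipher in ctx.get_ciphers():
        # "description" is OpenSSL's one-line SSL_CIPHER_description output,
        # e.g. "AECDH-AES256-SHA SSLv3 Kx=ECDH Au=None Enc=AES(256) Mac=SHA1".
        desc = cipher["description"]
        if "Au=None" not in desc:
            continue
        kx = desc.split("Kx=", 1)[1].split()[0]
        anonymous.setdefault(kx, []).append(cipher["name"])
    return anonymous


def still_anonymous_after(cipher_string):
    """True if the cipher string leaves at least one unauthenticated suite."""
    return bool(anonymous_by_kx(cipher_string))


if __name__ == "__main__":
    # Cipher strings chosen for the demonstration; "HIGH" alone includes the
    # anonymous suites, which is why the exclusion matters.
    for spec in ("HIGH", "HIGH:!ADH", "HIGH:!ADH:!AECDH", "HIGH:!aNULL"):
        print("%-20s anonymous suites left: %s" % (spec, anonymous_by_kx(spec)))
```

The same check from a shell, with no Python involved, is `openssl ciphers -v 'HIGH:!ADH' | grep 'Au=None'`: any line that survives is a suite that !ADH did not remove. The key point for a server cipher string is that !aNULL excludes by the authentication property rather than by naming one key-exchange family, so it also covers anonymous suites that did not exist when the string was written.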