Hi Lukas,

On Wed, May 03, 2017 at 08:30:07PM +0200, Lukas Tribus wrote:
> Hello,
>
>
> On 03.05.2017 at 20:05, Aleksandar Lazic wrote:
> > On Wed, 3 May 2017 16:23:52 +0000, Lukas Tribus <[email protected]> wrote:
> >
> > > Currently we unconditionally set SSL_OP_CIPHER_SERVER_PREFERENCE [1],
> > > which may not always be a good thing.
> >
> > I fully agree with you.
> > One of my customers uses nginx and I have activated
> > ssl_prefer_server_ciphers. This was not that good, just because a lot of
> > the clients weren't able to connect.
>
> Well, you hit a client bug here, triggered by a high priority cipher. Like
> Java[6-7] with DHE and >1024 bit DH group or the Safari @OSX 10.8
> ECDHE-ECDSA bug - you can still work around those bugs with the correct
> cipher suite configuration (without disabling ssl_prefer_server_ciphers).
>
> SSL_OP_CIPHER_SERVER_PREFERENCE is not evil. But yeah - we do want to have
> maximal flexibility in every case.
Does this mean that this should also be backported to 1.7 in your opinion?
Maybe even older versions? I'm just waiting for Emeric's approval to merge it.

Thanks,
Willy
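As an added illustration of Lukas's point (this is not code from the thread, from HAProxy or from OpenSSL): a simplified model of the TLS 1.2 selection rule that SSL_OP_CIPHER_SERVER_PREFERENCE toggles, run against constructed cipher lists that mimic a Java 6/7-style client which offers DHE but cannot finish a handshake with a DH group larger than 1024 bits. The suite names, the client's bug set and both server lists are constructed for the example; it shows that reordering the server list avoids the failure without giving up server preference.

```python
# Model of the cipher choice SSL_OP_CIPHER_SERVER_PREFERENCE controls:
# with the option set, the server walks its own ordered list and picks the
# first suite the client also offered; without it, the client's order wins.
# Simplified model with constructed lists, not OpenSSL's or HAProxy's code.

def choose_cipher(client_offered, server_configured, server_preference):
    """Return the negotiated suite, or None when the lists do not intersect."""
    if server_preference:
        preferred, other = server_configured, client_offered
    else:
        preferred, other = client_offered, server_configured
    other_set = set(other)
    for suite in preferred:
        if suite in other_set:
            return suite
    return None

# Constructed client: advertises DHE but, like the Java 6/7 bug mentioned
# in the thread, aborts once the server sends a DH group above 1024 bits.
JAVA7_LIKE_CLIENT = ["ECDHE-RSA-AES128-SHA", "DHE-RSA-AES128-SHA", "AES128-SHA"]
# Suites this client negotiates happily but then fails on (constructed).
BROKEN_FOR_CLIENT = {"DHE-RSA-AES128-SHA", "DHE-RSA-AES256-GCM-SHA384"}

# Constructed server lists: same suites, only the order differs.
SERVER_DHE_FIRST = ["DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES128-SHA",
                    "ECDHE-RSA-AES128-SHA", "AES128-SHA"]
SERVER_ECDHE_FIRST = ["ECDHE-RSA-AES128-SHA", "DHE-RSA-AES256-GCM-SHA384",
                      "DHE-RSA-AES128-SHA", "AES128-SHA"]

def handshake_outcome(client, server, server_preference):
    """Simulate what happens after selection: ok, client aborts, or no match."""
    suite = choose_cipher(client, server, server_preference)
    if suite is None:
        return ("no shared cipher", None)
    if suite in BROKEN_FOR_CLIENT:
        return ("client aborts", suite)
    return ("ok", suite)

if __name__ == "__main__":
    for label, server in (("DHE first", SERVER_DHE_FIRST),
                          ("ECDHE first", SERVER_ECDHE_FIRST)):
        for pref in (True, False):
            print(label, "server preference" if pref else "client preference",
                  handshake_outcome(JAVA7_LIKE_CLIENT, server, pref))
```

With server preference on and DHE listed first the buggy client picks DHE and aborts; moving ECDHE ahead of DHE fixes it while the server still dictates the order.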

