Hi Maxim,

>> This modifies current behaviour, and only allows to use
>> HIGH:!aNULL:!MD5 ciphers by default. Are there any specific
>> reasons to?
>>
>> The "!aNULL" looks especially weird, as we don't check peers'
>> certificates anyway.
>
> (...)
>
> In that case, I'd probably stick with "DEFAULT" (updated patch will
> follow)... Just keep in mind that nginx compiled against OpenSSL-1.0.1
> will be sending a ClientHello that's 316 bytes in size and will have
> issues with broken SSL servers... Whether or not that's something that
> nginx should worry about is another matter, but just to give you
> some perspective, last time I checked it was ~0.15% of servers that
> didn't like big ClientHello messages.

Forgot to mention - "DEFAULT" is the value OpenSSL uses when you don't specify a cipher list yourself (i.e. current behavior) and it's defined as "ALL:!aNULL:!eNULL", which means that "!aNULL" is there already.

Best regards,
Piotr Sikora

_______________________________________________
nginx-devel mailing list
http://mailman.nginx.org/mailman/listinfo/nginx-devel
