Thanks for the quick response again Maxim. You make some excellent points:

1. Best practices for cipher lists change over time.
2. ssl_prefer_server_ciphers is off by default.

For now, how about:

- We use up-to-date values for NGX_DEFAULT_CIPHERS.
- We turn on ssl_prefer_server_ciphers by default; having the server control the negotiation is recommended in every configuration guide.
- We add an up-to-date ssl_ciphers example to the default config file.
- Above the example, we add a comment with the point you've made above:

    # Security note: best practices for ssl_ciphers frequently change over time.
    # Check https://mozilla.github.io/server-side-tls/ssl-config-generator for more recent settings
    # ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA;

This would resolve the SSL Labs and Chrome warnings that currently show up with nginx, but make sure people configuring nginx are aware that they need to keep up to date, and show them where they can get a more recent config. If the user is lazy and doesn't follow SSL happenings, they're still better off out of the box. And actually giving them a URL to check might make them a little more security conscious.

How does that sound?
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
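A way to check a proposed ssl_ciphers value before it goes into a default config, as an added example that is not part of the thread or of nginx itself. It uses Python's ssl module, so the verdict comes from whatever OpenSSL build the host links against, which is exactly the point made in the message: the set of ciphers a string resolves to depends on the library version. The cipher string is the one proposed above; the function and variable names are this example's own. It also demonstrates a caveat OpenSSL's cipher-string syntax has: a name it does not recognise is silently ignored, so a mistyped entry never produces an error unless each explicit name is resolved on its own.

```python
import ssl

# Cipher string proposed in the thread above (copied from the message, with the
# e-mail line wrapping removed).
PROPOSED_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA256:"
    "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA"
)

# Substrings that must not appear in any cipher name the string enables; they
# correspond to the "!..." exclusions in the proposed string. "DES" is handled
# separately below because OpenSSL's "!DES" removes single DES only, not 3DES.
EXCLUDED_MARKERS = ("NULL", "EXPORT", "RC4", "MD5", "PSK", "SRP", "CAMELLIA")


def resolve_ciphers(cipher_string):
    """Return the cipher names OpenSSL enables for cipher_string, or None if
    OpenSSL rejects the string because no cipher could be selected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return None
    return [c["name"] for c in ctx.get_ciphers()]


def excluded_hits(names):
    """Cipher names that contradict the exclusions in the proposed string."""
    hits = []
    for name in names:
        if any(marker in name for marker in EXCLUDED_MARKERS):
            hits.append(name)
        # single DES, but not 3DES (which "!DES" does not remove)
        elif "DES" in name and "DES-CBC3" not in name and "3DES" not in name:
            hits.append(name)
    return hits


def unresolved_names(cipher_string):
    """Explicit cipher names in cipher_string that this OpenSSL build does not
    know. OpenSSL skips unknown names silently, so a typo in ssl_ciphers only
    shows up when each name is resolved on its own."""
    unresolved = []
    for term in cipher_string.split(":"):
        # skip exclusions ("!RC4") and keyword groups such as HIGH
        if term.startswith("!") or "-" not in term:
            continue
        if resolve_ciphers(term) is None:
            unresolved.append(term)
    return unresolved


if __name__ == "__main__":
    enabled = resolve_ciphers(PROPOSED_CIPHERS)
    print("enabled ciphers:", enabled)
    print("contradicting exclusions:", excluded_hits(enabled))
    print("names unknown to this OpenSSL:", unresolved_names(PROPOSED_CIPHERS))
```

Run against the proposed string, the unresolved-name check reports ECDHE-RSA-AES256-SHA384's and DHE-RSA-AES256-SHA256's near-misses (ECDHE-RSA-AES256-SHA256 and DHE-RSA-AES256-SHA384 are not OpenSSL cipher names, so those two entries contribute nothing), which is the kind of silent drift a comment pointing at the Mozilla generator is meant to guard against.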