Hello! On Sun, Mar 10, 2013 at 09:48:47PM -0700, Grant wrote:
> It looks like these changes from default are required for SSL session > resumption and to mitigate the BEAST SSL vulnerability: > > ssl_session_cache shared:SSL:10m; > ssl_ciphers RC4:HIGH:!aNULL:!MD5; > ssl_prefer_server_ciphers on; > > Should the defaults be changed to these? The BEAST attack could be mitigated by various means, including switching to TLS 1.1/1.2 (you probably do not want to due to compatibility reasons) and/or fixing it on a client side (which is considered to be right solution and already implemented by all modern browsers). Use of the RC4 cipher is more a workaround than a permanent solution, and hence there are no plans to make it the default. -- Maxim Dounin http://nginx.org/en/donation.html _______________________________________________ nginx mailing list [email protected] http://mailman.nginx.org/mailman/listinfo/nginx
