Re: [PATCH] update default ssl_ciphers value

2015-08-04 Thread Mike MacCana
Maxim, I apologise if I've offended you or not understood something you wrote. My methodology was as follows:
- Install nginx
- Enable SSL
- Run the SSL Labs scan and a current version of Chrome
- Provide a patch that fixes the errors reported by those tools
Do you believe the provided SSL Lab

Re: [PATCH] update default ssl_ciphers value

2015-08-04 Thread W-Mark Kubacki
Do not specify cipher suites one by one, by name. That's dangerous. OpenSSL knows groups! Examples for groups:
- HIGH
- TLSv1.2
… and matching:
- HIGH+kEECDH
- HIGH+kEECDH:HIGH+kEDH:-3DES
Examining their implementation, and ordering them is the task of security engineers and/or best delegated t
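
The point of the reply above is that a group-based string is only as good as what the installed OpenSSL expands it to, so the string should be checked, not trusted. The script below is an added example, not code from the thread or from nginx. nginx passes the ssl_ciphers value unchanged to OpenSSL, and Python's ssl module wraps the same cipher-string parser, so ssl.SSLContext.set_ciphers() followed by get_ciphers() shows exactly which suites a given string selects on the OpenSSL build Python is linked against. It then flags three things a reviewer looks for: suites without forward secrecy, anonymous (unauthenticated) suites, and suites built on algorithms no server list should offer. Note that the group examples in the reply omit !aNULL; HIGH+kEECDH on its own also matches anonymous ECDH suites such as AECDH-AES256-SHA, which the audit will surface. The three strings audited in main() are the nginx default of the time and the two group strings from the reply; the weak-name fragment list is an assumption of this example.

```python
"""Expand an OpenSSL cipher string and audit what it actually selects.

nginx hands the ssl_ciphers value to OpenSSL unchanged, so the suites a
server offers are whatever the linked OpenSSL derives from the string.
Python's ssl module wraps the same parser, which makes it a convenient
offline way to inspect an expansion.  Added example, not nginx code.
"""
import ssl

# Name fragments identifying suites a server list must never yield
# (3DES, RC4, NULL encryption, export grades, MD5 MACs, anonymous DH/ECDH,
# PSK and SRP).  This list is an assumption of the example.
WEAK_NAME_FRAGMENTS = ("DES", "RC4", "NULL", "EXP", "MD5", "ADH", "AECDH", "PSK", "SRP")

# Key-exchange tags Python reports for the two forward-secret exchanges
# (OpenSSL aliases kEECDH and kEDH respectively).
FORWARD_SECRET_KX = ("kx-ecdhe", "kx-dhe")


def expand_cipher_string(cipher_string):
    """Return, in server preference order, the TLS <= 1.2 suites that the
    linked OpenSSL derives from cipher_string.

    TLS 1.3 suites (OpenSSL >= 1.1.1) are configured by a separate
    mechanism and are not affected by the string, so they are dropped.
    Raises ssl.SSLError if the string selects nothing at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(cipher_string):
    """Expand cipher_string and report the problems a reviewer looks for."""
    suites = expand_cipher_string(cipher_string)
    return {
        "names": [s["name"] for s in suites],
        # static RSA / fixed DH key exchange: no forward secrecy
        "no_forward_secrecy": [s["name"] for s in suites if s["kea"] not in FORWARD_SECRET_KX],
        # Au=None: the server never proves its identity
        "anonymous": [s["name"] for s in suites if s["auth"] == "auth-null"],
        "weak": [s["name"] for s in suites
                 if any(frag in s["name"] for frag in WEAK_NAME_FRAGMENTS)],
    }


def is_acceptable(cipher_string):
    """True when the expansion is non-empty and every suite is forward
    secret, authenticated and free of known-weak algorithms."""
    r = audit(cipher_string)
    return bool(r["names"]) and not (r["no_forward_secrecy"] or r["anonymous"] or r["weak"])


if __name__ == "__main__":
    for s in (
        "HIGH:!aNULL:!MD5",                    # nginx's default at the time of the thread
        "HIGH+kEECDH:HIGH+kEDH:-3DES",         # group-based string from the reply
        "HIGH+kEECDH:HIGH+kEDH:-3DES:!aNULL",  # same, with anonymous suites excluded
    ):
        r = audit(s)
        print(s, "->", len(r["names"]), "suites; acceptable:", is_acceptable(s))
        for key in ("no_forward_secrecy", "anonymous", "weak"):
            if r[key]:
                print("  ", key + ":", ", ".join(r[key]))
```

Two details of the cipher-string grammar matter here: `-3DES` only removes suites matched so far and a later rule could re-add them, whereas `!3DES` removes them permanently, and `HIGH` is a strength class, not a policy, so it says nothing about key exchange or authentication unless combined with `kEECDH`/`kEDH` and `!aNULL` as above.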

Re: [PATCH] update default ssl_ciphers value

2015-08-04 Thread Mike MacCana
> Examining their implementation, and ordering them is the task of security engineers Indeed. The ciphersuite ordering is directly from the Mozilla Server Side TLS project. https://mozilla.github.io/server-side-tls/ssl-config-generator/ My understanding is OpenSSL's inbuilt ciphersuite groups (per

Making external http calls from nginx module

2015-08-04 Thread sunil mallya
Hey folks, Can someone point me to a code snippet on how I could make an HTTP call to an external service within my module? I believe I should be able to reuse some of the code in ngx_proxy but am unclear about the pitfalls. Many thanks, Sunil Mallya @sunilmallya

Re: Making external http calls from nginx module

2015-08-04 Thread Sergey Brester
Hi, You can try to use `ngx_http_subrequest` (I don't know how well it works for something that is not an nginx location (or a named location)). For example, see a module that uses it (e.g. https://github.com/sebres/nginx/blob/hg-mirror/src/http/modules/ngx_http_auth_request_module.c#L189). You can also try to u
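
The pitfall behind the reply above is that `ngx_http_subrequest` does not take an arbitrary URL: the subrequest is routed through the location tree of the same server, exactly like a client request. The way an external service is reached is therefore to give the subrequest a location whose only job is to `proxy_pass` to that service. The configuration below is an added example, not from the thread or nginx's documentation, and uses the built-in `auth_request` directive (the module the reply links to) to show the shape a custom module's subrequest would use; the `/_check` URI and the backend address are illustrative.

```nginx
server {
    listen 80;
    server_name example.com;

    location / {
        # auth_request issues an ngx_http_subrequest to /_check and only
        # lets the client request proceed if it returns 2xx.
        auth_request /_check;
        root /var/www/html;
    }

    # The subrequest target.  'internal' makes nginx answer 404 to any
    # client that asks for /_check directly, so only subrequests reach
    # the external service through this location.
    location = /_check {
        internal;
        proxy_pass http://10.0.0.5:8080/verify;   # external service (illustrative)
        proxy_pass_request_body off;              # subrequest carries no body
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }
}
```

Without `internal`, the check endpoint becomes a public open proxy to the backend, which is the first thing to verify when a module adds a subrequest location of its own.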

Re: [PATCH] update default ssl_ciphers value

2015-08-04 Thread Thomas Ward
This discussion has been done before, elsewhere, and the consensus was to stick with the defaults (for Debian and Ubuntu nginx). Effectively though, I think the point was missed by you, Mike. So let me put in my two cents. If you merely want the summary of all the text below, go to the bottom of

Re: [PATCH] update default ssl_ciphers value

2015-08-04 Thread Mike MacCana
On Tue, Aug 4, 2015 at 4:21 PM, Thomas Ward wrote: > This discussion has been done before, elsewhere, and the consensus was to > stick with the defaults (for Debian and Ubuntu nginx). > Understood. And I appreciate that the same issue coming up repeatedly is annoying. The fastest way to fix it i

Re: [PATCH] update default ssl_ciphers value

2015-08-04 Thread Thomas Ward
You've failed to get my points, apparently. Reminds me of myself three years ago, before getting hacked sobered me up. On 08/04/2015 02:53 PM, Mike MacCana wrote: > On Tue, Aug 4, 2015 at 4:21 PM, Thomas Ward > wrote: > > This discussion has been done before, els

Re: [PATCH] update default ssl_ciphers value

2015-08-04 Thread Mike MacCana
I mentioned in my last email message that I was investigating discrepancies between your results and mine: I've since confirmed I'd used ssl_dhparam from Mozilla's preferred config and not included this in the actual patch. I apologise, Thomas. Thanks for including your own handshake results as it'

Re: [PATCH] update default ssl_ciphers value

2015-08-04 Thread Thomas Ward
> On Aug 4, 2015, at 19:11, Mike MacCana wrote: ... > > Would nginx accept a patch to include dh_params in the example config? I have
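
The discrepancy Mike traced in the messages above comes down to one directive: the DHE suites that a cipher string like `HIGH+kEDH` selects are only as strong as the Diffie-Hellman parameters the server uses for them, and at the time of this thread nginx fell back to built-in 1024-bit parameters when `ssl_dhparam` was unset (since nginx 1.11.0 DHE suites are simply not used without it). The fragment below is an added example, not the patch under discussion or nginx's own example config; the file paths are illustrative and the parameter file is assumed to have been generated beforehand with `openssl dhparam -out /etc/nginx/dhparam.pem 2048`.

```nginx
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/example.com.crt;
    ssl_certificate_key /etc/nginx/example.com.key;

    # Group-based string from the thread, with anonymous suites excluded.
    ssl_ciphers "HIGH+kEECDH:HIGH+kEDH:-3DES:!aNULL";
    # Make the server's order, not the client's, decide the suite.
    ssl_prefer_server_ciphers on;

    # Parameters for the kEDH (DHE-*) suites selected above.  Leaving this
    # out is what made the two SSL Labs results in the thread differ.
    ssl_dhparam /etc/nginx/dhparam.pem;
}
```

If the parameter file cannot be deployed, the alternative that gives the same scan result is to drop `HIGH+kEDH` from the string, so that only ECDHE provides forward secrecy and no DH parameters are needed at all.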

[nginx] Workaround for "configuration file test failed" under Op...

2015-08-04 Thread Maxim Dounin
details: http://hg.nginx.org/nginx/rev/3096ae76ba47
branches:
changeset: 6218:3096ae76ba47
user: Gena Makhomed
date: Thu Jul 23 14:00:03 2015 -0400
description:
Workaround for "configuration file test failed" under OpenVZ.

If nginx was used under OpenVZ and a container with nginx wa

Re: [PATCH] Workaround for "configuration file test failed" under OpenVZ

2015-08-04 Thread Maxim Dounin
Hello! On Mon, Aug 03, 2015 at 12:56:20PM +0300, Gena Makhomed wrote: > On 03.08.2015 12:26, Maxim Dounin wrote: > > >Here is the patch with slightly updated commit log and a comment > >added to the code. Please take a look if it looks fine to you. > > Yes, updated version of patch is more cle