On 29.08.2013 at 21:44, Arnt Gulbrandsen <a...@gulbrandsen.priv.no> wrote:
>>
>> While we are talking about NSA, are you considering implementing
>> Diffie–Hellman key exchange?
>
> I would happily add that. Right now the server uses the openssl default,
> more or less:
>
> SSL_CTX_set_cipher_list( ctx, "HIGH:MEDIUM:!LOW:!EXPORT" );
>
> Do you know how to set a suitable cipher list to prefer cipher suites
> with PFS? Google found http://stackoverflow.com/questions/17308690, but
> the SSLCipherSuite lists on that page look a little too complex for my
> taste. Comments?

In my nginx.conf, I have

ssl_ciphers HIGH:!aNULL:!MD5;

which produces PFS.

Axel
---
PGP-Key:29E99DD6 ☀ +49 151 2300 9283 ☀ computing @ chaos claudius
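
A way to check what a cipher string actually admits, as an added example that is not part of the original thread: it expands the string with the local OpenSSL through Python's ssl module and sorts the suites by key exchange. The function names and the narrower comparison string ECDHE+AESGCM:DHE+AESGCM are assumptions of the example; a suite in the static_rsa bucket gives no forward secrecy if a client negotiates it.

```python
import ssl

# OpenSSL key-exchange labels ("kea" field) that use ephemeral (EC)DH.
EPHEMERAL_KX = {"kx-ecdhe", "kx-dhe", "kx-ecdhe-psk", "kx-dhe-psk"}


def classify(ciphers):
    """Sort get_ciphers()-style dicts into buckets by key exchange."""
    report = {"ephemeral": [], "static_rsa": [], "tls13": [], "other": []}
    for c in ciphers:
        kea = c.get("kea")
        if kea in EPHEMERAL_KX:
            report["ephemeral"].append(c["name"])
        elif kea == "kx-rsa":
            # RSA key transport: a later leak of the server key exposes
            # recorded sessions, so no forward secrecy.
            report["static_rsa"].append(c["name"])
        elif kea == "kx-any":
            # TLS 1.3 suite names carry no key exchange; they are not
            # controlled by the TLS <= 1.2 cipher string.
            report["tls13"].append(c["name"])
        else:
            # e.g. kx-psk, kx-srp: not an (EC)DHE exchange, review by hand.
            report["other"].append(c["name"])
    return report


def audit(cipher_string):
    """Expand an OpenSSL cipher string with the local library and classify it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return classify(ctx.get_ciphers())


if __name__ == "__main__":
    strings = [
        "HIGH:MEDIUM:!LOW:!EXPORT",   # server default quoted in the thread
        "HIGH:!aNULL:!MD5",           # nginx.conf value from the reply
        "ECDHE+AESGCM:DHE+AESGCM",    # constructed comparison string (assumption)
    ]
    for s in strings:
        r = audit(s)
        print(s)
        for bucket, names in r.items():
            print(f"  {bucket:10s} {len(names):3d}  {' '.join(names[:3])}")
```

The suites are listed in the library's preference order, so the position of the first static_rsa entry shows how far down a client has to fall before forward secrecy is lost.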