On Mon, Dec 01, 2014 at 09:27:48PM -0800, Darren Pilgrim wrote: > On 12/1/2014 4:43 PM, Will Yardley wrote: > > Can you use both ssl_protocols *and* ssl_cipher_list in the same config > > (in a way that's sane)? > > > Is there a way to exclude these ciphers, while still keeping my config > > easy to parse and avoiding duplicative or deprecated configs? > > Yes to both. If you need to support older clients: > > ssl_cipher_list = HIGH:!RC4:!MD5:!SRP:!PSK:!aNULL:@STRENGTH > ssl_dh_parameters_length = 2048 > ssl_parameters_regenerate = 0 > ssl_protocols = !SSLv2 !SSLv3 TLSv1 TLSv1.1 TLSv1.2
But why does ssl_protocols behave differently depending on if $ssl_cipher_list is defined? Shouldn't !SSLv2 and !SSLv3 be sufficient? It seems that if ssl_cipher_list is defined, ssl_protocols = !SSLv2 !SSLv3 results in TLS1.2 being the only one active, but if it is defined, 1.0, 1.1, and 1.2 are all active? w
