Loud and clear. I am no expert at OpenSSL cipher suites. I found that resource <https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy> that might prove useful on their own website. At least, that is a start to understand what you are doing...

Thanks!
---
*B. R.*

On Mon, Sep 1, 2014 at 8:07 PM, Maxim Dounin <[email protected]> wrote:

> Hello!
>
> On Mon, Sep 01, 2014 at 04:56:00PM +0200, B.R. wrote:
>
> > Hello,
> >
> > I filed a (now closed, because erroneous) enhancement ticket:
> > http://trac.nginx.org/nginx/ticket/619
> >
> > As it appears, the change I noticed in the SSL test did not result from my
> > malformed ciphers list.
>
> Right about that.
>
> > However, what is intriguing is the answer Maxim gave me on the second part
> > of my proposal: the default activation of ssl_prefer_server_ciphers
> > <http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers>.
> >
> > He said that this option put to on made sense with a custom list but not
> > with the default one.
> >
> > I confirm that the results of my tests changed. It was not because of the
> > ciphers list, but it was due to that other change.
> > Thus, the ciphers used by the emulated clients of the test changed
> > following the activation of that option, allowing me to pass the 'Forward
> > Secrecy' part of the test, resulting in an upgrade of my score from A- to A.
> >
> > I just checked it again, removing my buggy ciphers list and (de)activating
> > the 'prefer' option.
> >
> > If using that option with the default ciphers list was useless, why did
> > that change have an impact on the results of my test?
>
> Switching on or off ssl_prefer_server_ciphers obviously may change
> score as reported by SSL Labs, since it can (and likely will)
> change ciphers negotiated in some cases. But it's usually not
> a good idea to switch it on unless you understand the results and
> have a good reason to do so.
>
> By default, OpenSSL sorts ciphers per symmetric encryption
> strength, and prefers ciphers with forward secrecy if strength is
> identical. As a result you may get better forward secrecy support
> if you'll switch on ssl_prefer_server_ciphers - or not, depending
> on actual ciphers supported by clients. E.g., AES256-SHA will be
> preferred over ECDHE-RSA-AES128-SHA, which is probably not what
> you want.
>
> Another example: DHE-RSA-AES256-SHA256 will be preferred over
> ECDHE-RSA-AES128-SHA256. On the other hand, you probably
> don't want DHE to be used at all for performance reasons.
>
> --
> Maxim Dounin
> http://nginx.org/
>
> _______________________________________________
> nginx mailing list
> [email protected]
> http://mailman.nginx.org/mailman/listinfo/nginx
_______________________________________________ nginx mailing list [email protected] http://mailman.nginx.org/mailman/listinfo/nginx
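An added illustration of the negotiation Maxim describes, not part of this thread or of nginx/OpenSSL code: a small Python model of OpenSSL's default ordering (strongest symmetric cipher first, forward secrecy as a tie-breaker) and of what `ssl_prefer_server_ciphers` changes. The suite names are the ones quoted in the thread; the key-strength table and the `negotiate` function are a simplified, constructed model.

```python
# Constructed model (not OpenSSL's real sort or nginx code) of cipher-suite
# selection, showing why ssl_prefer_server_ciphers on top of the DEFAULT list
# can select a suite without forward secrecy.
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    bits: int             # symmetric key strength (assumed values)
    forward_secret: bool  # ECDHE/DHE key exchange


SUITES = {
    "AES256-SHA": Suite("AES256-SHA", 256, False),
    "ECDHE-RSA-AES128-SHA": Suite("ECDHE-RSA-AES128-SHA", 128, True),
    "DHE-RSA-AES256-SHA256": Suite("DHE-RSA-AES256-SHA256", 256, True),
    "ECDHE-RSA-AES128-SHA256": Suite("ECDHE-RSA-AES128-SHA256", 128, True),
}


def openssl_default_order(names):
    """Model of the default sort: higher strength first, and among equal
    strength the forward-secret suites first (stable for remaining ties)."""
    return sorted(names,
                  key=lambda n: (-SUITES[n].bits, not SUITES[n].forward_secret))


def negotiate(server_list, client_list, prefer_server_ciphers):
    """Pick the first mutually supported suite. With the option off, the
    client's preference order wins; with it on, the server's order wins."""
    preferred, other = ((server_list, client_list) if prefer_server_ciphers
                        else (client_list, server_list))
    for name in preferred:
        if name in other:
            return name
    return None


def is_forward_secret(name):
    return SUITES[name].forward_secret


# Scenario from the thread: a client that prefers ECDHE-RSA-AES128-SHA over
# AES256-SHA, talking to a server running the default (strength-sorted) list.
SERVER_DEFAULT = openssl_default_order(["ECDHE-RSA-AES128-SHA", "AES256-SHA"])
CLIENT_OFFER = ["ECDHE-RSA-AES128-SHA", "AES256-SHA"]

if __name__ == "__main__":
    for prefer in (False, True):
        chosen = negotiate(SERVER_DEFAULT, CLIENT_OFFER, prefer)
        print(f"prefer_server_ciphers={prefer}: {chosen}, "
              f"forward secrecy={is_forward_secret(chosen)}")
```

With a hand-written list that puts ECDHE first (the "custom list" case from the thread), turning the option on is what guarantees the forward-secret suite; with the default list it does the opposite.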
