Mercurial > hg > nginx-site
comparison xml/en/docs/http/configuring_https_servers.xml @ 56:b706454b2ab8
- About RC4-SHA
author | Andrey Alexeev <andrew@nginx.com> |
---|---|
date | Mon, 03 Oct 2011 15:54:53 +0000 |
parents | 9d544687d02c |
children | bd9f103036a0 |
55:8213f3f1c93d | 56:b706454b2ab8 |
---|---|
42 only the certificate is sent to a client. | 42 only the certificate is sent to a client. |
43 </para> | 43 </para> |
44 | 44 |
45 <para> | 45 <para> |
46 The directives <dirname>ssl_protocols</dirname> and | 46 The directives <dirname>ssl_protocols</dirname> and |
47 <dirname>ssl_ciphers</dirname> may be used to limit connections | 47 <dirname>ssl_ciphers</dirname> can be used to limit connections |
48 to strong SSL protocol versions and ciphers. | 48 to include only the strong versions and ciphers of SSL/TLS. |
49 Since version 1.0.5, nginx uses <dirname>ssl_protocols SSLv3 TLSv1</dirname> | 49 Since version 1.0.5, nginx uses <dirname>ssl_protocols SSLv3 TLSv1</dirname> |
50 and <dirname>ssl_ciphers HIGH:!aNULL:!MD5</dirname> by default, | 50 and <dirname>ssl_ciphers HIGH:!aNULL:!MD5</dirname> by default, |
51 so they should only be set for earlier nginx versions. | 51 so configuring them explicitly only makes sense for the earlier nginx versions. |
52 </para> | 52 </para> |
53 | |
54 <para> | |
55 CBC-mode ciphers might be vulnerable to a number of attacks and to | |
56 the BEAST attack in particular (see | |
57 <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389">CVE-2011-3389</a>). | |
58 Configuration of ciphers can be adjusted to prefer RC4-SHA as the following: | |
59 </para> | |
60 | |
61 <programlisting> | |
62 ssl_ciphers RC4:HIGH:!aNULL:!MD5; | |
63 ssl_prefer_server_ciphers on; | |
64 </programlisting> | |
53 | 65 |
54 </section> | 66 </section> |
55 | 67 |
56 | 68 |
57 <section name="optimization" title="HTTPS server optimization"> | 69 <section name="optimization" title="HTTPS server optimization"> |
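Review bot: New line 51 now says that configuring these directives explicitly "only makes sense for the earlier nginx versions", yet the paragraph added at new lines 54-64 recommends an explicit ssl_ciphers setting without any version limit, so the two paragraphs contradict each other. Either reword line 51 to say the defaults are sufficient unless the cipher order has to change, or open the new paragraph by stating that it is an exception to that advice. The prose at line 58 names RC4-SHA, but the listing at line 62 uses the broader string RC4:HIGH:!aNULL:!MD5, which places every RC4 suite left after the exclusions ahead of HIGH, not only that one suite; write RC4-SHA in the listing or say "RC4 ciphers" in the text. The paragraph should also say that ssl_prefer_server_ciphers on is what makes the server-side order take effect, since the listing adds it without explanation. Finally, "as the following" should read "as follows".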