comparison xml/en/docs/http/configuring_https_servers.xml @ 56:b706454b2ab8

- About RC4-SHA
author Andrey Alexeev <andrew@nginx.com>
date Mon, 03 Oct 2011 15:54:53 +0000
parents 9d544687d02c
children bd9f103036a0
comparison
55:8213f3f1c93d 56:b706454b2ab8
42 only the certificate is sent to a client. 42 only the certificate is sent to a client.
43 </para> 43 </para>
44 44
45 <para> 45 <para>
46 The directives <dirname>ssl_protocols</dirname> and 46 The directives <dirname>ssl_protocols</dirname> and
47 <dirname>ssl_ciphers</dirname> may be used to limit connections 47 <dirname>ssl_ciphers</dirname> can be used to limit connections
48 to strong SSL protocol versions and ciphers. 48 to include only the strong versions and ciphers of SSL/TLS.
49 Since version 1.0.5, nginx uses <dirname>ssl_protocols SSLv3 TLSv1</dirname> 49 Since version 1.0.5, nginx uses <dirname>ssl_protocols SSLv3 TLSv1</dirname>
50 and <dirname>ssl_ciphers HIGH:!aNULL:!MD5</dirname> by default, 50 and <dirname>ssl_ciphers HIGH:!aNULL:!MD5</dirname> by default,
51 so they should only be set for earlier nginx versions. 51 so configuring them explicitly only makes sense for the earlier nginx versions.
52 </para> 52 </para>
53
54 <para>
55 CBC-mode ciphers might be vulnerable to a number of attacks and to
56 the BEAST attack in particular (see
57 <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389">CVE-2011-3389</a>).
58 Configuration of ciphers can be adjusted to prefer RC4-SHA as the following:
59 </para>
60
61 <programlisting>
62 ssl_ciphers RC4:HIGH:!aNULL:!MD5;
63 ssl_prefer_server_ciphers on;
64 </programlisting>
53 65
54 </section> 66 </section>
55 67
56 68
57 <section name="optimization" title="HTTPS server optimization"> 69 <section name="optimization" title="HTTPS server optimization">
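Review bot: In the added paragraph (new lines 55-58) the text says the configuration prefers RC4-SHA, but the listing at new line 62 uses the `RC4` keyword in `ssl_ciphers RC4:HIGH:!aNULL:!MD5;`, which puts every RC4 suite not excluded by `!aNULL:!MD5` at the front, not only RC4-SHA. Either say "prefer RC4 ciphers" in the text or name `RC4-SHA` in the list so the prose and the listing agree. The paragraph also comes right after the sentence at new line 51 saying that configuring these directives explicitly only makes sense for the earlier nginx versions, so it should state that this adjustment is an exception that applies to current versions as well. It would help to add one sentence saying that `ssl_prefer_server_ciphers on` is what makes the server's cipher order take precedence over the client's, since the listing depends on it. Wording: "as the following" at new line 58 should read "as follows".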