# HG changeset patch
# User Andrey Alexeev
# Date 1317657293 0
# Node ID b706454b2ab8507ccb2ecd38c7fecb8d2cde8076
# Parent 8213f3f1c93d2de004fdab8490cead5b0f1e4c09
- About RC4-SHA
diff -r 8213f3f1c93d -r b706454b2ab8 xml/en/docs/http/configuring_https_servers.xml
--- a/xml/en/docs/http/configuring_https_servers.xml Mon Oct 03 12:07:55 2011 +0000
+++ b/xml/en/docs/http/configuring_https_servers.xml Mon Oct 03 15:54:53 2011 +0000
@@ -44,13 +44,25 @@
 The directives ssl_protocols and
-ssl_ciphers may be used to limit connections
-to strong SSL protocol versions and ciphers.
+ssl_ciphers can be used to limit connections
+to include only the strong versions and ciphers of SSL/TLS.
 Since version 1.0.5, nginx uses ssl_protocols SSLv3 TLSv1 and ssl_ciphers HIGH:!aNULL:!MD5 by default,
-so they should only be set for earlier nginx versions.
+so configuring them explicitly only makes sense for the earlier nginx versions.
+
+CBC-mode ciphers might be vulnerable to a number of attacks and to
+the BEAST attack in particular (see
+CVE-2011-3389).
+Configuration of ciphers can be adjusted to prefer RC4-SHA as the following:
+
+
+
+ ssl_ciphers RC4:HIGH:!aNULL:!MD5;
+ ssl_prefer_server_ciphers on;
+
+