changeset 56:b706454b2ab8

- About RC4-SHA
author Andrey Alexeev <andrew@nginx.com>
date Mon, 03 Oct 2011 15:54:53 +0000
parents 8213f3f1c93d
children 12f1de4539b4
files xml/en/docs/http/configuring_https_servers.xml
diffstat 1 files changed, 15 insertions(+), 3 deletions(-)
--- a/xml/en/docs/http/configuring_https_servers.xml	Mon Oct 03 12:07:55 2011 +0000
+++ b/xml/en/docs/http/configuring_https_servers.xml	Mon Oct 03 15:54:53 2011 +0000
@@ -44,13 +44,25 @@
 
 <para>
 The directives <dirname>ssl_protocols</dirname> and
-<dirname>ssl_ciphers</dirname> may be used to limit connections
-to strong SSL protocol versions and ciphers.
+<dirname>ssl_ciphers</dirname> can be used to limit connections
+to include only the strong versions and ciphers of SSL/TLS.
 Since version 1.0.5, nginx uses <dirname>ssl_protocols SSLv3 TLSv1</dirname>
 and <dirname>ssl_ciphers HIGH:!aNULL:!MD5</dirname> by default,
-so they should only be set for earlier nginx versions.
+so configuring them explicitly only makes sense for the earlier nginx versions.
 </para>
 
+<para>
+CBC-mode ciphers might be vulnerable to a number of attacks and to
+the BEAST attack in particular (see 
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389">CVE-2011-3389</a>).
+Configuration of ciphers can be adjusted to prefer RC4-SHA as the following:
+</para>
+
+<programlisting>
+    ssl_ciphers RC4:HIGH:!aNULL:!MD5;
+    ssl_prefer_server_ciphers on;
+</programlisting>
+
 </section>
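Review bot: The added paragraph says the configuration prefers RC4-SHA, but the listing puts the whole RC4 class first ("ssl_ciphers RC4:HIGH:!aNULL:!MD5;"); either name the class in the prose or write the specific suite in the listing so the two agree. The paragraph also does not say what "ssl_prefer_server_ciphers on;" contributes, so add a sentence explaining why it accompanies the cipher list. The reworded sentence in the first paragraph ("configuring them explicitly only makes sense for the earlier nginx versions") now sits directly before a recommendation to set ssl_ciphers explicitly, which reads as a contradiction; consider scoping that sentence to the defaults. Minor: "as the following:" should read "as follows:", and the added line ending in "(see " carries trailing whitespace.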