chr4 / nginx.vim

Improved nginx vim plugin (incl. syntax highlighting)

`ssl_prefer_server_ciphers off` is recommended by Mozilla #13

Closed Ma124 closed 4 years ago

Ma124 commented 4 years ago

The plugin marks ssl_prefer_server_ciphers off as insecure even though Mozilla recommends it nowadays. See: https://github.com/mozilla/server-side-tls/issues/260

Thank you very much for this project.

chr4 commented 4 years ago

Thanks for your feedback!

As the ticket you're linking describes: The option is only considered secure if all ciphers are considered secure. I'm not so sure here (especially < TLSv1.3). There're ciphers still considered weak, also according to ssl-enum-ciphers and ssllabs.com.

Furthermore, this plugin is not intelligent enough to judge safe usage of potentially unsafe options. So there's no way to know that you've not configured insecure ciphers. The same is true for other options like e.g. gzip. It might be prone to POODLE/CRIME and others, but if you configure your services in a decent way, it's not necessarily an issue.

I think it's a good idea to make people think when using a potentially insecure option, so they are assisted in making a conscious decision. If people google the option and find out that with their config all is well - then that's perfect. But at least they were made aware that the option might potentially be insecure.

Hope this answers the question? Will close this, but feel free to follow up if something remains unclear.

Thanks again!
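The point chr4 makes above is that `ssl_prefer_server_ciphers off` is only fine when every suite in `ssl_ciphers` is one you would accept the client choosing. The following is an added example, not part of this issue and not the nginx.vim plugin's own code: a small Python check that parses one-line nginx directives and flags the `off` setting only when the cipher list still carries obsolete suites (or when no list is configured at all). The two server blocks and the list of weak-cipher markers are constructed for the example; the marker list is a heuristic, not a full OpenSSL cipher-string evaluator.

```python
import re
from typing import List, Tuple

# Constructed sample nginx server blocks (not from the issue). The first one
# turns ssl_prefer_server_ciphers off while still offering obsolete suites;
# the second turns it off with a modern-only list, which is the situation the
# Mozilla guidance has in mind.
MIXED_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA:RC4-SHA;
}
"""

MODERN_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305;
}
"""

# Substrings of OpenSSL cipher names that mark suites widely rated weak or
# obsolete: RC4, single/triple DES, NULL encryption or authentication,
# export-grade suites, MD5 MACs, anonymous DH/ECDH. Heuristic marker list.
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ADH", "AECDH")

# One directive per line, terminated by ';'. Block openers ('server {') and
# comments are skipped; nested blocks are flattened, last occurrence wins.
DIRECTIVE_RE = re.compile(r"^\s*([a-z_]+)\s+([^;#\n]+?)\s*;", re.MULTILINE)


def parse_directives(config: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs for simple one-line directives, in order."""
    return [(m.group(1), m.group(2)) for m in DIRECTIVE_RE.finditer(config)]


def weak_ciphers(cipher_spec: str) -> List[str]:
    """Return the entries of an OpenSSL-style cipher list that carry a weak marker."""
    entries = [e for e in re.split(r"[:, ]+", cipher_spec) if e]
    return [e for e in entries if any(m in e.upper() for m in WEAK_MARKERS)]


def check_config(config: str) -> List[Tuple[str, str]]:
    """Mirror the plugin's concern: flag ssl_prefer_server_ciphers off unless
    the configured cipher list looks clean. Returns (level, message) findings."""
    directives = dict(parse_directives(config))
    findings: List[Tuple[str, str]] = []
    # nginx defaults ssl_prefer_server_ciphers to off when it is not set.
    prefer = directives.get("ssl_prefer_server_ciphers", "off").lower()
    ciphers = directives.get("ssl_ciphers")

    if prefer != "off":
        findings.append(("INFO", "ssl_prefer_server_ciphers on; server order decides"))
        return findings

    if ciphers is None:
        findings.append(("WARN", "ssl_prefer_server_ciphers off without an explicit "
                                 "ssl_ciphers list; the library default decides and "
                                 "cannot be vetted here"))
        return findings

    weak = weak_ciphers(ciphers)
    if weak:
        findings.append(("WARN", "ssl_prefer_server_ciphers off lets the client choose, "
                                 "and the list still offers weak suites: " + ", ".join(weak)))
    else:
        findings.append(("OK", "ssl_prefer_server_ciphers off with a clean cipher list; "
                               "client preference is acceptable here"))
    # Note: ssl_ciphers governs TLS 1.2 and older; TLS 1.3 suites are fixed by
    # the TLS library, which is why the issue distinguishes < TLSv1.3.
    return findings


if __name__ == "__main__":
    for name, cfg in (("mixed", MIXED_CONFIG), ("modern", MODERN_CONFIG)):
        for level, msg in check_config(cfg):
            print(f"{name}: {level}: {msg}")
```

Running it reports a WARN for the mixed block (naming `DES-CBC3-SHA` and `RC4-SHA`) and OK for the modern-only block, which is exactly the distinction the plugin cannot make on its own: it sees the directive, not the cipher list it is paired with.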