h5bp / server-configs-nginx

Nginx HTTP server boilerplate configs
MIT License

Set `ssl_prefer_server_ciphers` to `off` #328

Closed avj closed 1 year ago

avj commented 1 year ago

Per discussion here: https://github.com/h5bp/server-configs-nginx/issues/325

emansom commented 1 year ago

@LeoColomb Can this be reverted? This will introduce downgrade attack potential.

There's an alternative and better way to configure OpenSSL to read the client's intent on using hardware accelerated paths, it needs some system-wide configuration (via NGINX's ssl_conf_command directive) of the OpenSSL library used by NGINX.

I'll dig through my systems today to find the specific configuration tweaks needed.

quantumpacket commented 1 year ago

This comment explains the reasoning for turning it to "off" for modern browsers. https://github.com/mozilla/server-side-tls/issues/260#issuecomment-507392266

LeoColomb commented 1 year ago

Thanks for your comments. @emansom This PR is also the outcome of #325 discussion. Don't hesitate to continue the discussion there 🙂
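For reference, the two settings under discussion in an nginx `server` block. This is an added illustration, not the repository's shipped config and not the tweak @emansom refers to; the `ssl_conf_command` line uses OpenSSL's documented `PrioritizeChaCha` option as one example of passing a setting through to the library, and the certificate paths are placeholders.

```nginx
server {
    listen 443 ssl;
    server_name example.invalid;   # placeholder hostname

    ssl_certificate     /etc/nginx/certs/placeholder.crt;  # placeholder path
    ssl_certificate_key /etc/nginx/certs/placeholder.key;  # placeholder path

    ssl_protocols TLSv1.2 TLSv1.3;

    # Setting changed by this PR: with "off", the client's cipher order wins;
    # with "on", the server's ssl_ciphers order is imposed on the client.
    ssl_prefer_server_ciphers off;

    # Alternative discussed in the thread: keep server ordering but let
    # OpenSSL honour a client that lists ChaCha20 first (typically a device
    # without AES hardware acceleration). Requires OpenSSL 1.0.2+ and
    # only has an effect together with "ssl_prefer_server_ciphers on".
    # ssl_prefer_server_ciphers on;
    # ssl_conf_command Options PrioritizeChaCha;
}
```

With the config in place, `nginx -t` checks that the directives parse, and the negotiated cipher for a given client can be inspected with `openssl s_client -connect host:443 -cipher <list>` against a test instance to confirm which side's preference is being applied.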