Am 02.12.2014 um 06:44 schrieb Will Yardley:
On Mon, Dec 01, 2014 at 09:27:48PM -0800, Darren Pilgrim wrote:
On 12/1/2014 4:43 PM, Will Yardley wrote:
Can you use both ssl_protocols *and* ssl_cipher_list in the same config (in a way that's sane)?
Is there a way to exclude these ciphers, while still keeping my config easy to parse and avoiding duplicative or deprecated configs?
Yes to both. If you need to support older clients:
ssl_cipher_list = HIGH:!RC4:!MD5:!SRP:!PSK:!aNULL:@STRENGTH ssl_dh_parameters_length = 2048 ssl_parameters_regenerate = 0 ssl_protocols = !SSLv2 !SSLv3 TLSv1 TLSv1.1 TLSv1.2
But why does ssl_protocols behave differently depending on if $ssl_cipher_list is defined? Shouldn't !SSLv2 and !SSLv3 be sufficient?
It seems that if ssl_cipher_list is defined, ssl_protocols = !SSLv2 !SSLv3
results in TLS1.2 being the only one active, but if it is defined, 1.0, 1.1, and 1.2 are all active?
ssl_protocols = !SSLv2 !SSLv3
and you are fine, aynthing else is nonsense because when TLSv1.3 will be released you go to each and every server to add it to the config? likely not!