Changes between Version 2 and Version 3 of Ticket #1529, comment 14


Ignore:
Timestamp:
12/30/18 00:34:15 (5 years ago)
Author:
Laurence 'GreenReaper' Parry

Legend:

Unmodified
Added
Removed
Modified
  • Ticket #1529, comment 14

    v2 v3  
    11While I sympathize with the desire not to implement an interface which may be superseded, this should be documented for [http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers ssl_ciphers] (and the helpful workaround above noted) so that people don't tear their hair out wondering why their cipher list - accepted without complaint - doesn't work. It currently implies that the output of `openssl ciphers` can be used in full, which now includes `TLS_*` suites.
    22
    3 In my case I wished to prioritize 128-bit AES over 256-bit AES and CHACHA20, so I used:
    4 `Ciphersuites = TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256`
     3I wished to prioritize 128-bit AES over 256-bit AES and CHACHA20 (except on mobile), so I used:
     4{{{
     5 Ciphersuites = TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_128_CCM_8_SHA256
     6 Options = ServerPreference,PrioritizeChaCha
     7}}}
    58
    69It might be useful to set a nginx-specific OpenSSL config file (this was useful for ensuring that TLS 1.2 with compression was used for PostgreSQL, not TLS 1.3), but that is beyond the scope of this ticket.