#464 closed defect (invalid)
ngx_http_ssl_module and ssl_ciphers (use of RC4)
| Reported by: | Jeffrey Walton | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | nginx-core | Version: | |
| Keywords: | openssl rc4 ssl tls | Cc: | |
| uname -a: |
$ uname -a
Darwin riemann.home.pvt 12.5.0 Darwin Kernel Version 12.5.0: Sun Sep 29 13:33:47 PDT 2013; root:xnu-2050.48.12~1/RELEASE_X86_64 x86_64 |
||
| nginx -V: |
$ objs/nginx -V
nginx version: nginx/1.4.4 configure arguments: |
||
Description
From http://nginx.org/en/docs/http/ngx_http_ssl_module.html:
Specifies the enabled ciphers. The ciphers are specified in the format understood
by the OpenSSL library, for example:
ssl_ciphers ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
The full list can be viewed using the “openssl ciphers” command.
RC4 is not really suitable for use in SSL/TLS. From AlFardan, Bernstein (et al), "On the Security of RC4 in TLS and WPA":
... While the RC4 algorithm is known to have a
variety of cryptographic weaknesses (see [26]
for an excellent survey), it has not been previously
explored how these weaknesses can be exploited
in the context of TLS. Here we show that new and
recently discovered biases in the RC4 keystream
do create serious vulnerabilities in TLS when using
RC4 as its encryption algorithm.
Change History (2)
comment:1 by , 10 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
comment:2 by , 10 years ago
Documentation doesn't try to suggest any settings
That's not how it works in real life.
Note:
See TracTickets
for help on using tickets.
Documentation doesn't try to suggest any settings, it just shows how to use the directive.