Opened 11 years ago

Closed 11 years ago

Last modified 11 years ago

#464 closed defect (invalid)

ngx_http_ssl_module and ssl_ciphers (use of RC4)

Reported by: Jeffrey Walton
Owned by:
Priority: major
Milestone:
Component: nginx-core
Version:
Keywords: openssl rc4 ssl tls
Cc:

uname -a:

    $ uname -a
    Darwin riemann.home.pvt 12.5.0 Darwin Kernel Version 12.5.0: Sun Sep 29 13:33:47 PDT 2013; root:xnu-2050.48.12~1/RELEASE_X86_64 x86_64

nginx -V:

    $ objs/nginx -V
    nginx version: nginx/1.4.4
    configure arguments:

Description

From http://nginx.org/en/docs/http/ngx_http_ssl_module.html:

Specifies the enabled ciphers. The ciphers are specified in the format understood
by the OpenSSL library, for example:

    ssl_ciphers ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;

The full list can be viewed using the “openssl ciphers” command.

RC4 is not really suitable for use in SSL/TLS. From AlFardan, Bernstein, et al., "On the Security of RC4 in TLS and WPA":

    ... While the RC4 algorithm is known to have a
    variety of cryptographic weaknesses (see [26]
    for an excellent survey), it has not been previously
    explored how these weaknesses can be exploited
    in the context of TLS. Here we show that new and
    recently discovered biases in the RC4 keystream
    do create serious vulnerabilities in TLS when using
    RC4 as its encryption algorithm.
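One way to check what a given ssl_ciphers string actually enables, as an added example that is not part of the ticket or of nginx: it parses `openssl ciphers -v` output (a constructed sample is embedded so the parsing functions run offline) and reports the suites whose bulk cipher is RC4. The documented string from the ticket and a variant with `:!RC4` appended are the assumed inputs for the live check.

```python
"""Flag RC4 cipher suites in an OpenSSL cipher-list expansion.

Parses `openssl ciphers -v` lines of the form:
  RC4-SHA  SSLv3 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=SHA1
"""
import subprocess

# Constructed sample of `openssl ciphers -v` output (not captured from a real host).
SAMPLE_OUTPUT = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-RC4-SHA       SSLv3 Kx=ECDH     Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
"""

def parse_ciphers(output):
    """Return (suite name, bulk cipher) pairs from `openssl ciphers -v` text."""
    suites = []
    for line in output.splitlines():
        fields = line.split()
        if not fields:
            continue
        enc = next((f[4:] for f in fields if f.startswith("Enc=")), "")
        suites.append((fields[0], enc))
    return suites

def rc4_suites(output):
    """Names of the suites whose bulk cipher is RC4."""
    return [name for name, enc in parse_ciphers(output) if enc.startswith("RC4")]

def expand(cipher_string):
    """Expand a cipher string with the local OpenSSL binary (must be on PATH)."""
    return subprocess.run(["openssl", "ciphers", "-v", cipher_string],
                          capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    # The string from the nginx documentation quoted in the ticket, and the same
    # string with RC4 excluded. Output depends on the installed OpenSSL version.
    DOCUMENTED = "ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
    HARDENED = DOCUMENTED + ":!RC4"
    for label, spec in (("documented", DOCUMENTED), ("hardened", HARDENED)):
        try:
            found = rc4_suites(expand(spec))
        except (OSError, subprocess.CalledProcessError) as err:
            print(f"{label}: could not run openssl ({err})")
            continue
        print(f"{label}: {len(found)} RC4 suite(s) enabled {found}")
```

Running the script against the two strings shows the documented one listing RC4 suites and the `!RC4` variant listing none, which is the check an operator would want before copying the documentation example.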

Change History (2)

comment:1 by Maxim Dounin, 11 years ago

Resolution: invalid
Status: new → closed

Documentation doesn't try to suggest any settings, it just shows how to use the directive.

comment:2 by Jeffrey Walton, 11 years ago

    Documentation doesn't try to suggest any settings

That's not how it works in real life.
