id,summary,reporter,owner,description,type,status,priority,milestone,component,version,resolution,keywords,cc,uname,nginx_version
719,Nginx should maintain a better default cipher suite,Alex Gaynor,,"Nginx's current default is: `""HIGH:!aNULL:!MD5""`

The problem with this is that the way OpenSSL defines ""HIGH"" gives a list of cipher suites in a poor order, resulting in suboptimal cipher suites for many common browsers. The result of this is that many individuals pass around their own versions of the `ssl_ciphers` directive. As things change, these have the potential to go out of date.

I propose giving nginx a slightly more explicit cipher suite list: `ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS`

The string is from https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/, which describes the full methodology, but in general:

* ECDH is preferred
* AESGCM suites are preferred
* 3DES is used as a fallback for really old browsers

A simple patch to implement this is attached.",enhancement,closed,minor,,nginx-core,1.7.x,wontfix,,,,n/a