Changes between Version 2 and Version 3 of Ticket #1529, comment 14
- Timestamp: 12/30/18 00:34:15 (6 years ago)
Ticket #1529, comment 14
v2 v3 1 1 While I sympathize with the desire not to implement an interface which may be superseded, this should be documented for [http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers ssl_ciphers] (and the helpful workaround above noted) so that people don't tear their hair out wondering why their cipher list - accepted without complaint - doesn't work. It currently implies that the output of `openssl ciphers` can be used in full, which now includes `TLS_*` suites. 2 2 3 In my case I wished to prioritize 128-bit AES over 256-bit AES and CHACHA20, so I used: 4 `Ciphersuites = TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256` 3 I wished to prioritize 128-bit AES over 256-bit AES and CHACHA20 (except on mobile), so I used: 4 {{{ 5 Ciphersuites = TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_128_CCM_8_SHA256 6 Options = ServerPreference,PrioritizeChaCha 7 }}} 5 8 6 9 It might be useful to set a nginx-specific OpenSSL config file (this was useful for ensuring that TLS 1.2 with compression was used for PostgreSQL, not TLS 1.3), but that is beyond the scope of this ticket.
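Review bot: The v3 `Ciphersuites` line appends `TLS_AES_128_CCM_SHA256` and `TLS_AES_128_CCM_8_SHA256`, but the sentence introducing it still only mentions ordering 128-bit AES, 256-bit AES and CHACHA20, so a reader cannot tell why the CCM suites were added. `TLS_AES_128_CCM_8_SHA256` uses a truncated 8-byte authentication tag; either drop it from the example or state the reason for enabling it. The new "(except on mobile)" also depends on the added `Options = ServerPreference,PrioritizeChaCha` line without saying so; one sentence noting that `PrioritizeChaCha` lets a client that lists ChaCha20 first still get it despite `ServerPreference` would make the example self-explanatory.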