nginx cipher list vulnerable to BEAST? #12

Open
doherty opened this issue Feb 16, 2013 · 2 comments

doherty commented Feb 16, 2013

When I used the ciphers listed in the nginx example, and ran the Qualys SSL server test, I was informed that it was vulnerable to BEAST.

I've used ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH instead.

ioerror (Owner) commented Feb 17, 2013

Submit a pull request with your diff?

It would also be useful to see two server reports - one for each config.

Ultimately, most browsers have implemented a fix for BEAST - so short of GCM, I think only using RC4 is going to be the surefire thing to stop those kinds of reports. I'm not actually sure I trust RC4 over AES but it sure has been a bad year for CBC!
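
Added example (not part of the thread or of the project's code): a Python check of which suite a TLS 1.0 handshake lands on for the cipher order discussed above, and whether that suite is CBC. The rows are a constructed subset in the column layout of `openssl ciphers -v`, `CBC_FIRST` is a hypothetical contrast list, and the selection logic assumes the server's order is enforced (nginx `ssl_prefer_server_ciphers on`) and that the client offers every suite.

```python
import re

# Constructed rows in the column layout of `openssl ciphers -v`, in the group
# order of the cipher string from this issue (not captured output).
ISSUE_ORDER = """\
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128)    Mac=SHA256
AES128-GCM-SHA256       TLSv1.2 Kx=RSA  Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-RC4-SHA       SSLv3   Kx=ECDH Au=RSA Enc=RC4(128)    Mac=SHA1
RC4-SHA                 SSLv3   Kx=RSA  Au=RSA Enc=RC4(128)    Mac=SHA1
AES256-SHA              SSLv3   Kx=RSA  Au=RSA Enc=AES(256)    Mac=SHA1
"""
# Constructed contrast list that ranks a CBC suite first (hypothetical).
CBC_FIRST = """\
AES256-SHA              SSLv3   Kx=RSA  Au=RSA Enc=AES(256)    Mac=SHA1
RC4-SHA                 SSLv3   Kx=RSA  Au=RSA Enc=RC4(128)    Mac=SHA1
"""
RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3}

def parse(text):
    """Return (name, minimum protocol, mode) per row; mode is cbc/stream/aead."""
    suites = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # skip blank or malformed rows
        enc = dict(f.split("=", 1) for f in fields[2:])["Enc"]
        if enc.startswith("RC4"):
            mode = "stream"
        elif re.search(r"GCM|CCM|CHACHA20", enc):
            mode = "aead"
        else:
            mode = "cbc"  # the remaining block ciphers in these rows run in CBC mode
        suites.append((fields[0], fields[1], mode))
    return suites

def selected(suites, client_max):
    """First suite usable at client_max, assuming server order is enforced."""
    for name, proto, mode in suites:
        if RANK[proto] <= RANK[client_max]:
            return name, mode
    return None

def beast_relevant(suites, client_max="TLSv1"):
    """True when an SSLv3/TLS 1.0 handshake would land on a CBC suite."""
    pick = selected(suites, client_max)
    return pick is not None and pick[1] == "cbc" and RANK[client_max] <= RANK["TLSv1"]

def cbc_fallbacks(suites, client_max="TLSv1"):
    """CBC suites still negotiable at client_max if the client's order wins."""
    return [n for n, p, m in suites if m == "cbc" and RANK[p] <= RANK[client_max]]
```

`cbc_fallbacks` lists the CBC suites that the `HIGH` tail still leaves reachable at TLS 1.0 when server preference is not enforced.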

doherty (Author) commented Feb 21, 2013

See #13.
