Suggested improvement to ssl ciphers


#1

Using the default list of ciphers EE implemented in the /etc/nginx/nginx.conf file, I was unable to utilise HTTP/2 (which is also on by default in EE), as Chrome would spit out the ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY error.

Running an SSL test, I was only getting a B rating, with issues caused by blacklisted ciphers being used.

I updated the cipher list to what I normally use (on servers I set up myself, as opposed to using EE), and the rating is now the expected A+, and the HTTP/2 related SPDY error was resolved. I would suggest using the following for the default list of ciphers in EE, or at the very least ensuring it has no blacklisted ciphers in it:

ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
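The reason the new list clears the Chrome error is the ordering: with server-side cipher preference, the first suite both sides support wins, and RFC 7540 section 9.2.2 requires that suite to use an ephemeral key exchange (DHE/ECDHE) and an AEAD cipher (AES-GCM, ChaCha20-Poly1305); every TLS 1.2 suite that fails that test is on the Appendix A blacklist. The script below is an added example, not code from the post or from EasyEngine. It parses an OpenSSL-style cipher string offline and flags the suites that would trip the HTTP/2 check. The heuristic is an assumption: aliases such as `HIGH`, `AES`, `CAMELLIA` or `kEDH+AESGCM` need libssl to expand, so they are reported as unexpanded rather than classified, and `LEGACY_EXAMPLE` is a constructed list, not EE's old default.

```python
"""Offline audit of an nginx ssl_ciphers string against HTTP/2's TLS requirements.

Added example. Heuristic (an assumption): a suite is HTTP/2-acceptable when its
OpenSSL name shows an ephemeral key exchange (ECDHE-/DHE-/EDH-) and an AEAD
cipher (GCM, CHACHA20, CCM). Static-RSA and CBC suites are what trigger Chrome's
ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY when negotiated.
"""
import re

# Cipher string proposed in post #1 above (copied from the thread).
PROPOSED = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:"
    "!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
)

# Constructed example of a legacy-style list that leads with a static-RSA CBC
# suite; with server preference on, AES256-SHA would be negotiated first.
LEGACY_EXAMPLE = "AES256-SHA:AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!MD5"

AEAD = re.compile(r"(GCM|CHACHA20|CCM)")
EPHEMERAL = re.compile(r"^(ECDHE|DHE|EDH)-")
NGINX_DIRECTIVE = re.compile(r"ssl_ciphers\s+['\"]?([^'\";]+)")


def extract_from_nginx(line):
    """Pull the cipher string out of an `ssl_ciphers '...';` directive line."""
    match = NGINX_DIRECTIVE.search(line)
    return match.group(1).strip() if match else None


def parse_cipher_string(spec):
    """Split an OpenSSL cipher string into concrete suites (preference order),
    tokens that cannot be expanded offline (aliases, k+a combos, -/+ modifiers),
    and permanent '!' exclusions."""
    suites, unexpanded, excluded = [], [], []
    for token in re.split(r"[:, ]+", spec.strip()):
        if not token:
            continue
        if token.startswith("!"):
            excluded.append(token[1:])
        elif token[0] in "-+" or "+" in token or "-" not in token:
            unexpanded.append(token)   # HIGH, AES, kEDH+AESGCM, -SHA1 ... need libssl
        else:
            suites.append(token)
    return suites, unexpanded, excluded


def h2_acceptable(suite):
    """True when the suite satisfies RFC 7540 9.2.2: ephemeral key exchange + AEAD."""
    if suite.startswith("TLS_"):
        return True   # TLS 1.3 suites are all AEAD with ephemeral key exchange
    return bool(EPHEMERAL.match(suite)) and bool(AEAD.search(suite))


def audit(spec):
    """Report the first-preference suite, whether it is HTTP/2-safe, and every
    concrete suite in the list that is on the HTTP/2 blacklist."""
    suites, unexpanded, _ = parse_cipher_string(spec)
    first = suites[0] if suites else None
    return {
        "first": first,
        "first_ok": h2_acceptable(first) if first else None,
        "blacklisted": [s for s in suites if not h2_acceptable(s)],
        "unexpanded": unexpanded,
    }


if __name__ == "__main__":
    for label, spec in (("proposed", PROPOSED), ("legacy example", LEGACY_EXAMPLE)):
        report = audit(spec)
        print(f"{label}: first={report['first']} h2_ok={report['first_ok']} "
              f"blacklisted={len(report['blacklisted'])} unexpanded={report['unexpanded']}")
```

Run it against the cipher line from `/etc/nginx/nginx.conf` (via `extract_from_nginx`) before and after an edit: the proposed list leads with ECDHE+AES-GCM, so an HTTP/2 client lands on an acceptable suite, but 21 of its 27 concrete suites remain blacklisted and stay reachable by clients that offer nothing better. `openssl ciphers -v '<string>'` will expand the aliases this script leaves as unexpanded.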


#2

Thank you very much for this post, this just solved 2 hours wasted trying to understand ■■■ is going on.


#3

Hello,

I have already opened a pull request to fix this issue and to remove the old nginx cipher suite, it should be merged soon: