2013-10-15, Piotr Sikora, quoting Julien Vehent:
>
> ssl_ciphers
> 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDH
On 15/10/13 23:00, Piotr Sikora wrote:
> > Because someone else might use DSA certificates.
> It's ECDSA, not DSA... And I'm yet to see a site that offers ECDSA
> instead of RSA certificate.
There are some sites that offer an ECDSA cert where possible, but
fall back to an RSA cert when the client do
Piotr Sikora wrote:
> > ssl_session_timeout 5m;
>
> Not only doesn't it change anything (5m is the default value), but
> it's way too low a value to be used.
>
> A few examples from the real world:
>
> Google: 28h
> Facebook: 24h
Hi Julien,
> Afaik, the above dynamically links openssl. Am I wrong?
Yes, you're wrong.
> Are you saying you would rather use non-PFS ciphers than wait an extra 15ms
> to complete a DHE handshake? I wouldn't.
No, I'm saying that since you're compiling against OpenSSL-1.0.1,
you've got ECDHE cip
On 2013-10-15 00:39, Piotr Sikora wrote:
Hi Julien,
> I spent some time hacking on my SSL conf recently. Nothing new, but I
> figured I'd share it with the group:
> https://jve.linuxwall.info/blog/index.php?post/2013/10/12/A-grade-SSL/TLS-with-Nginx-and-StartSSL
> Feel free to comment here.
Hi Julien,
> I spent some time hacking on my SSL conf recently. Nothing new, but I
> figured I'd share it with the group:
> https://jve.linuxwall.info/blog/index.php?post/2013/10/12/A-grade-SSL/TLS-with-Nginx-and-StartSSL
>
> Feel free to comment here.
> a few pointers f
Hi Nginx folks,
I spent some time hacking on my SSL conf recently. Nothing new, but I
figured I'd share it with the group:
https://jve.linuxwall.info/blog/index.php?post/2013/10/12/A-grade-SSL/TLS-with-Nginx-and-StartSSL
Feel free to comment here.
Cheers
--
Julien Vehent