Last active December 19, 2015 05:49
Current SSL Cipher config for NeoCities, pulled from http://blog.cloudflare.com/new-ssl-vulnerabilities-cloudflare-users-prot
ssl_ciphers ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH;
So it's pretty good as it is. You may be able to improve speeds though, with a small change to the cipher order. Also, if you don't have
ssl_prefer_server_ciphers On;
set, you should. This change prefers AES-GCM over ECDHE. While it's less secure (no forward secrecy), it should be faster, allowing you to handle more requests with less server resources.
Security conscious clients can disable AES support to bypass and fallback to ECDHE.
Note: I'm not completely sure that this will be faster. I would test the configuration. Easy way to do that is to remove one or the other of AES/ECDHE strings (whole string between colons). Check site w/ openssl to confirm which cipher is being used, then run siege tests for performance. Compare results between the two. Whichever one is faster should be at the beginning of the list. If security (and specifically anti-PRISM security) is important to you, leave the order as it is, preferring ECDHE, and don't worry about performance.
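The A/B test the comment above describes, written out as an added shell example; it is not part of the gist and not the commenter's code. It assumes openssl and siege are installed, that TARGET_HOST (a placeholder) is the HTTPS host being tuned, and it starts from the exact ssl_ciphers string in the gist. The two helper functions that rewrite the cipher list run anywhere; the openssl and siege calls only run when TARGET_HOST is set.

```shell
#!/bin/sh
# Added example (not from the gist): A/B-test the two cipher orders discussed
# in the comment. Assumes openssl and siege are installed and that TARGET_HOST
# (an assumed placeholder) serves HTTPS on port 443.

CIPHERS='ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH'

# drop_token LIST TOKEN: print LIST without the given colon-separated entry
# (the "remove one or the other string" step from the comment).
drop_token() {
    _rest=$1
    _out=''
    while [ -n "$_rest" ]; do
        case $_rest in
            *:*) _t=${_rest%%:*}; _rest=${_rest#*:} ;;
            *)   _t=$_rest;       _rest='' ;;
        esac
        [ "$_t" = "$2" ] && continue
        _out="${_out:+$_out:}$_t"
    done
    printf '%s\n' "$_out"
}

# move_to_front LIST TOKEN: print LIST with TOKEN as the first, i.e. the
# preferred, entry. Only meaningful when ssl_prefer_server_ciphers is on,
# otherwise the client's order wins.
move_to_front() {
    printf '%s:%s\n' "$2" "$(drop_token "$1" "$2")"
}

# negotiated_cipher HOST [CLIENT_CIPHERS]: ask openssl which suite the server
# actually picks, so each variant can be confirmed before benchmarking.
# The optional second argument restricts the client side, e.g. 'ECDHE' shows
# what a security-conscious client that refuses static RSA would get.
negotiated_cipher() {
    openssl s_client -connect "$1:443" -servername "$1" \
        ${2:+-cipher "$2"} </dev/null 2>/dev/null \
        | sed -n 's/^ *Cipher *: *//p' | head -n 1
}

# bench HOST: 30-second siege run at 25 concurrent users; compare the
# "Transactions" and "Response time" figures between the two variants.
bench() {
    siege -c 25 -t 30S "https://$1/"
}

# The two nginx lines to try one at a time (reload nginx between runs):
ORIG=$CIPHERS                                        # prefers ECDHE: forward secrecy
FAST=$(move_to_front "$CIPHERS" AES128-GCM-SHA256)   # prefers static-RSA AES-GCM: no forward secrecy

if [ -n "$TARGET_HOST" ]; then
    echo "ssl_ciphers $ORIG;"
    echo "ssl_ciphers $FAST;"
    echo "server negotiates:            $(negotiated_cipher "$TARGET_HOST")"
    echo "client restricted to ECDHE:   $(negotiated_cipher "$TARGET_HOST" ECDHE)"
    bench "$TARGET_HOST"
fi
```

Deploy one of the two printed ssl_ciphers lines, reload nginx, run the script, then repeat with the other line and compare the siege numbers. The negotiated_cipher output is the sanity check: if the server keeps choosing the same suite under both configurations, ssl_prefer_server_ciphers is not in effect and the benchmark is not measuring the cipher order at all. The second openssl call shows that a client restricting itself to ECDHE still gets forward secrecy under the FAST order, which is the fallback the comment refers to.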