[Ach] CloudFlare's SSL config for public-facing nginx hosts

Alan Orth alan.orth at gmail.com
Mon May 5 13:51:35 CEST 2014


Hey,

For what it's worth, they seem to be using an OpenSSL patch which only
enables RC4 if the connection is SSLv3 (i.e., to combat BEAST).

But yes, it seems pretty likely that we should have stopped using RC4
many years ago:

https://twitter.com/ioerror/status/398059565947699200

Cheers,

Alan

On 05/05/2014 02:36 PM, Aaron Zauner wrote:
>
> Alan Orth wrote:
>> Thought this might be of interest to the list, CloudFlare posted the SSL
>> ciphersuites they use on their public-facing nginx hosts:
>>
>> https://github.com/cloudflare/sslconfig/
>>
>> Notably, they have SSLv3 and RC4 enabled, though they discuss their
>> support for RC4 in an early 2014 blog post here:
>>
>> http://blog.cloudflare.com/killing-rc4
>>
> I've seen it as well and just didn't post it because I think these are
> bad recommendations. They also serve DES-CBC3 and RC4 without PFS. I'm
> pretty certain that there are more unknown attacks on RC4 we do not know
> about yet out there.
>
> Aaron
>

-- 
Alan Orth
alan.orth at gmail.com
http://alaninkenya.org
http://mjanja.co.ke
"I have always wished for my computer to be as easy to use as my telephone; my wish has come true because I can no longer figure out how to use my telephone." -Bjarne Stroustrup, inventor of C++
GPG public key ID: 0x8cb0d0acb5cd81ec209c6cdfbd1a0e09c2f836c0
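One way to check an nginx TLS configuration for the points raised in this thread (SSLv3 enabled, RC4, DES-CBC3, and suites without forward secrecy), as an added example that is not part of the original post or of CloudFlare's sslconfig repository; the two nginx snippets, the `audit_nginx_tls` function and its name-based heuristics are constructed for illustration:

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample nginx directives resembling the weak setup discussed on
# the list (SSLv3, RC4, DES-CBC3, static-RSA suites). Not CloudFlare's file.
WEAK_NGINX_CONF = """
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:AES128-SHA:DES-CBC3-SHA:RC4-SHA:!aNULL;
"""

# Constructed hardened counterpart: no SSLv3, only (EC)DHE suites, RC4 excluded.
HARDENED_NGINX_CONF = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:!aNULL:!RC4;
"""

@dataclass
class Finding:
    directive: str
    item: str
    problem: str

def directive_values(conf: str, name: str) -> List[str]:
    """Return the values of the first `name` directive, split on space or ':'."""
    m = re.search(rf"^\s*{name}\s+([^;]+);", conf, re.MULTILINE)
    return re.split(r"[\s:]+", m.group(1).strip()) if m else []

def audit_nginx_tls(conf: str) -> List[Finding]:
    """Flag legacy SSL versions and weak or non-PFS entries in ssl_ciphers.
    Heuristic: works on OpenSSL suite names/keywords as written; '!' exclusions
    are skipped and group keywords such as HIGH are not expanded."""
    findings: List[Finding] = []
    for proto in directive_values(conf, "ssl_protocols"):
        if proto.upper() in ("SSLV2", "SSLV3"):
            findings.append(Finding("ssl_protocols", proto, "legacy SSL version enabled"))
    for suite in directive_values(conf, "ssl_ciphers"):
        if suite.startswith("!"):
            continue  # an exclusion such as !aNULL or !RC4, not an enabled suite
        if "RC4" in suite:
            findings.append(Finding("ssl_ciphers", suite, "RC4 stream cipher"))
        if "DES-CBC3" in suite or "3DES" in suite:
            findings.append(Finding("ssl_ciphers", suite, "3DES (DES-CBC3) cipher"))
        # Explicit suite names contain '-'; only ECDHE/DHE key exchange gives PFS.
        if "-" in suite and not suite.startswith(("ECDHE-", "DHE-", "EDH-")):
            findings.append(Finding("ssl_ciphers", suite, "no forward secrecy (static key exchange)"))
    return findings

if __name__ == "__main__":
    for f in audit_nginx_tls(WEAK_NGINX_CONF):
        print(f"{f.directive}: {f.item}: {f.problem}")
```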

