Setting ssl_prefer_server_ciphers directive in nginx config

nginx ssl

This question is about setting the correct value of ssl_prefer_server_ciphers while configuring nginx.

According to a fairly typical config suggested by Mozilla, the value should be off (source: https://ssl-config.mozilla.org/#server=nginx&server-version=1.17.7&config=intermediate&openssl-version=1.0.1g).

According to nginx's own documentation, one should always set this to on: https://www.nginx.com/blog/nginx-https-101-ssl-basics-getting-started/ (search the document for ssl_prefer_server_ciphers).

I'm stumped as to which advice to follow. Both sources are pretty solid.

Can some industry experts chime in regarding when one should turn this off, and when on? Would also love to know the rationale.


Ok, so there are three categories for choosing this parameter on or off.

**Modern** : Services with clients that support TLS 1.3 and don't need backward compatibility
**Intermediate** : General-purpose servers with a variety of clients, recommended for almost all systems
**Old** : Compatible with a number of very old clients, and should be used only as a last resort

Only situation when you need to put off this parameter is modern configuration where you don't need any backward compatibility, in such cases client will not be able to connect with old ssl/tls except tlsv1.3.


When ssl_prefer_server_ciphers is set to on, the web server owner can control which ciphers are available.

The reason why this control was preferred is old and insecure ciphers that were available in SSL, and TLS v1.0 and TLS v1.1.

When the server supports old TLS versions and ssl_prefer_server_ciphers is off, an adversary can interfere with the handshake and force the connection to use weak ciphers, therefore allowing decrypting of the connection.

The weak ciphersuites have been deprecated in TLS v1.2 and v1.3, which removes the need for server to specify preferred ciphers.

The preferred setting in modern setups is ssl_prefer_server_ciphers off, because then the client device can choose his preferred encryption method based on the hardware capabilities of the client device.

For example, if the mobile device does not have AES acceleration, it can choose to use ChaCha cipher for better performance.

Related

How can I verify that a SQLite db3 file is valid/consistent
Google Chrome: passthrough Windows authentication
How can I install Apache with a specific version?
Open a new Safari window in the current Space from Terminal with multiple tabs (URLs)
After Upgrade to Mountain Lion I get blurry fonts
Can Applescript be used to automate a screen recording session on OS X?
Testing a MacBook Pro's RAM upgrade
How can I apply tags in Mavericks recursively?
How to create a VPN connection via terminal?
Siri's voice on macOS Sierra is not natural
How to change PATH environment variable to OS X 10.8 Mountain Lion that will be visible to GUI applications? [duplicate]
Apache2 (Httpd) not working after update to High Sierra