This question is about setting the correct value of ssl_prefer_server_ciphers while configuring nginx.
According to a fairly typical config suggested by Mozilla, the value should be off (source: https://ssl-config.mozilla.org/#server=nginx&server-version=1.17.7&config=intermediate&openssl-version=1.0.1g).
According to nginx's own documentation, one should always set this to on: https://www.nginx.com/blog/nginx-https-101-ssl-basics-getting-started/ (search the document for ssl_prefer_server_ciphers).
I'm stumped as to which advice to follow. Both sources are pretty solid.
Can some industry experts chime in regarding when one should turn this off, and when on? Would also love to know the rationale.
Best Answer
Ok, so there are three categories for choosing this parameter on or off.
The only situation when you need to turn this parameter off is a modern configuration where you don't need any backward compatibility; in such cases the client will not be able to connect with old SSL/TLS, except TLSv1.3.
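As an added illustration (not part of the question or the answer above, and not taken from either linked source), here are the two configurations the thread contrasts, side by side. The server name, certificate paths and the specific cipher list are assumptions chosen for the example; substitute your own.

```nginx
# Added example, not from the question or the answer.
# Case 1: modern configuration, TLS 1.3 only. Every TLS 1.3 suite is an AEAD
# suite of comparable strength, so letting the client pick costs nothing and
# "off" (the Mozilla generator's setting) is appropriate.
server {
    listen 443 ssl;
    server_name example.com;                               # placeholder
    ssl_certificate     /etc/ssl/certs/example.com.pem;    # placeholder path
    ssl_certificate_key /etc/ssl/private/example.com.key;  # placeholder path

    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers off;
}

# Case 2: compatibility configuration that still accepts TLS 1.2. Here the
# server's own order in ssl_ciphers is what "on" enforces: nginx selects the
# first suite in ITS list that the client also offers, instead of the first
# suite in the CLIENT's list. That is what keeps an old client from steering
# the handshake to the weakest suite both sides happen to share.
server {
    listen 443 ssl;
    server_name example.com;                               # placeholder
    ssl_certificate     /etc/ssl/certs/example.com.pem;    # placeholder path
    ssl_certificate_key /etc/ssl/private/example.com.key;  # placeholder path

    ssl_protocols TLSv1.2 TLSv1.3;
    # Assumed list: AEAD (GCM / ChaCha20) suites only, strongest-preferred order.
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;
}
```

The trade-off is simple to reason about: "on" makes the server's list authoritative, which only matters when that list mixes suites of different strength (or when you cannot trust clients' ordering); "off" lets a client with no AES hardware acceleration choose ChaCha20-Poly1305 first, which is why the Mozilla generator pairs "off" with a cipher list that already contains nothing weak. To confirm what a running server actually does, offer it two suites in the opposite order from its own list, e.g. openssl s_client -connect example.com:443 -tls1_2 -cipher 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384', and read the "Cipher" line: with "on" you get the suite that comes first in the server's ssl_ciphers, with "off" you get the one you listed first. Run nginx -t after either change before reloading.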