Using 256 bit AES instead of 128 bit for TLS #2149
Replies: 3 comments
Hi. If you are using the default Mozilla-Intermediate or the Mozilla-Modern you should be able to configure an overriding SSL policy using the existing per-VIRTUAL_HOST mechanism.
Hi! Thanks for the reply. I tried my best based on the information you provided but I couldn't get it to work. I "mounted" the /etc/nginx/vhost.d/ folder into a Docker volume and made a file called "default" in it. Then I placed this in the file
Nginx failed when I tried placing that in what is called a "server directive", so clearly I'm actually interacting with the server, just not correctly. Please keep in mind that I've never used Nginx before today and never used Docker before yesterday so I expect I'm making a dumb mistake somewhere that I wouldn't if I was familiar with both/either.
Hi @Grant12311 The cipher suites actually have more complex names; here are those for the default SSL Policy:
If you change your ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384'; Nginx should only accept cipher suites that use
Please note however that AES128 for bulk encryption is considered secure and that you won't really gain anything by forcing use of AES256:
https://www.kryptall.com/index.php/information/how-safe-is-aes-encryption
My advice would be to keep the default configuration instead of restricting the set of cipher suites (for very hypothetical gains) and risking incompatibility with some clients.
That's what discussions are for 👍
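One way to check what a cipher string like the one in the reply above actually enables before putting it in ssl_ciphers. This is an added example, not part of the original discussion or of the proxy project; it uses Python's ssl module, so it assumes the OpenSSL that Python is linked against resolves names the way the one behind Nginx does. The names `expand` and `audit` are hypothetical and MISTYPED is a constructed sample.

```python
import ssl

# The AES256-only list discussed in the reply, plus a constructed variant in
# which one token has lost its leading "E", to show how a typo is reported.
CORRECT = ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
           "DHE-RSA-AES256-GCM-SHA384")
MISTYPED = CORRECT.replace(":ECDHE-RSA-", ":CDHE-RSA-")


def expand(cipher_string):
    """Return (tls12_and_below, tls13) suites the local OpenSSL selects."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
        legacy = [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    except ssl.SSLError:  # the string selected no TLS 1.2-or-older suite
        legacy = []
    # A cipher string only governs TLS 1.2 and below; TLS 1.3 suites are
    # configured separately and stay listed whatever the string says.
    tls13 = [c for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.3"]
    return legacy, tls13


def audit(cipher_string):
    """Summarise what a cipher string really enables."""
    legacy, tls13 = expand(cipher_string)
    # Operators such as !aNULL, -RC4, +HIGH or @STRENGTH select nothing by
    # themselves, so only plain tokens are checked for a match.
    plain = [t for t in cipher_string.split(":") if t and t[0] not in "!-+@"]
    return {
        "enabled": [c["name"] for c in legacy],
        "min_bits": min((c["strength_bits"] for c in legacy), default=0),
        "unmatched": [t for t in plain if not expand(t)[0]],
        "tls13_not_governed": [c["name"] for c in tls13],
    }


if __name__ == "__main__":
    for label, value in (("correct", CORRECT), ("mistyped", MISTYPED)):
        print(label, audit(value))
```

Any AES128 suite that shows up under `tls13_not_governed` is still negotiable by TLS 1.3 clients, since the cipher string does not reach those suites.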
Hello. I was checking the TLS details of the pages I'm now hosting behind this proxy and I noticed that their security has dropped somewhat from before. This proxy seems to use 128 bit AES instead of 256 bit like Nextcloud and at least some of my other services used on their own. I'd like to fix that but I can't seem to find a way to do it. I'm assuming Nginx supports 256 bit, though I'll admit I'm not sure and couldn't manage to find a straight answer online. Any help is greatly appreciated.