Skip navigation

Just a quick post as I noticed that my nginx configuration was vulnerable to the BEAST attack thanks to the #spiffy SSL Certificate Tester from Qualys (I scored an “A”, btw :-).

The nginx docs show how to do this, now, and it’s pretty simple (very similar to the Apache configuration, in fact):

  1. ssl_ciphers RC4:HIGH:!aNULL:!MD5;
  2. ssl_prefer_server_ciphers on;

Set it to prefer RC4 ciphers and — BOOM! — you’re done.

Like many other system admins, I should have done this a long time ago. And, like many other system admins, I’ve got many other things going on. I let this slip (even though I’ve kept up on nginx patches) and I shouldn’t have. Thankfully, this was a low risk item as the site doesn’t perform truly critical transactions.

I definitely encourage folks to use the SSL Labs tool to help ensure you’ve got your site’s configuration up to snuff.

Also, make sure to follow @ivanristic on Twitter if you care at all about web app security.


  1. RC4 is insecure, do that is not reliable anymore.

  2. This is bad advice now – RC4 is considered insecure.

One Trackback/Pingback

  1. […] this week, I mentioned the most excellent Qualys SSL Certificate Tester and thought it would be interesting to try it on […]

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.