The nginx docs show how to do this, now, and it’s pretty simple (very similar to the Apache configuration, in fact):
    ssl_ciphers RC4:HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
Set it to prefer RC4 ciphers and — BOOM! — you’re done.
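To make the two directives concrete, here is an added example (not code from the original post): a small Python resolver for OpenSSL-style cipher-list strings, which is the syntax nginx's ssl_ciphers value uses. It works over a hand-built table of a few suites with the keywords OpenSSL assigns them (HIGH, MEDIUM, RC4, aNULL, MD5 and so on), so it is an approximation of the real library's behaviour, not the library itself. It shows why listing RC4 first makes it the server's first choice, why "!" (permanent removal) differs from "-" (removable), and why ssl_prefer_server_ciphers on is what makes the server's order count at all. The audit step flags RC4 because RFC 7465 has since prohibited it in TLS and current OpenSSL builds ship without it, so a present-day reviewer would drop it from the list; the reasons in WEAK are this example's own wording.

```python
"""Resolve and audit an nginx ssl_ciphers value (OpenSSL cipher-list syntax).

Added example. SUITES is a constructed subset with keyword sets modelled on
OpenSSL's ciphers(1) documentation; it is not OpenSSL's real cipher table.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    keywords: frozenset  # cipher-list keywords this suite belongs to


# Constructed table: a handful of suites and the keywords OpenSSL would match.
SUITES = [
    Suite("ECDHE-RSA-AES256-GCM-SHA384", frozenset({"HIGH", "AES", "AESGCM", "ECDHE", "RSA", "SHA384"})),
    Suite("ECDHE-RSA-AES128-GCM-SHA256", frozenset({"HIGH", "AES", "AESGCM", "ECDHE", "RSA", "SHA256"})),
    Suite("AES256-SHA", frozenset({"HIGH", "AES", "kRSA", "RSA", "SHA1"})),
    Suite("AES128-SHA", frozenset({"HIGH", "AES", "kRSA", "RSA", "SHA1"})),
    Suite("ADH-AES128-SHA", frozenset({"HIGH", "AES", "aNULL", "ADH", "DH", "SHA1"})),
    Suite("AECDH-AES256-SHA", frozenset({"HIGH", "AES", "aNULL", "AECDH", "ECDH", "SHA1"})),
    Suite("RC4-SHA", frozenset({"MEDIUM", "RC4", "kRSA", "RSA", "SHA1"})),
    Suite("RC4-MD5", frozenset({"MEDIUM", "RC4", "kRSA", "RSA", "MD5"})),
    Suite("DES-CBC-SHA", frozenset({"LOW", "DES", "kRSA", "RSA", "SHA1"})),
    Suite("NULL-SHA", frozenset({"eNULL", "NULL", "kRSA", "RSA", "SHA1"})),
]

# Keywords a reviewer would flag today, with this example's own one-line reasons.
WEAK = {
    "RC4": "RFC 7465 prohibits RC4 in TLS",
    "MD5": "HMAC-MD5 suites are obsolete",
    "aNULL": "anonymous key exchange, no server authentication",
    "eNULL": "no encryption at all",
    "LOW": "low-strength cipher",
}


def _matches(suite, token):
    """'A+B' means a suite must carry every part; 'ALL' is everything but eNULL."""
    for part in token.split("+"):
        if part == "ALL":
            if "eNULL" in suite.keywords:
                return False
        elif part != suite.name and part not in suite.keywords:
            return False
    return True


def resolve(spec, suites=SUITES):
    """Return the enabled suite names in server-preference order.

    Plain token: append matching suites not yet listed.
    '+' : move matching suites already listed to the end.
    '-' : remove matching suites (a later token may re-add them).
    '!' : remove matching suites permanently for this spec.
    """
    enabled = []   # ordered list of Suite objects currently enabled
    killed = set()  # names deleted with '!' that can never return
    for token in (t for t in re.split(r"[:,\s]+", spec.strip()) if t):
        op, body = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hits = [s for s in suites if _matches(s, body)]
        if op == "!":
            killed.update(s.name for s in hits)
            enabled = [s for s in enabled if s.name not in killed]
        elif op == "-":
            enabled = [s for s in enabled if s not in hits]
        elif op == "+":
            enabled = [s for s in enabled if s not in hits] + [s for s in enabled if s in hits]
        else:
            for s in hits:
                if s.name not in killed and s not in enabled:
                    enabled.append(s)
    return [s.name for s in enabled]


def audit(spec, suites=SUITES):
    """List 'SUITE: reason' for every enabled suite carrying a WEAK keyword."""
    by_name = {s.name: s for s in suites}
    return [f"{name}: {why}" for name in resolve(spec, suites)
            for kw, why in WEAK.items() if kw in by_name[name].keywords]


def parse_nginx(snippet):
    """Pick ssl_ciphers / ssl_prefer_server_ciphers out of a config fragment."""
    settings = {}
    for stmt in snippet.split(";"):
        parts = stmt.split()
        if len(parts) == 2 and parts[0] in ("ssl_ciphers", "ssl_prefer_server_ciphers"):
            settings[parts[0]] = parts[1].strip("\"'")
    return settings


def effective_preference(snippet, suites=SUITES):
    """Resolve the fragment; nginx's default for ssl_prefer_server_ciphers is off,
    in which case the client's order, not this list's order, decides."""
    cfg = parse_nginx(snippet)
    spec = cfg["ssl_ciphers"]
    return {
        "order": resolve(spec, suites),
        "server_order_wins": cfg.get("ssl_prefer_server_ciphers", "off") == "on",
        "findings": audit(spec, suites),
    }


if __name__ == "__main__":
    for spec in ("RC4:HIGH:!aNULL:!MD5", "HIGH:!aNULL:!MD5:!RC4"):
        print(spec, "->", resolve(spec))
        for finding in audit(spec):
            print("   ", finding)
```

Running it shows RC4-SHA at the head of the list for the post's string, with RC4-MD5 gone because !MD5 removed it, and the anonymous suites gone because of !aNULL; the second string, with !RC4 appended, is the same list without the RC4 suite, which is what the audit asks for.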
Like many other system admins, I should have done this a long time ago. And, like many other system admins, I’ve got many other things going on. I let this slip (even though I’ve kept up on nginx patches) and I shouldn’t have. Thankfully, this was a low risk item as the site doesn’t perform truly critical transactions.
I definitely encourage folks to use the SSL Labs tool to help ensure you’ve got your site’s configuration up to snuff.
Also, make sure to follow @ivanristic on Twitter if you care at all about web app security.