use !aNULL to disable all anonymous cipher suites

patch by Rob Stradling

diff --git a/conf/nginx.conf b/conf/nginx.conf
index 672ce8c8391b5c65a9fc89eb17165d284534ea00..3bb3389365fd76d4b89e1ad42c6ded821fcae82c 100644 (file)
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -106,7 +106,7 @@ http {
     #    ssl_session_timeout  5m;
 
     #    ssl_protocols  SSLv2 SSLv3 TLSv1;
-    #    ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
+    #    ssl_ciphers  HIGH:!aNULL:!MD5;
     #    ssl_prefer_server_ciphers   on;
 
     #    location / {

diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
index ee6cc6f0523b4d3341d77ac52dcc72239a7a00a4..1860050d34bbd71bedb3ee164b24e0a055db0a67 100644 (file)
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -13,7 +13,7 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
     ngx_pool_t *pool, ngx_str_t *s);
 
 
-#define NGX_DEFAULT_CIPHERS  "HIGH:!ADH:!MD5"
+#define NGX_DEFAULT_CIPHERS  "HIGH:!aNULL:!MD5"
 
 
 static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r,

diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c
index de463e96b55f8f9044428bc69841aba6845ee63a..9dd9dfd1595078c45a948d91be1d78a5853fb43a 100644 (file)
--- a/src/mail/ngx_mail_ssl_module.c
+++ b/src/mail/ngx_mail_ssl_module.c
@@ -9,7 +9,7 @@
 #include <ngx_mail.h>
 
 
-#define NGX_DEFAULT_CIPHERS  "HIGH:!ADH:!MD5"
+#define NGX_DEFAULT_CIPHERS  "HIGH:!aNULL:!MD5"
 
 
 static void *ngx_mail_ssl_create_conf(ngx_conf_t *cf);