Published: August 28, 2019

SSL/TLS Ciphers in nginx

What are the cipher configuration settings in nginx?


nginx SSL/TLS

nginx configuration files support numerous SSL/TLS settings including several “cipher” related settings. If you look at the SSL Configuration Generator from Mozilla (which you should, it’s an awesome tool), you will see there are two settings related to “cipher”: ssl_ciphers and ssl_prefer_server_ciphers.

Ciphers in SSL

Ciphers in this context refers to the encryption algorithms used to secure the traffic between the browser and the web server. The algorithm used is “agreed on” by both the browser and the server during the handshake. Ideally, the server would use only the strongest, most modern, and proven algorithms. Unfortunately, not all browsers and devices support all algorithms, so both parties advertise the ciphers they support and, hopefully, agree on the strongest cipher they have in common.

Downgrade Attacks

A risk introduced by this negotiation is the opportunity, during the handshake, to trick the parties into using a weaker encryption algorithm that could be more easily broken. For example, an attacker could intercept the handshake and request only weak ciphers from the server. If the server supports those weak ciphers, the handshake would still complete, but with weakened encryption.

Implementation in nginx

The goal in setting these properties is to balance security and availability. If the set of ciphers offered is too limited, some browsers will be unable to connect; if it is too weak, attack vectors such as the downgrade described above open up.

ssl_ciphers is the list of cipher suites the web server is willing to use. Their order can matter, depending on the next setting. The goal here is to select strong ciphers that most browsers and devices support.

ssl_prefer_server_ciphers is a boolean flag indicating whether the server's preference order or the client's preference order decides which cipher is chosen. Per the nginx documentation:

Specifies that server ciphers should be preferred over client ciphers
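As an added defender-side example (not part of the original post, and not nginx's own tooling), the script below audits the two directives discussed above: it parses an nginx fragment, flags weak tokens left in an OpenSSL-style ssl_ciphers list (honouring `!` exclusions), and reports when ssl_prefer_server_ciphers leaves the ordering to the client. The WEAK_TOKENS set and the two sample server blocks are constructed for illustration.

```python
import re

# Tokens of an OpenSSL cipher string that name weak or broken algorithms.
# Assumption: nginx hands ssl_ciphers to OpenSSL, so OpenSSL naming applies.
WEAK_TOKENS = {"NULL", "aNULL", "eNULL", "EXPORT", "EXP", "LOW", "DES", "3DES",
               "RC4", "MD5", "ADH", "AECDH"}

def _directive(config_text, name):
    """Return the value of the first `name ...;` directive, or None if absent."""
    m = re.search(r"^\s*%s\s+([^;]+);" % re.escape(name), config_text, re.M)
    return m.group(1).strip().strip("'\"") if m else None

def weak_ciphers(cipher_string):
    """Weak tokens an OpenSSL cipher string still allows ('!X' bans X for good)."""
    tokens = cipher_string.split(":")
    banned = {t[1:] for t in tokens if t.startswith("!")}
    allowed = set()
    for t in tokens:
        if t[:1] in "!-+":          # skip exclusions and empty tokens
            continue
        # Suite names such as ECDHE-RSA-RC4-SHA are split so RC4/MD5/DES show up.
        for part in re.split(r"[-+]", t):
            if part in WEAK_TOKENS and part not in banned:
                allowed.add(part)
    return sorted(allowed)

def audit_nginx_ssl(config_text):
    """Findings for ssl_ciphers / ssl_prefer_server_ciphers in an nginx fragment."""
    findings = []
    ciphers = _directive(config_text, "ssl_ciphers")
    if ciphers is None:
        findings.append("ssl_ciphers not set; OpenSSL/nginx defaults apply")
    else:
        findings += ["weak cipher allowed: %s" % tok for tok in weak_ciphers(ciphers)]
    prefer = _directive(config_text, "ssl_prefer_server_ciphers")
    if prefer != "on":
        findings.append("ssl_prefer_server_ciphers is %s; client order decides"
                        % (prefer or "unset"))
    return findings

# Constructed sample fragments: a legacy block beside a hardened one.
WEAK_CONF = "server {\n    ssl_ciphers 'HIGH:RC4-MD5:DES-CBC3-SHA';\n" \
            "    ssl_prefer_server_ciphers off;\n}\n"
HARDENED_CONF = "server {\n    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:" \
                "ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!MD5:!RC4;\n" \
                "    ssl_prefer_server_ciphers on;\n}\n"

if __name__ == "__main__":
    for label, conf in (("legacy", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_nginx_ssl(conf) or ["no findings"])
```

Run it against a real `server {}` block pasted into a string; a finding for ssl_prefer_server_ciphers is informational, since whether server ordering is wanted depends on the policy you follow.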

Conclusion

Understanding what a setting means within these types of configuration files is important. Following along with the SSL Configuration Generator from Mozilla will give you a great start at keeping current with the latest and greatest.