wrong option for nginx modern and intermediate

[MagicChocoRolls]

When creating an nginx config, for intermediate and modern the generator always tells me to set ssl_prefer_server_ciphers off;.
This seems weird. I would assume this should always be set to 'on'!?

[april]

Nope, it should be off for Intermediate and Modern. We talk about why this is here:

https://wiki.mozilla.org/Security/Server_Side_TLS

[teward]

@april erm... if you DO talk about this in that document, it's not clear where it's stated.

Also, current version of the document as of right now (last rev: 18 days ago) says this:

The ordering of cipher suites in the Intermediate and Old configurations is very important, as it determines the priority with which algorithms are selected.

... which means for Intermediate, ordering is still necessary. Which means your documentation and the generator are in disagreement.

THEREFORE

One of the following must happen:

1. DETAILED documentation and more clearly visible explanation as to why prefer server ciphers should be off for Intermediate (implied to be off for Modern), and the quoted wording earlier on in the document updated, or

2. The generator for Intermediate needs to be altered to have ssl_prefer_server_ciphers on;

[april]

Ahh, it's just the wiki that's off. I'll remove the Intermediate bit from it. Thanks.

[april]

There, all fixed. :)

[april]

It should be noted that the JSON document and Intermediate section (in multiple places) talk about why Client Ordered is preferred, it was just that paragraph at the top was incorrect.

The generator has always been correct.

[gene1wood]

@april thanks for fixing the wiki with mozilla/server-side-tls#262 and @teward thanks so much for catching this inconsistency that was likely to trip up other people as well.