SSL Ciphers
This page is outdated. Please use the Mozilla SSL Configuration Generator to generate a secure configuration.
SSL/TLS protocol versions and ciphers have never really been something people configured very tightly. Lately, though, there are very valid reasons to ensure that SSL, where applied, uses the best methods available to protect confidentiality and integrity. Sites such as ssllabs.com can help test your web server's configuration. Weak ciphers give a false sense of security. There are attacks against SSL/TLS.
The following is the set I use for this site (at the time of publishing):
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
This is also useful (with different config value names) in things like dovecot.conf and Apache’s SSL vhost configs.
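To check a configuration like the one above for entries now regarded as weak, the following added example (not from the original page) parses the two nginx directives and reports legacy protocol versions and cipher-string keywords. The function name `audit`, the lookup tables and the `!aNULL` heuristic are assumptions made for illustration; the sample input is the page's own two lines.

```python
import re

# Illustrative helper, not part of nginx or the original page.
# Constructed sample input: the two nginx directives shown on this page.
SAMPLE_CONF = """\
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
"""

# Protocol versions that should no longer be offered.
WEAK_PROTOCOLS = {
    "SSLv2": "prohibited by RFC 6176",
    "SSLv3": "prohibited by RFC 7568 (POODLE)",
    "TLSv1": "deprecated by RFC 8996",
    "TLSv1.1": "deprecated by RFC 8996",
}
# OpenSSL cipher-string keywords that select weak suites when enabled.
WEAK_KEYWORDS = {
    "3DES": "64-bit block cipher (Sweet32)",
    "RC4": "prohibited in TLS by RFC 7465",
    "MD5": "legacy MD5-based MAC",
    "RSA": "RSA key exchange, no forward secrecy",
}
DIRECTIVE = re.compile(r"^\s*(ssl_protocols|ssl_ciphers)\s+([^;#]+);", re.M)

def audit(conf_text):
    """Return (directive, entry, reason) for each weak setting found."""
    findings = []
    for name, value in DIRECTIVE.findall(conf_text):
        value = value.strip().strip("'\"")
        if name == "ssl_protocols":
            for proto in value.split():
                if proto in WEAK_PROTOCOLS:
                    findings.append((name, proto, WEAK_PROTOCOLS[proto]))
            continue
        entries = [e for e in re.split(r"[:, ]+", value) if e]
        for entry in entries:
            if entry[0] in "!-":  # exclusions remove suites, nothing to flag
                continue
            for kw in entry.lstrip("+").split("+"):  # "A+B" means A and B
                if kw in WEAK_KEYWORDS:
                    findings.append((name, entry, WEAK_KEYWORDS[kw]))
        if "!aNULL" not in entries:  # heuristic: DH/ECDH keywords include anonymous suites
            findings.append((name, "(missing !aNULL)", "unauthenticated suites allowed"))
    return findings

if __name__ == "__main__":
    for directive, entry, reason in audit(SAMPLE_CONF):
        print(f"{directive}: {entry}: {reason}")
```

An entry such as `RSA+3DES` is reported twice, once per weak keyword it combines.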