ssl_prefer_server_ciphers on is not needed
When I configured the webserver for this blog I intentionally set
Why? Because I don’t know what cipher is the fastest/most secure on the client side.
This blog only has TLS 1.2 enabled and the following ciphers (with ECDHE key exchange):
Of these ciphers only AES128-SHA256 and AES256-SHA384 are not AEAD. However many older browsers/devices only implement the CBC variant of AES in ECDHE mode (and not CCM/GCM or CHACHA20) so it is needed as a fallback.
If only strong ciphers are defined (and TLS version and key exchange) there is no need to specify ssl_prefer_server_ciphers on.
For example if AES256-GCM-SHA384 is the preferred cipher server side the client will use it instead of potentially faster CHACHA20-POLY1305 (on slower devices or devices without AES-NI).
In practice only following ciphers are used:
- CHACHA20-POLY1305 (modern Android devices)
- AES128-GCM or AES256-GCM (modern browsers)
- AES256-SHA384 (older clients, IE)
Browser vendors have much better overview what cipher is fastest on the device the browser is running on so don’t force potentially slower cipher by specifying ssl_prefer_server_ciphers on.