nginx and ephemeral Diffie-Hellman keys
Jauder Ho
lists at ruby-forum.com
Fri Jun 13 06:54:45 MSD 2008
I've been fighting with this all day, so hopefully someone can help shed
some light.
I have a site configured to use SSL and it currently does successfully
negotiate SSL. However, I am not able for the life of me to get nginx to
offer up DH keys/ciphers.
What I am able to get negotiated is AES256-SHA. What I would like to be
able to see is DHE-RSA-AES256-SHA.
The following is what I have set currently.
ssl_prefer_server_ciphers on;
ssl_protocols SSLv3 TLSv1;
# Set the ciphers to use. See http://infinitesecond.blogspot.com/2008/03/recommended-sslciphersuite.html
ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
Using http://www.serversniff.net/sslcheck.php and vurbu.com:443, it
looks like only RSA key exchanges are successful.
I have concatenated the DH params to the certificate with no effect.
dhparams was created with the following command
openssl dhparam -dsaparam -out dh1024dsa.pem -5 1024
Also looking at the nginx error log files, I see a lot of
SSL23_GET_CLIENT_HELLO:unknown protocol
SSL3_GET_CLIENT_HELLO:no shared cipher
yet the odd thing is I am able to successfully access https://vurbu.com/
nginx was compiled using the following flags.
~/src/nginx-0.7.1$ ./configure --with-http_ssl_module \
    --add-module=../nginx-upstream-fair/ --with-http_gzip_static_module
Any suggestions would be welcome.
--
Posted via http://www.ruby-forum.com/.