TLS 1.2 ciphers

stephan13360 nginx-forum at nginx.us
Wed Aug 21 18:07:31 UTC 2013


Thanks. I never even considered that the certificate could be the problem.

Maxim Dounin Wrote:
-------------------------------------------------------
> Hello!
> 
> On Wed, Aug 21, 2013 at 01:19:01PM -0400, stephan13360 wrote:
> 
> > Chrome 29 came out recently and now supports TLS 1.2. So I decided to add
> > some of the new TLS 1.2 ciphers to my webserver, which are specified here:
> > https://www.openssl.org/docs/apps/ciphers.html#TLS_v1_2_cipher_suites.
> > 
> > My current setup is: Ubuntu 10.04, Nginx 1.5.3, OpenSSL 1.0.1e (built
> > myself)
> > Config file:
> > 
> > server  {
> >     listen 80;
> >     server_name    sherbers.de;
> >     return 301 https://$server_name$request_uri;
> > }
> > server {
> >     listen 443 ssl spdy default_server;
> >     server_name    sherbers.de;
> > 
> >     ssl_certificate /etc/ssl/private/hosteurope/www.sherbers.de.pem;
> >     ssl_certificate_key /etc/ssl/private/hosteurope/www.sherbers.de.key;
> >     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
> >     ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA;
> >     ssl_prefer_server_ciphers on;
> >     ssl_session_cache shared:SSL:10m;
> > 
> > As you can see I only use ciphers with perfect forward secrecy, because why
> > not. When I connect to my webserver Chrome shows it is using TLS 1.2 but as
> > a cipher it is using ECDHE-RSA, which it was using before too when I only
> > offered TLS 1.1, without any of the ECDHE-ECDSA ciphers.
> > 
> > Any idea why nginx doesn't offer the new ciphers?
> 
> ECDSA ciphers need an ECDSA certificate to work.  As your cert is 
> RSA, RSA ciphers are used.
> 
> -- 
> Maxim Dounin
> http://nginx.org/en/donation.html

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,242096,242099#msg-242099
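
Added example, not part of the original thread: a small Python check that applies the rule from the quoted reply (an ECDSA suite needs an ECDSA certificate) to the ssl_ciphers list from the quoted config. The function names and the client offer are constructed for illustration, and the name parsing is a simplification that only covers OpenSSL names of the form KX-AUTH-cipher, as used in the post.

```python
# ssl_ciphers value from the quoted config.
SSL_CIPHERS = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA"
)

# Constructed client offer (an assumption, not a real browser's list).
CLIENT_OFFER = [
    "ECDHE-ECDSA-AES256-SHA",
    "ECDHE-RSA-AES256-SHA",
    "DHE-RSA-AES256-SHA",
]

KEY_EXCHANGES = {"ECDHE", "DHE"}
AUTH_TO_KEY_TYPE = {"ECDSA": "ECDSA", "RSA": "RSA", "DSS": "DSA"}


def required_key_type(suite):
    """Certificate key type a suite name needs, or None if not recognised."""
    parts = suite.split("-")
    if len(parts) >= 3 and parts[0] in KEY_EXCHANGES:
        return AUTH_TO_KEY_TYPE.get(parts[1])
    return None


def usable_suites(cipher_string, cert_key_types):
    """Configured suites, in order, that the installed certificate(s) can serve."""
    return [s for s in cipher_string.split(":")
            if s and required_key_type(s) in cert_key_types]


def dead_entries(cipher_string, cert_key_types):
    """Configured suites that can never be selected with these certificates."""
    usable = set(usable_suites(cipher_string, cert_key_types))
    return [s for s in cipher_string.split(":") if s and s not in usable]


def negotiate(cipher_string, cert_key_types, client_offer):
    """First usable suite in server order that the client also offers
    (models ssl_prefer_server_ciphers on)."""
    offered = set(client_offer)
    for suite in usable_suites(cipher_string, cert_key_types):
        if suite in offered:
            return suite
    return None


if __name__ == "__main__":
    print("unusable with RSA cert:", dead_entries(SSL_CIPHERS, {"RSA"}))
    print("selected with RSA cert:", negotiate(SSL_CIPHERS, {"RSA"}, CLIENT_OFFER))
```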