openssl 1.0.1 and tls1.1 and up

Miguel Clara miguelmclara at gmail.com
Tue Apr 15 13:39:45 UTC 2014


I should clarify that the default for ssl_protocols is fine for my
environment, since we need to support SSLv3; if you don't, I suggest making it
safer:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
On Tue, Apr 15, 2014 at 2:31 PM, Miguel Clara <miguelmclara at gmail.com> wrote:

>
> I have an nginx 1.5 install where I don't set the ssl_protocols, because,
> the defaults are fine:
> ---> "Since versions 1.1.13 and 1.0.12, nginx uses “ssl_protocols SSLv3
> TLSv1 TLSv1.1 TLSv1.2” by default."
>
>
> This is what I have find to be the best for ciphers, SSLLABS seems to like
> it, I would even set !RC4, but we need to still support it in this specific
> server.
>
>
>         # ciphers
>         ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM
> EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256
> EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK
> !SRP !DSS";
>
> On Tue, Apr 15, 2014 at 1:31 PM, Nemesiz <nginx-forum at nginx.us> wrote:
>
>> Hello
>>
>> I'm struggling with enabling tls1.1 and tls1.2. Some info:
>>
>> NGINX:
>>
>> # nginx -V
>> nginx version: nginx/1.5.13
>> built by gcc 4.8.1 (Ubuntu/Linaro 4.8.1-10ubuntu9)
>> TLS SNI support enabled
>> configure arguments: --prefix=/usr/local/nginx/1.5.13
>> --conf-path=/etc/nginx/nginx.conf
>> --error-log-path=/var/log/nginx/error.log
>> --http-client-body-temp-path=/var/lib/nginx/body
>> --http-fastcgi-temp-path=/var/lib/nginx/fastcgi
>> --http-log-path=/var/log/nginx/access.log
>> --http-proxy-temp-path=/var/lib/nginx/proxy
>> --http-scgi-temp-path=/var/lib/nginx/scgi
>> --http-uwsgi-temp-path=/var/lib/nginx/uwsgi
>> --lock-path=/var/lock/nginx.lock
>> --pid-path=/run/nginx.pid --with-pcre-jit --with-debug
>> --with-http_addition_module --with-http_auth_request_module
>> --with-http_dav_module --with-http_geoip_module
>> --with-http_gzip_static_module --with-http_image_filter_module
>> --with-http_realip_module --with-http_spdy_module --with-http_ssl_module
>> --with-http_stub_status_module --with-http_sub_module
>> --with-http_xslt_module --with-ipv6
>> --add-module=/usr/src/nginx-modules/nginx-openssl-version
>> --add-module=/usr/src/nginx-modules/testcookie-nginx-module
>> --with-pcre=/usr/src/nginx-modules/pcre-8.35
>> --with-openssl=/usr/src/nginx-modules/openssl-1.0.1g
>>
>> SSL settings:
>>
>> ssl_session_cache shared:SSL:50m;
>> ssl_session_timeout 5m;
>> ssl_dhparam /etc/nginx/ssl/dhparam.pem;
>> ssl_prefer_server_ciphers on;
>> ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
>> ssl_ciphers
>>
>> 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';
>> add_header Strict-Transport-Security "max-age=31536000;
>> includeSubdomains;";
>>
>>
>> https://www.ssllabs.com/ssltest/ results:
>>
>> Protocols
>> TLS 1.2         No
>> TLS 1.1         No
>> TLS 1.0         Yes
>> SSL 3   Yes
>> SSL 2   No
>>
>> Any hint?
>>
>> Posted at Nginx Forum:
>> http://forum.nginx.org/read.php?2,249305,249305#msg-249305
>>
>>
>
>
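As an added illustration (not part of this thread), a small audit script for the two settings discussed above: server blocks that still allow SSLv3, either explicitly or through the nginx default quoted in the thread, and cipher strings that still admit RC4. The configuration text is constructed for the example; the assumed default protocol list is the one quoted above.

```python
import re

# Assumed default, as quoted in the thread for nginx 1.0.12 / 1.1.13 and later
# builds of that era (the 1.5.13 here): SSLv3 is still on when unset.
NGINX_DEFAULT_PROTOCOLS = "SSLv3 TLSv1 TLSv1.1 TLSv1.2"
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}

def server_blocks(conf):
    """Return the body of every `server { ... }` block, brace-matched."""
    blocks = []
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth = 0
        for i in range(m.end() - 1, len(conf)):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            if depth == 0:  # matching close brace of this server block
                blocks.append(conf[m.end():i])
                break
    return blocks

def directive(block, name):
    """Value of the first `name ...;` directive in block, quotes stripped, or None."""
    m = re.search(r"(?:^|[;{}])\s*" + re.escape(name) + r"\s+([^;]+);", block)
    return " ".join(m.group(1).split()).strip("'\"") if m else None

def audit(conf):
    """Report (block_no, directive, note) for TLS server blocks that still allow
    SSLv2/SSLv3 (explicitly or via the default) or keep RC4 in ssl_ciphers."""
    findings = []
    for n, block in enumerate(server_blocks(conf), 1):
        if not re.search(r"\bssl\b|ssl_certificate", block):
            continue  # plain HTTP server block, nothing to check
        protos = set((directive(block, "ssl_protocols") or NGINX_DEFAULT_PROTOCOLS).split())
        legacy = sorted(LEGACY_PROTOCOLS & protos)
        if legacy:
            findings.append((n, "ssl_protocols", "allows " + " ".join(legacy)))
        ciphers = directive(block, "ssl_ciphers") or ""
        # Heuristic only; `openssl ciphers -v '<string>'` gives the authoritative expansion.
        if "RC4" in ciphers and "!RC4" not in ciphers:
            findings.append((n, "ssl_ciphers", "RC4 suites allowed"))
    return findings

# Constructed sample: block 1 mirrors the poster's explicit SSLv3 list, block 2 relies
# on the default and keeps RC4 (as the reply's cipher string does), block 3 is hardened.
SAMPLE_CONF = """
server { listen 443 ssl; ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
         ssl_ciphers 'HIGH:!aNULL:!MD5'; }
server { listen 443 ssl; ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+RC4 RC4 !aNULL !eNULL"; }
server { listen 443 ssl; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers "EECDH+aRSA+AESGCM !RC4"; }
server { listen 80; }
"""
```

Running `audit(SAMPLE_CONF)` flags blocks 1 and 2 for SSLv3 and block 2 for RC4, while the hardened block 3 and the plain-HTTP block 4 produce nothing.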