openssl 1.0.1 and tls1.1 and up
Nemesiz
nginx-forum at nginx.us
Wed Apr 16 13:42:27 UTC 2014
I found where the problems was. I thought ssl options can be different in
virtual host. Default server settings was not overwritten.
server {
include conf/default-settings;
root /var/www;
server_name "";
ssl on;
ssl_certificate ssl/nmz_ssl.crt;
ssl_certificate_key ssl/nmz_ssl.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
ssl_prefer_server_ciphers on;
location / {
try_files $uri $uri/ =404;
}
location /smokeping/ {
proxy_pass http://10.10.10.2/smokeping/;
}
}
Others servers:
server {
include conf/default-site-ssl;
include conf/default-settings;
ssl_certificate /etc/nginx/ssl/host.pem;
ssl_certificate_key /etc/nginx/ssl/host.key;
....
conf/default-site-ssl :
listen 443 ssl;
ssl on;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_prefer_server_ciphers on;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers
'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';
add_header Strict-Transport-Security "max-age=31536000;
includeSubdomains;";
nginx -t did not show any error.
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols
So some ssl options cannot be overwritten ?
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,249305,249341#msg-249341
More information about the nginx
mailing list