nginx centos build only supports SSLv3 and ignores ssl_protocols
steve at greengecko.co.nz
Wed Oct 1 22:16:17 UTC 2014
On Wed, 2014-10-01 at 22:45 +0200, mayak wrote:
> On 10/01/2014 08:45 PM, Lukas Tribus wrote:
> >> btw, it seems impossible to have
> >> ...
> >> ssl_protocols TLSv1.2;
> >> ...
> >> and a testresult of
> >> SSLv2 NOT offered (ok)
> >> SSLv3 offered
> >> TLSv1 not offered
> >> TLSv1.1 not offered
> >> TLSv1.2 not offered
> > No, its very possible. A SSL_CTX_set_ssl_version() call can fail,
> > or the call itself can be #ifdef'ed out.
> >> iirc, openssl 1.0.1e should be able to provide tls 1.2, so
> >> it seems quite strange
> > It may be:
> > - the nginx centos 6 RPM is linked against openssl 0.9.8 AND
> > - when using a source build, you didn't stop and start the correct executable AND/OR
> > - you have some library mismatch/mess on your system
> > If you don't care about the possible mess on your system and want a fast fix,
> > just build it statically, as previously suggested.
> hi lukas, hi mex,
> - there is definetely something strange -- this is a vanilla install -- for testing -- i installed apache on the same machine and ran it on port 444 for an ssl host. it works as expected. that would seem to indicate the ssl libraries, etc, are in good shape.
> - if you point a mozilla firefox 32.0.3 to this site, you get:
> > Secure Connection Failed
> > An error occurred during a connection to domain.com. SSL peer selected a cipher suite disallowed for the selected protocol version. (Error code: ssl_error_cipher_disallowed_for_version)
> > The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
> > Please contact the website owners to inform them of this problem.
> - i am going to generate some different certs -- mine are insane -- 4096 key, 4096 dh, sha512 sig -- perhaps the problem lies there. although, why would apache work and not nginx?
> will report back tomorrow.
I find that https://www.ssllabs.com/ssltest/ provides a good breakdown
of what a site is offering. I certainly used it to fine tune my SSL
setup. I generally use CentOS 6/Amazon, but do use the nginx repo when
not building from source for pagespeed. This repo certainly offers all
the way up to TLS 1.2 if enabled.
Steve Holdoway BSc(Hons) MIITP
More information about the nginx