nginx centos build only supports SSLv3 and ignores ssl_protocols[solved -- found an issue in nginx]
mayak at australsat.com
Thu Oct 2 17:32:54 UTC 2014
On 10/02/2014 02:49 PM, Rob Stradling wrote:
> Hi. Visit https://www.ssllabs.com/ssltest/viewMyClient.html and check out "Protocol Details -> Signature algorithms". I expect you'll find that your browser doesn't offer SHA512/RSA.
> Judging from a recent discussion on the IETF TLS list , there seems to be some confusion over whether the TLS signature_algorithms extension should 1) restrict the permitted certificate signature algorithms and the non-certificate uses of digital signatures in the TLS protocol or 2) only restrict the non-certificate uses of digital signatures in the TLS protocol.
> Those taking view 2 don't offer SHA512/RSA because no cipher suites require it. I've concluded that, sadly, certs signed with SHA512/RSA basically don't work for TLS.
>  http://www.ietf.org/mail-archive/web/tls/current/msg13606.html
the `offer` was checked using `openssl` binary command within the https://testssl.sh/testssl.sh script -- the openssl binary is openssl-1.0.2-beta1
i agree -- nginx cannot handle an sha512 signed cert and will only offer sslv3. apache does offer tlsv1.* with an sha512 signature. this question goes beyond my comprehension of ssl, so i am going to live with sha256 -- strong enough to quench my paranoiac thirst :-)
More information about the nginx