nginx centos build only supports SSLv3 and ignores ssl_protocols [solved -- found an issue in nginx]

mayak mayak at
Thu Oct 2 17:32:54 UTC 2014

On 10/02/2014 02:49 PM, Rob Stradling wrote:
> Hi. Visit and check out "Protocol Details -> Signature algorithms".  I expect you'll find that your browser doesn't offer SHA512/RSA.
> Judging from a recent discussion on the IETF TLS list [1], there seems to be some confusion over whether the TLS signature_algorithms extension should 1) restrict the permitted certificate signature algorithms and the non-certificate uses of digital signatures in the TLS protocol or 2) only restrict the non-certificate uses of digital signatures in the TLS protocol.
> Those taking view 2 don't offer SHA512/RSA because no cipher suites require it.  I've concluded that, sadly, certs signed with SHA512/RSA basically don't work for TLS.
> [1]
hi rob,

The `offer` was checked using the `openssl` binary from within the script; the openssl binary is openssl-1.0.2-beta1.

I agree -- nginx cannot handle a SHA512-signed cert and will only offer SSLv3. Apache does offer TLSv1.* with a SHA512 signature. This question goes beyond my comprehension of SSL, so I am going to live with SHA256, which is strong enough to quench my paranoiac thirst :-)
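As an added example (not part of the thread, and not nginx's or OpenSSL's own code), here is a shell script that performs the checks discussed above with nothing but the openssl command line: it reports a certificate's signature algorithm, probes which protocol versions a server will negotiate, and tests whether a TLS 1.2 handshake completes when the client's signature_algorithms extension offers only RSA+SHA512 (the -sigalgs option needs OpenSSL 1.0.2 or later). The file names, the CN example.test and port 44330 are assumptions; the script generates its own throwaway certificates and serves one with openssl s_server, so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the nginx thread or from nginx/OpenSSL.
# Uses only the openssl(1) CLI. Host names, ports and file names are assumptions.
set -u

# Signature algorithm of a PEM certificate, as OpenSSL names it
# (e.g. sha512WithRSAEncryption). Empty output means the file did not parse.
cert_sigalg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Throwaway self-signed RSA certificate whose signature uses digest $2
# (sha256 or sha512); writes $1.key and $1.crt. Returns openssl's exit status.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        "-$2" -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# One s_client handshake against HOST:PORT with extra options; prints the
# negotiated protocol and cipher, or "handshake failed". s_client prints an
# SSL-Session block even on failure, with "Cipher : 0000", so the cipher is
# the reliable signal, not the Protocol line.
handshake() {
    target=$1; shift
    out=$(echo | openssl s_client -connect "$target" "$@" 2>&1)
    case "$out" in
        *"nknown option"*) echo "unsupported by local openssl"; return 2 ;;
    esac
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    if [ -z "$cipher" ] || [ "$cipher" = "0000" ]; then
        echo "handshake failed"; return 1
    fi
    echo "$proto $cipher"
}

# Which protocol versions will HOST:PORT negotiate? One forced-version
# handshake per version (-ssl3 .. -tls1_3 are real s_client options).
probe_protocols() {
    for v in ssl3 tls1 tls1_1 tls1_2 tls1_3; do
        printf '%-7s %s\n' "$v" "$(handshake "$1" "-$v")"
    done
}

# Does HOST:PORT complete a TLS 1.2 handshake when the client's
# signature_algorithms extension offers only $2 (e.g. RSA+SHA512)?
probe_sigalgs() {
    printf '%-12s %s\n' "$2" "$(handshake "$1" -tls1_2 -sigalgs "$2")"
}

# Local demonstration: a SHA-512-signed certificate served by openssl s_server,
# probed the same way the thread probed nginx. Port 44330 is an assumption.
WORK=$(mktemp -d)
make_cert "$WORK/sha256" sha256 && echo "sha256 cert: $(cert_sigalg "$WORK/sha256.crt")"
make_cert "$WORK/sha512" sha512 && echo "sha512 cert: $(cert_sigalg "$WORK/sha512.crt")"
openssl s_server -accept 44330 -cert "$WORK/sha512.crt" -key "$WORK/sha512.key" \
    -www >/dev/null 2>&1 &
SERVER=$!
sleep 1
probe_protocols 127.0.0.1:44330
probe_sigalgs 127.0.0.1:44330 RSA+SHA512
probe_sigalgs 127.0.0.1:44330 RSA+SHA256
kill "$SERVER" 2>/dev/null || true
wait "$SERVER" 2>/dev/null || true
rm -rf "$WORK"
```

Point probe_protocols and probe_sigalgs at a real server (for example `probe_protocols example.org:443`) to reproduce the check from the thread. Two caveats about the client side: a modern openssl may be built without SSLv3 at all (shown as "unsupported by local openssl"), and OpenSSL 3 refuses TLS 1.0 and 1.1 at its default security level, so add `-cipher 'DEFAULT:@SECLEVEL=0'` to the s_client call before concluding that the server is the one rejecting those versions.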


