issue with ssl_ciphers not being respected

Maxim Dounin mdounin at
Thu Oct 16 13:10:13 UTC 2014


On Thu, Oct 16, 2014 at 03:40:44AM -0400, Jessica Litwin wrote:

> Hello
> I seem to have a bit of a problem. In my vhost's server {}; block, I have:
>     ssl_ciphers
>     ssl_prefer_server_ciphers on;
> but for some reason this doesn't seem to be respected because's
> checker says:
> "RC4 cipher is used with TLS 1.1 or newer protocols, even though stronger
> ciphers are available."
> Testing with openssl s_client shows:
> SSL-Session:
> Protocol : TLSv1.2
> Cipher : ECDHE-RSA-RC4-SHA
> My ssl_ciphers line _should_ be disallowing all RC4... so I am not sure if
> this is a bug or if I have these options in the wrong place (I tried them
> in the http{} block for grins with no effect) or if there's something
> missing from my build. Can someone provide guidance?

Configuring ssl_ciphers at http{} level should be fine - as long 
as it's not overwritten in server{} blocks.

Some trivial things to check:

- make sure ssl_ciphers isn't overwritten in server{} blocks;

- make sure you've properly reloaded your configuration.  If you
  used configuration reload (not nginx restart) - make sure to
  check logs to see if reload went fine, as nginx will revert to a
  previous configuration in case of errors.  Additionally, "nginx -t"
  may be helpful here.

- make sure you are testing the correct server.

Maxim Dounin
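
The first check in the reply above (an ssl_ciphers set at http{} level being overridden in a server{} block) can be automated. The script below is an added example, not part of the original thread: it reports which ssl_ciphers value each server{} block ends up with and where it comes from. The function names, server names and cipher strings are constructed for illustration, and it assumes one directive or brace per line.

```shell
#!/bin/sh
# Added example (not from the thread): effective ssl_ciphers per server{} block.
# Assumption: one directive or brace per line; comment stripping ignores quoting.
effective_ciphers() {   # reads nginx configuration text on stdin
    awk '
    { sub(/#.*/, "") }                       # drop comments
    /[{]/ {                                  # block opens: remember its name
        blk = $1; sub(/[{].*/, "", blk)
        ctx[++depth] = blk
        if (blk == "server") { name = "(unnamed)"; own = "" }
    }
    ctx[depth] == "server" && $1 == "server_name" { name = $2; sub(/;.*/, "", name) }
    $1 == "ssl_ciphers" {
        val = $0
        sub(/^[ \t]*ssl_ciphers[ \t]+/, "", val); sub(/[ \t]*;.*/, "", val)
        if (ctx[depth] == "http")   inherited = val
        if (ctx[depth] == "server") own = val
    }
    /[}]/ {                                  # block closes: record finished server
        if (ctx[depth] == "server") { n++; names[n] = name; owns[n] = own }
        if (depth > 0) depth--
    }
    END {                                    # inheritance does not depend on order
        for (i = 1; i <= n; i++) {
            if (owns[i] != "")        print names[i], "server-override", owns[i]
            else if (inherited != "") print names[i], "inherited-from-http", inherited
            else                      print names[i], "nginx-default", "-"
        }
    }'
}

sample_conf() {   # constructed sample, not the poster's configuration
    cat <<'EOF'
http {
    ssl_ciphers HIGH:!aNULL:!MD5:!RC4;
    server {
        server_name a.example;
    }
    server {
        server_name b.example;
        ssl_ciphers HIGH:RC4:!aNULL;   # overrides the http{} value
        location / {
            root /srv/b;
        }
    }
}
EOF
}
sample_conf | effective_ciphers
```

To check a live setup, pipe the full configuration into `effective_ciphers` instead of the sample, for example the dump printed by `nginx -T` on versions that support it.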
