issue with ssl_ciphers not being respected
stl at wiredrive.com
Fri Oct 17 23:41:41 UTC 2014
Just to be thorough, are you sure nginx is actually using the config file that you think it is? If we’re talking about your personal domain I see TLS 1.0 and SSL 3.0 available which in this snippet you have not enabled. This behavior isn’t something I’m able to replicate with the 1.7.6/1.0.1i combo.
310 823 8238 ext. 1106
310 943 2078 fax
> On Oct 17, 2014, at 4:28 PM, Jessica Litwin <jessica at litw.in> wrote:
> using openssl101j, I get the same results with the following in both my vhost config and nginx.conf
> ssl_protocols TLSv1.2 TLSv1.1;
> ssl_ciphers EECDH+aRSA+AESGCM:EECDH+aRSA+AES:EDH+aRSA+AESGCM:EDH+aRSA+AES:DES-CB
> ssl_prefer_server_ciphers on;
> RC4 cipher is used with TLS 1.1 or newer protocols, even though stronger ciphers are available.
> What the hell am I doing wrong?
> On Fri, Oct 17, 2014 at 6:14 AM, itpp2012 <nginx-forum at nginx.us <mailto:nginx-forum at nginx.us>> wrote:
> Scott Larson Wrote:
> > Something else must be going on here. Looking at your ssl_cipher
> > string, you're opening with a rough declaration of specific ciphers
> > you'll
> > support, none of which should pull in RC4. It's specific enough in
> > fact
> > that your subsequent excluded ciphers don't even come into play. To
> > test
> > this I switched in my old RSA cert, rebuilt 1.7.6 against OpenSSL
> > 1.0.1j,
> Which is why I said try 101j, between 101e and j there are big differences
> when it comes to invalid fallbacks.
> Not even mentioning using 101e is asking to be hacked.
> Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254028,254092#msg-254092 <http://forum.nginx.org/read.php?2,254028,254092#msg-254092>
> nginx mailing list
> nginx at nginx.org <mailto:nginx at nginx.org>
> http://mailman.nginx.org/mailman/listinfo/nginx <http://mailman.nginx.org/mailman/listinfo/nginx>
> Jessica K. Litwin
> jessicalitwin.com <http://jessicalitwin.com/>
> twitter: press5
> aim: press5key
> skype: dr_jkl
> nginx mailing list
> nginx at nginx.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the nginx