issue with ssl_ciphers not being respected

Jessica Litwin jessica at litw.in
Fri Oct 17 23:55:42 UTC 2014


no, not that domain. i'll contact you off-list :D

On Fri, Oct 17, 2014 at 7:41 PM, Scott Larson <stl at wiredrive.com> wrote:

>      Just to be thorough, are you sure nginx is actually using the config
> file that you think it is? If we’re talking about your personal domain I
> see TLS 1.0 and SSL 3.0 available which in this snippet you have not
> enabled. This behavior isn’t something I’m able to replicate with the
> 1.7.6/1.0.1i combo.
>
>
>
> *__________________Scott LarsonSystems AdministratorWiredrive/LA310 823
> 8238 ext. 1106 <310%20823%208238%20ext.%201106>310 943 2078
> <310%20943%202078> faxwww.wiredrive.com
> <http://www.wiredrive.com/>www.twitter.com/wiredrive
> <http://www.twitter.com/wiredrive>www.facebook.com/wiredrive
> <http://www.wiredrive.com/facebook>*
>
> On Oct 17, 2014, at 4:28 PM, Jessica Litwin <jessica at litw.in> wrote:
>
> using openssl101j, I get the same results with  the following in both my
> vhost config and nginx.conf
>
>     ssl_protocols TLSv1.2 TLSv1.1;
>     ssl_ciphers
> EECDH+aRSA+AESGCM:EECDH+aRSA+AES:EDH+aRSA+AESGCM:EDH+aRSA+AES:DES-CB
> C3-SHA:!EXP:!CAMELLIA:!DSS:!MEDIUM:!LOW:!aNULL:!eNULL:!RC4;
>     ssl_prefer_server_ciphers on;
>
> RC4 cipher is used with TLS 1.1 or newer protocols, even though stronger
> ciphers are available.
>
> What the hell am I doing wrong?
>
> On Fri, Oct 17, 2014 at 6:14 AM, itpp2012 <nginx-forum at nginx.us> wrote:
>
>> Scott Larson Wrote:
>> -------------------------------------------------------
>> > Something else must be going on here. Looking at your ssl_cipher
>> > string, you're opening with a rough declaration of specific ciphers
>> > you'll
>> > support, none of which should pull in RC4. It's specific enough in
>> > fact
>> > that your subsequent excluded ciphers don't even come into play. To
>> > test
>> > this I switched in my old RSA cert, rebuilt 1.7.6 against OpenSSL
>> > 1.0.1j,
>>
>> Which is why I said try 101j, between 101e and j there are big differences
>> when it comes to invalid fallbacks.
>> Not even mentioning using 101e is asking to be hacked.
>>
>> Posted at Nginx Forum:
>> http://forum.nginx.org/read.php?2,254028,254092#msg-254092
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
>
>
> --
> Jessica K. Litwin
> jessicalitwin.com
> twitter: press5
> aim: press5key
> skype: dr_jkl
>  _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>



-- 
Jessica K. Litwin
jessicalitwin.com
twitter: press5
aim: press5key
skype: dr_jkl
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20141017/bd053fa4/attachment-0001.html>


More information about the nginx mailing list