Bug re: openssl-1.0.1
petros.fraser at gmail.com
Mon Jan 12 21:18:51 UTC 2015
You were absolutely correct. It is working now. I changed three things. I
first forced TLS 1.0, then changed the directive ssl_protocols to
proxy_ssl_protocols as you suggested. Finally, I restricted the cipher list
as you also mentioned. I had thought that I would leave all that out and
tie things down when I got it working. I never thought being so liberal
would prevent it from working in the first place. Thanks for your thoughts.
On Mon, Jan 12, 2015 at 9:55 AM, Lukas Tribus <luky-37 at hotmail.com> wrote:
> > I did an ssldump and this is the conversation between both servers:
> This ssldump seems incomplete; there is no response. Please post the
> full ssldump.
> The bug is probably neither in openssl nor in nginx, but in the origin
> server (but we don't have the full handshake here).
> Since nginx 1.5.6, you can configure proxy_ssl_protocols and
> proxy_ssl_ciphers to configure backend SSL traffic, which may
> allow you to work around certain backend bugs.
> Certainly a lot of bogus ciphers are enabled by default in your
> setup (NULL, EXPORT, etc.).
> If you have nginx >= 1.5.6, you can probably work around this
> by forcing SSLv3 (which I would not recommend at all):
> proxy_ssl_protocols SSLv3;
> But I would rather configure a sane cipher list with
> proxy_ssl_ciphers and see to get it working with it (see ).
> Try playing with "openssl s_client -cipher <cipherlist>" to find
> a secure and working configuration.
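The fix reported in this thread, written out as an added nginx configuration example (not the poster's own config): the upstream TLS settings belong in proxy_ssl_* directives, not in ssl_protocols, which only governs the listening side. The backend name backend.example.internal and the location paths are placeholders.

```nginx
# Constructed example. Hostnames and paths are assumptions, not from the thread.

# Permissive setup of the kind described in the thread: no proxy_ssl_* directives,
# so nginx offers the library's default protocol and cipher list to the origin,
# which can include NULL and EXPORT suites and trip up a buggy origin server.
# Note that an ssl_protocols directive in the server block does not change this;
# it only applies to connections nginx accepts, not to the ones it makes upstream.
location /app-permissive/ {
    proxy_pass https://backend.example.internal/;
}

# Tightened setup (proxy_ssl_protocols and proxy_ssl_ciphers need nginx >= 1.5.6):
# pin the protocol the origin actually handles and send a short, explicit cipher list.
location /app/ {
    proxy_pass https://backend.example.internal/;

    # The poster forced TLS 1.0; prefer newer versions where the origin supports them.
    proxy_ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

    # OpenSSL cipher-list syntax: forward-secret AES suites, then exclude weak classes
    # (anonymous, NULL, EXPORT, DES, RC4, MD5) so they are never offered.
    proxy_ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5";

    # Verifying the origin's certificate (nginx >= 1.7.0) closes the gap that
    # an unverified upstream connection leaves open; the CA bundle path is a placeholder.
    proxy_ssl_verify on;
    proxy_ssl_trusted_certificate /etc/nginx/certs/origin-ca.pem;
}

# To confirm the list handshakes with the origin before deploying it, use the
# check suggested in the thread, with the same cipher string:
#   openssl s_client -connect backend.example.internal:443 -tls1 -cipher 'ECDHE-RSA-AES128-SHA:...'
```

Reload nginx after the change and compare an ssldump of the new handshake with the truncated one from the thread: the ClientHello should now carry only the listed suites and the origin should answer with a ServerHello.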