HTTP/2 without forward secrecy (Diffie-Hellman)

Max Meyer redeemerofsouls666 at
Mon Aug 15 12:32:46 UTC 2016


For a test environment I successfully set up an nginx webserver (1.11.2) 
with HTTP/2.

But for further tests I need to decrypt traffic with Wireshark using the 
server's private key.

For that I need to disable forward secrecy (since it is only a test 
environment, security is not an issue).

So I changed the "ssl_ciphers" in my /sites-enabled/default file from:

ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";

to:

ssl_ciphers "AES128-SHA";

So my configuration looks like this:

server {
    listen 443 http2;

    root /var/www/html;
    index index.php index.html index.htm;

    ssl on;
    ssl_certificate /etc/ssl/server.crt;
    ssl_certificate_key /etc/ssl/private.key;

    ssl_protocols TLSv1.2;
#   ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
    ssl_ciphers "AES128-SHA";
    ssl_prefer_server_ciphers on;
}

But now the server won't do HTTP/2 anymore; it falls back to HTTP/1.1.
I tried the same with an Apache webserver and it worked fine, so I guess 
it is not a general problem with the chosen cipher.

Any ideas on what could be the problem?
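An added check, not part of this post: it expands an nginx ssl_ciphers value with the local OpenSSL and flags, following RFC 7540 section 9.2.2 and its Appendix A black list, which suites an HTTP/2 peer may refuse (non-ephemeral key exchange or a non-AEAD cipher), which is exactly what separates the two values above. The function names classify, expand_ssl_ciphers and check_ssl_ciphers are chosen here, and tls12_only mirrors the "ssl_protocols TLSv1.2" line of the configuration.

```python
import ssl

# RFC 7540 section 9.2.2 / Appendix A: an HTTP/2 peer may reject every suite
# with non-ephemeral key exchange (RSA, static DH) or a non-AEAD cipher
# (CBC, RC4); TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 is the mandatory one.
# The markers below approximate that list from OpenSSL cipher names.
EPHEMERAL_KX = ("ECDHE", "DHE")
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")


def classify(name):
    """Classify one OpenSSL cipher-suite name such as 'AES128-SHA'."""
    if name.startswith("TLS_"):
        # TLS 1.3 suites always use (EC)DHE and an AEAD cipher.
        fs, aead = True, True
    else:
        fs = name.split("-", 1)[0] in EPHEMERAL_KX
        aead = any(m in name for m in AEAD_MARKERS)
    return {"name": name, "forward_secrecy": fs, "aead": aead,
            "http2_ok": fs and aead}


def expand_ssl_ciphers(spec, tls12_only=True):
    """Expand an nginx ssl_ciphers value with the local OpenSSL.

    Uses ssl.SSLContext.set_ciphers()/get_ciphers(), so the result follows
    the OpenSSL build just as nginx's does. tls12_only mirrors the
    'ssl_protocols TLSv1.2' line by dropping the TLS 1.3 suites.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers()
            if not (tls12_only and c["protocol"] == "TLSv1.3")]


def check_ssl_ciphers(spec, tls12_only=True):
    """Return (per-suite classifications, whether any suite allows HTTP/2)."""
    rows = [classify(n) for n in expand_ssl_ciphers(spec, tls12_only)]
    return rows, any(r["http2_ok"] for r in rows)


if __name__ == "__main__":
    # The two values from the configuration above.
    for spec in ("AES128-SHA", "HIGH:!aNULL:!MD5:!3DES"):
        rows, ok = check_ssl_ciphers(spec)
        print(f'ssl_ciphers "{spec}": HTTP/2 negotiable = {ok}')
        for r in rows:
            print(f'  {r["name"]:<32} FS={r["forward_secrecy"]!s:<5} '
                  f'AEAD={r["aead"]!s:<5} HTTP/2={r["http2_ok"]}')
```

Wireshark can also decrypt forward-secret (ECDHE) sessions from a TLS key log file (the SSLKEYLOGFILE mechanism that Firefox and Chrome support), which keeps forward secrecy and the HTTP/2-acceptable suites in place while still allowing test-traffic decryption.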

