<div dir="ltr">Hi,<div><br></div><div>Everything is loading OK and nginx -t (or service nginx configtest) shows the config is ok and I am testing the correct server.</div><div><br></div><div>Another poster suggested upgrading openssl to 1.0.1j but I'd have to build from source to do that and I'm not sure what effect it would have against nginx....</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Oct 16, 2014 at 9:10 AM, Maxim Dounin <span dir="ltr"><<a href="mailto:mdounin@mdounin.ru" target="_blank">mdounin@mdounin.ru</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello!<br>
<span class=""><br>
On Thu, Oct 16, 2014 at 03:40:44AM -0400, Jessica Litwin wrote:<br>
<br>
> Hello<br>
><br>
> I seem to have a bit of a problem. In my vhost's server {}; block, I have:<br>
><br>
> ssl_ciphers<br>
> EECDH+aRSA+AESGCM:EECDH+aRSA+AES:EDH+aRSA+AESGCM:EDH+aRSA+AES:DES-CBC3-SHA:!EXP:!CAMELLIA:!DSS:!MEDIUM:!LOW:!aNULL:!eNULL:!RC4;<br>
> ssl_prefer_server_ciphers on;<br>
><br>
> but for some reason this doesn't seem to be respected because <a href="http://ssllabs.com" target="_blank">ssllabs.com</a>'s<br>
> checker says:<br>
><br>
> "RC4 cipher is used with TLS 1.1 or newer protocols, even though stronger<br>
> ciphers are available."<br>
><br>
> Testing with openssl s_client shows:<br>
><br>
> SSL-Session:<br>
> Protocol : TLSv1.2<br>
> Cipher : ECDHE-RSA-RC4-SHA<br>
><br>
> My ssl_ciphers line _should_ be disallowing all RC4... so I am not sure if<br>
> this is a bug or if I have these options in the wrong place (I tried them<br>
> in the http{} block for grins with no effect) or if there's something<br>
> missing from my build. Can someone provide guidance?<br>
<br>
</span>Configuring ssl_ciphers at http{} level should be fine - as long<br>
as it's not overwritten in server{} blocks.<br>
<br>
Some trivial things to check:<br>
<br>
- make sure ssl_ciphers isn't overwritten in server{} blocks;<br>
<br>
- make sure you've properly reloaded your configuration. If you<br>
used configuration reload (not nginx restart) - make sure to<br>
check logs to see if reload went fine, as nginx will revert to a<br>
previous configuration in case of errors. Additionally, "nginx -t"<br>
may be helpful here.<br>
<br>
- make sure you are testing the correct server.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Maxim Dounin<br>
<a href="http://nginx.org/" target="_blank">http://nginx.org/</a><br>
</font></span><div class="HOEnZb"><div class="h5"><br>
_______________________________________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org">nginx@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr">Jessica K. Litwin<div><a href="http://jessicalitwin.com" target="_blank">jessicalitwin.com</a><div><div>twitter: press5<br>aim: press5key<br>skype: dr_jkl</div></div></div></div>
</div>
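<div>The first check in the quoted reply (ssl_ciphers being overwritten in a server{} block) can be automated. The following is an added example, not part of the thread and not nginx code: the function name, the sample configuration and the example.test host names are constructed, and the parser is a simplification that ignores quoted strings and does not follow include directives.</div>

```python
import re

# Constructed sample: the http{} list excludes RC4, one vhost replaces it.
SAMPLE_CONF = """
http {
    ssl_ciphers EECDH+aRSA+AESGCM:EECDH+aRSA+AES:!aNULL:!RC4;
    ssl_prefer_server_ciphers on;
    server {
        listen 443 ssl;
        server_name a.example.test;       # inherits the http{} list
    }
    server {
        listen 443 ssl;
        server_name b.example.test;
        ssl_ciphers HIGH:MEDIUM:!aNULL;   # replaces the http{} list
    }
}
"""

def effective_ssl_ciphers(conf):
    """Return (effective, overrides): the ssl_ciphers value in force for each
    server{} block, and the names of servers that replace the http{} value."""
    conf = re.sub(r"#[^\n]*", "", conf)                # drop comments
    tokens = re.findall(r"[{};]|[^\s{};]+", conf)      # braces, ';', words
    stack, words, servers, http_value = [], [], [], None
    for tok in tokens:
        if tok == "{":                                 # words[0] names the block
            stack.append({"name": words[0] if words else "", "d": {}})
            words = []
        elif tok == "}":
            if not stack:
                raise ValueError("unbalanced '}' in configuration")
            block, words = stack.pop(), []
            if block["name"] == "server":
                servers.append((block["d"].get("server_name", "(unnamed)"),
                                block["d"].get("ssl_ciphers")))
        elif tok == ";":                               # end of a directive
            if words and stack:
                stack[-1]["d"][words[0]] = " ".join(words[1:])
                if stack[-1]["name"] == "http" and words[0] == "ssl_ciphers":
                    http_value = " ".join(words[1:])
            words = []
        else:
            words.append(tok)
    # A server-level value replaces the inherited one; None means nginx's default.
    effective = {n: own if own is not None else http_value for n, own in servers}
    return effective, [n for n, own in servers if own is not None]
```

Each reported string can then be expanded with `openssl ciphers -v '<string>'` on the server to see whether the OpenSSL build nginx uses still includes any RC4 suite.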