<div dir="ltr"> Something else must be going on here. Looking at your ssl_cipher string, you're opening with a rough declaration of specific ciphers you'll support, none of which should pull in RC4. It's specific enough, in fact, that your subsequent excluded ciphers don't even come into play. To test this I switched in my old RSA cert, rebuilt 1.7.6 against OpenSSL 1.0.1j, and hit it with <code>nmap --script ssl-enum-ciphers <a href="http://www.ossuary.net">www.ossuary.net</a></code>; the results with your exact string and with the exclusions removed returned identical supported options from the server on both runs, none of which were RC4.<div> As for the location, in my tests this was defined within the server{} block. Without seeing your entire config, if you witness RC4 as truly being offered, my guesses would be that it's declared in a place which is being ignored so nginx falls back to the default value, there is a second less strict declaration somewhere (maybe in an include) overriding it, or there is a proxy in front which is doing the actual termination.</div><div><br></div></div><div class="gmail_extra"><br clear="all"><div><div dir="ltr"><b style="color:rgb(25,25,25)"><div style="color:rgb(0,0,0);font-weight:normal"><b style="color:rgb(25,25,25)"><font face="Lucida Grande" size="1"><div style="color:rgb(0,0,0);font-weight:normal"><span style="color:rgb(25,25,25);font-weight:bold">__________________</span></div><div style="color:rgb(0,0,0);font-weight:normal"><div style="margin:0px"><font color="#191919"><b><br></b></font></div><div style="margin:0px"><font color="#191919"><b>Scott Larson</b></font></div><div style="margin:0px"><div style="margin:0px"><font color="#007EFD"><span style="color:rgb(0,0,0)"><div style="margin:0px"><font color="#191919"><b><div style="margin:0px;font-weight:normal;color:rgb(120,120,120)"><span style="color:rgb(25,25,25)"><b><div style="margin:0px;font-weight:normal;color:rgb(120,120,120)">Systems Administrator</div></b></span></div><div 
style="margin:0px;font-weight:normal;min-height:8px"><br></div><div style="margin:0px;font-weight:normal"><b>Wiredrive/LA</b></div><div style="margin:0px;font-weight:normal"><a value="+13108238238" style="color:rgb(17,85,204)">310 823 8238 ext. 1106</a></div><div style="margin:0px;font-weight:normal"><a value="+13109432078" style="color:rgb(17,85,204)">310 943 2078</a> fax</div></b></font></div><div style="margin:0px"><font color="#2498FC"><a href="http://www.wiredrive.com/" style="color:rgb(17,85,204)" target="_blank">www.wiredrive.com</a></font></div><div style="margin:0px"><font color="#2498FC"><span style="color:rgb(0,0,0)"><div style="margin:0px;color:rgb(120,120,120)"><div style="margin:0px"><a href="http://www.twitter.com/wiredrive" style="color:rgb(17,85,204)" target="_blank"><font color="#2498FC">www.twitter.com/wiredrive</font></a></div><div style="margin:0px"><font color="#2498FC"><a href="http://www.wiredrive.com/facebook" style="color:rgb(17,85,204)" target="_blank">www.facebook.com/wiredrive</a></font></div></div></span></font></div></span></font></div></div></div></font></b></div></b></div></div>
<br><div class="gmail_quote">On Thu, Oct 16, 2014 at 2:03 PM, Jessica Litwin <span dir="ltr"><<a href="mailto:jessica@litw.in" target="_blank">jessica@litw.in</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><p dir="ltr">I can do this, but I guess my whole question was does this mean exclusion bits are broken? </p><div class="HOEnZb"><div class="h5">
<div style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"> I'm personally partial to just outright declaring my supported ciphers rather than using the exclusion bits. My personal server is aggressively strict; the setup for our production gear is much less so. Either way it allows me to know exactly what's available to clients.<div><br></div><div>For lunatics with DSA keys and LibreSSL:</div><div><br></div><div> ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256;<br></div><div><br></div><div>For more rational people with RSA keys and OpenSSL:</div><div><br></div><div> ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA;<br></div><div><br></div></div><div class="gmail_extra"><br clear="all">
<br><div class="gmail_quote">On Thu, Oct 16, 2014 at 1:28 PM, Jessica Litwin <span dir="ltr"><<a href="mailto:jessica@litw.in" target="_blank">jessica@litw.in</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I'm sure. I'm very, very sure the correct site is being tested.</div><div class="gmail_extra"><div><div><br><div class="gmail_quote">On Thu, Oct 16, 2014 at 4:23 PM, mex <span dir="ltr"><<a href="mailto:nginx-forum@nginx.us" target="_blank">nginx-forum@nginx.us</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">hi,<br>
<span><br>
> ><br>
> > - make sure you are testing correct server.<br>
> ><br>
<br>
<br>
</span>I'd suggest configuring an additional access/error log<br>
in that server {} block, to be 100% sure.<br>
<br>
<br>
regards,<br>
<br>
<br>
mex<br>
<br>
Posted at Nginx Forum: <a href="http://forum.nginx.org/read.php?2,254028,254077#msg-254077" target="_blank">http://forum.nginx.org/read.php?2,254028,254077#msg-254077</a><br>
<div><div><br>
_______________________________________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org" target="_blank">nginx@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div></div></div><span><font color="#888888">-- <br><div dir="ltr">Jessica K. Litwin<div><a href="http://jessicalitwin.com" target="_blank">jessicalitwin.com</a><div><div>twitter: press5<br>aim: press5key<br>skype: dr_jkl</div></div></div></div>
</font></span></div>
</blockquote></div><br></div>
</div>
</div></div></blockquote></div><br></div>
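The diagnosis in Scott's reply at the top of the thread (a specific cipher list leaves the exclusion bits nothing to do, and RC4 showing up usually means a second, less strict ssl_ciphers in an include, a directive in a context nginx ignores, or a proxy terminating TLS in front) can be checked against the config itself before reaching for nmap. The script below is an added example, not code from the thread or from nginx: it walks a config and its include globs, lists every ssl_ciphers directive with the block it sits in, and expands each string with the OpenSSL that Python's ssl module links, so the answer reflects the local library rather than a guess. The sample config it writes, the example.test host names and the helper names are constructed for this example.

```python
"""Added example (not from the thread): list every ssl_ciphers directive an
nginx config reaches, includes included, and expand each with local OpenSSL."""
import glob
import os
import ssl
import tempfile


def tokenize(text):
    """Split nginx config text into words plus the punctuation { } ;.
    Skips # comments and returns quoted strings without their quotes."""
    tokens, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c.isspace():
            i += 1
        elif c == "#":
            while i < n and text[i] != "\n":
                i += 1
        elif c in "{};":
            tokens.append(c)
            i += 1
        elif c in "\"'":
            j = text.index(c, i + 1)  # ValueError on an unterminated quote
            tokens.append(text[i + 1:j])
            i = j + 1
        else:
            j = i
            while j < n and not text[j].isspace() and text[j] not in "{};\"'":
                j += 1
            tokens.append(text[i:j])
            i = j
    return tokens


def find_ssl_ciphers(conf_path, prefix=None):
    """Return (file, context, cipher_string) for every ssl_ciphers directive
    reachable from conf_path; include globs resolve relative to prefix."""
    conf_path = os.path.abspath(conf_path)
    prefix = prefix or os.path.dirname(conf_path)
    found = []
    _walk(conf_path, prefix, [], found)
    return found


def _walk(path, prefix, context, found):
    with open(path) as fh:
        tokens = tokenize(fh.read())
    stack, args = list(context), []          # stack = enclosing block names
    for tok in tokens:
        if tok == "{":                       # block opener, e.g. "server {"
            stack.append(" ".join(args) or "?")
            args = []
        elif tok == "}":
            stack.pop()
            args = []
        elif tok == ";":                     # end of a directive
            if args:
                name, params = args[0], args[1:]
                where = "/".join(stack) or "(main)"
                if name == "ssl_ciphers" and params:
                    found.append((os.path.relpath(path, prefix), where, params[0]))
                elif name == "include":      # follow includes in document order
                    for pat in params:
                        if not os.path.isabs(pat):
                            pat = os.path.join(prefix, pat)
                        for inc in sorted(glob.glob(pat)):
                            _walk(inc, prefix, stack, found)
            args = []
        else:
            args.append(tok)


def rc4_offered(cipher_string):
    """Expand cipher_string with the local OpenSSL. True if an RC4 suite
    survives, False if none does, None if OpenSSL rejects the whole string
    (typical for RC4-only strings on builds compiled without RC4)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return None
    return any("RC4" in c["name"] for c in ctx.get_ciphers())


def audit(conf_path):
    return [{"file": f, "context": ctx, "ciphers": s, "rc4": rc4_offered(s)}
            for f, ctx, s in find_ssl_ciphers(conf_path)]


# Constructed sample: a strict http-level list, a stricter server, and an
# included file that quietly declares a broad alias in its own server block.
STRICT = ("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
          "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256")
MAIN_CONF = f"""# constructed sample config, not a real deployment
http {{
    ssl_ciphers {STRICT};
    ssl_prefer_server_ciphers on;
    include conf.d/*.conf;   # a second declaration may hide in here
    server {{
        listen 443 ssl;
        server_name example.test;
        ssl_ciphers "{STRICT}";
    }}
}}
"""
LEGACY_CONF = """server {
    listen 443 ssl;
    server_name legacy.example.test;
    ssl_ciphers ALL:!aNULL;   # broad alias, RC4 not excluded
}
"""


def run_sample():
    """Write the constructed config into a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "conf.d"))
        with open(os.path.join(root, "nginx.conf"), "w") as fh:
            fh.write(MAIN_CONF)
        with open(os.path.join(root, "conf.d", "legacy.conf"), "w") as fh:
            fh.write(LEGACY_CONF)
        return audit(os.path.join(root, "nginx.conf"))


if __name__ == "__main__":
    for row in run_sample():
        print(f"{row['file']:20} {row['context']:12} rc4={row['rc4']!s:5} {row['ciphers']}")
```

Run it directly to get one row per directive. A directive sitting in an unexpected context, or an include whose server block declares a broad alias such as ALL, is exactly the second, less strict declaration the reply describes; if every row is strict and the nmap scan still shows RC4, the remaining explanation on the list is a proxy terminating TLS in front of nginx. Whether RC4 appears in an expansion depends on the OpenSSL build Python links against: builds without RC4 return None for RC4-only strings, which already answers the question for that host.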