<div dir="ltr">Using openssl101j, I get the same results with the following in both my vhost config and nginx.conf <div><br></div><div><div> ssl_protocols TLSv1.2 TLSv1.1;</div><div> ssl_ciphers EECDH+aRSA+AESGCM:EECDH+aRSA+AES:EDH+aRSA+AESGCM:EDH+aRSA+AES:DES-CBC3-SHA:!EXP:!CAMELLIA:!DSS:!MEDIUM:!LOW:!aNULL:!eNULL:!RC4;</div><div> ssl_prefer_server_ciphers on;</div></div><div><br></div><div><span style="font-family:Arial,Helvetica,sans-serif;font-size:12px;font-weight:bold;line-height:21.6000003814697px;text-align:center;background-color:rgb(255,207,121)">RC4 cipher is used with TLS 1.1 or newer protocols, even though stronger ciphers are available. </span><br></div><div><span style="font-family:Arial,Helvetica,sans-serif;font-size:12px;font-weight:bold;line-height:21.6000003814697px;text-align:center;background-color:rgb(255,207,121)"><br></span></div><div>What the hell am I doing wrong? </div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Oct 17, 2014 at 6:14 AM, itpp2012 <span dir="ltr">&lt;<a href="mailto:nginx-forum@nginx.us" target="_blank">nginx-forum@nginx.us</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Scott Larson Wrote:<br>
-------------------------------------------------------<br>
<span class="">> Something else must be going on here. Looking at your ssl_cipher<br>
> string, you're opening with a rough declaration of specific ciphers you'll<br>
> support, none of which should pull in RC4. It's specific enough in fact<br>
> that your subsequent excluded ciphers don't even come into play. To test<br>
> this I switched in my old RSA cert, rebuilt 1.7.6 against OpenSSL 1.0.1j,<br>
<br>
</span>Which is why I said try 101j, between 101e and j there are big differences<br>
when it comes to invalid fallbacks.<br>
Not even mentioning using 101e is asking to be hacked.<br>
<br>
Posted at Nginx Forum: <a href="http://forum.nginx.org/read.php?2,254028,254092#msg-254092" target="_blank">http://forum.nginx.org/read.php?2,254028,254092#msg-254092</a><br>
<div class="HOEnZb"><div class="h5"><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr">Jessica K. Litwin<div><a href="http://jessicalitwin.com" target="_blank">jessicalitwin.com</a><div><div>twitter: press5<br>aim: press5key<br>skype: dr_jkl</div></div></div></div>
</div>
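An added example, not part of the thread: one way to check whether the posted ssl_ciphers string itself selects any RC4 suite is to expand it with a local OpenSSL through Python's ssl module. The wrapped "DES-CB" / "C3-SHA" fragment is assumed to be the single token DES-CBC3-SHA, the function names are illustrative, and the result reflects the OpenSSL that Python is linked against, which may differ from the one nginx was built with.

```python
import ssl

# Cipher string from the message above, with the mail client's line wrap
# ("DES-CB" / "C3-SHA") joined back into one token (assumption).
POSTED_CIPHERS = (
    "EECDH+aRSA+AESGCM:EECDH+aRSA+AES:EDH+aRSA+AESGCM:EDH+aRSA+AES:"
    "DES-CBC3-SHA:!EXP:!CAMELLIA:!DSS:!MEDIUM:!LOW:!aNULL:!eNULL:!RC4"
)


def expand(cipher_string):
    """Return the suite names the local OpenSSL enables for cipher_string,
    in priority order. Raises ssl.SSLError if the string selects nothing."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    # On OpenSSL 1.1.1+ the TLS 1.3 suites are listed too; they are not
    # controlled by this string and none of them use RC4.
    return [c["name"] for c in ctx.get_ciphers()]


def rc4_suites(names):
    """Pick the RC4 suites out of a list of OpenSSL suite names."""
    return [n for n in names if "RC4" in n.upper()]


def audit(cipher_string):
    """Expand the string and report which OpenSSL did the expansion."""
    names = expand(cipher_string)
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "suites": names,
        "rc4": rc4_suites(names),
    }


if __name__ == "__main__":
    report = audit(POSTED_CIPHERS)
    print("expanded by:", report["openssl"])
    for name in report["suites"]:
        print("  ", name)
    if report["rc4"]:
        print("RC4 suites selected by this string:", report["rc4"])
    else:
        print("no RC4 suite is selected by this string")
```
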