<div dir="ltr"><div>You were absolutely correct. It is working now. I changed three things. I firstly forced TLS 1.0 then changed the directive ssl_protocols to proxy_ssl_protocols as you suggested. Finally, I restricted to Cipher list as you also mentioned. I had thought that I would leave all that out and tie things down when I got it working. I never thought being so liberal would prevent it from working in the first place. Thanks for your thoughts.<br><br></div>Regards.<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jan 12, 2015 at 9:55 AM, Lukas Tribus <span dir="ltr"><<a href="mailto:luky-37@hotmail.com" target="_blank">luky-37@hotmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">> I did an ssldump and this is the conversation between both servers:<br>
<br>
</span>This ssldump seems incomplete, there is no response. Please post the<br>
full ssldump.<br>
<br>
The bug is probably neither in openssl nor in nginx, but in the origin<br>
server (but we don't have the full handshake here).<br>
<br>
<br>
Since nginx 1.5.6, you can configure proxy_ssl_protocols and<br>
proxy_ssl_ciphers to configure backend ssl traffic, which may<br>
allows you to workaround certain backend bugs.<br>
<br>
Certainly a lot of bogus ciphers are enabled by default in your<br>
setup (NULL, EXPORT, etc).<br>
<br>
If you have nginx>= 1.5.6, you can probably workaround this<br>
by forcing SSLv3 (which I would not recommend at all):<br>
proxy_ssl_protocols SSLv3;<br>
<br>
But I would rather configure a sane cipher list with<br>
proxy_ssl_ciphers and see to get it working with it (see [1]).<br>
<br>
Try playing with "openssl s_client -cipher <cipherlist>" to find<br>
a secure and working configuration.<br>
<br>
<br>
<br>
<br>
Regards,<br>
<br>
Lukas<br>
<br>
<br>
[1] <a href="https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations" target="_blank">https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations</a><br>
<div class="HOEnZb"><div class="h5"><br>
<br>
_______________________________________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org">nginx@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx</a><br>
</div></div></blockquote></div><br></div>