TLS 1.2 ciphers

Maxim Dounin mdounin at mdounin.ru
Wed Aug 21 18:00:12 UTC 2013


Hello!

On Wed, Aug 21, 2013 at 01:19:01PM -0400, stephan13360 wrote:

> Chrome 29 came out recently and now supports TLS 1.2. So i decided to add
> some of the new TLS 1.2 ciphers to my webserver, which are specified here:
> https://www.openssl.org/docs/apps/ciphers.html#TLS_v1_2_cipher_suites.
> 
> My current setup is: Ubuntu 10.04, Nginx 1.5.3 ,OpenSSL 1.0.1e (build
> myself)
> Config file:
> 
> server  {
>     listen 80;
>     server_name    sherbers.de;
>     return 301 https://$server_name$request_uri;
> }
> server {
>     listen 443 ssl spdy default_server;
>     server_name    sherbers.de;
> 
>     ssl_certificate /etc/ssl/private/hosteurope/www.sherbers.de.pem;
>     ssl_certificate_key /etc/ssl/private/hosteurope/www.sherbers.de.key;
>     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
>     ssl_ciphers
> ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA;
>     ssl_prefer_server_ciphers on;
>     ssl_session_cache shared:SSL:10m;
> 
> As you can see i only use ciphers with perfect forward secrecy, because why
> not. When i connect to my webserver chrome shows it is using TLS 1.2 but as
> a cipher it using ECDHE-RSA, which it was using before too when i only
> offered TLS 1.1, without any of the ECDHE-ECDSA ciphers.
> 
> Any idea why nginx doesn't offers the new cipers?

ECDSA ciphers need an ECDSA certificate to work.  As your cert is 
RSA, it RSA ciphers are used.

-- 
Maxim Dounin
http://nginx.org/en/donation.html



More information about the nginx mailing list