openssl 1.0.1 and tls1.1 and up

Miguel Clara miguelmclara at gmail.com
Tue Apr 15 13:31:56 UTC 2014


I have an nginx 1.5 install where I don't set the ssl_protocols, because,
the defaults are fine:
---> "Since versions 1.1.13 and 1.0.12, nginx uses “ssl_protocols SSLv3
TLSv1 TLSv1.1 TLSv1.2” by default."


This is what I have find to be the best for ciphers, SSLLABS seems to like
it, I would even set !RC4, but we need to still support it in this specific
server.


        # ciphers
        ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM
EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256
EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK
!SRP !DSS";







On Tue, Apr 15, 2014 at 1:31 PM, Nemesiz <nginx-forum at nginx.us> wrote:

> Hello
>
> I`m struggling with enabling tls1.1 and tls1.2. Some info:
>
> NGINX:
>
> # nginx -V
> nginx version: nginx/1.5.13
> built by gcc 4.8.1 (Ubuntu/Linaro 4.8.1-10ubuntu9)
> TLS SNI support enabled
> configure arguments: --prefix=/usr/local/nginx/1.5.13
> --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log
> --http-client-body-temp-path=/var/lib/nginx/body
> --http-fastcgi-temp-path=/var/lib/nginx/fastcgi
> --http-log-path=/var/log/nginx/access.log
> --http-proxy-temp-path=/var/lib/nginx/proxy
> --http-scgi-temp-path=/var/lib/nginx/scgi
> --http-uwsgi-temp-path=/var/lib/nginx/uwsgi
> --lock-path=/var/lock/nginx.lock
> --pid-path=/run/nginx.pid --with-pcre-jit --with-debug
> --with-http_addition_module --with-http_auth_request_module
> --with-http_dav_module --with-http_geoip_module
> --with-http_gzip_static_module --with-http_image_filter_module
> --with-http_realip_module --with-http_spdy_module --with-http_ssl_module
> --with-http_stub_status_module --with-http_sub_module
> --with-http_xslt_module --with-ipv6
> --add-module=/usr/src/nginx-modules/nginx-openssl-version
> --add-module=/usr/src/nginx-modules/testcookie-nginx-module
> --with-pcre=/usr/src/nginx-modules/pcre-8.35
> --with-openssl=/usr/src/nginx-modules/openssl-1.0.1g
>
> SSL settings:
>
> ssl_session_cache shared:SSL:50m;
> ssl_session_timeout 5m;
> ssl_dhparam /etc/nginx/ssl/dhparam.pem;
> ssl_prefer_server_ciphers on;
> ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
> ssl_ciphers
>
> 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';
> add_header Strict-Transport-Security "max-age=31536000;
> includeSubdomains;";
>
>
> https://www.ssllabs.com/ssltest/ results:
>
> Protocols
> TLS 1.2         No
> TLS 1.1         No
> TLS 1.0         Yes
> SSL 3   Yes
> SSL 2   No
>
> Any hint ?
>
> Posted at Nginx Forum:
> http://forum.nginx.org/read.php?2,249305,249305#msg-249305
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20140415/18781b5f/attachment.html>


More information about the nginx mailing list