openssl 1.0.1 and tls1.1 and up

Nemesiz nginx-forum at nginx.us
Wed Apr 16 13:42:27 UTC 2014


I found where the problem was. I thought SSL options could be different in a
virtual host. The default server settings were not overwritten.

server {
	include conf/default-settings;

	root /var/www;
	server_name "";

	ssl on;
	ssl_certificate ssl/nmz_ssl.crt;
	ssl_certificate_key ssl/nmz_ssl.key;

	ssl_session_timeout 5m;

	ssl_protocols SSLv3 TLSv1;
	ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
	ssl_prefer_server_ciphers on;

	location / {
		try_files $uri $uri/ =404;
	}

	location /smokeping/ {
		proxy_pass http://10.10.10.2/smokeping/;
	}
}

Other servers:
server {
	include conf/default-site-ssl;
	include conf/default-settings;
	ssl_certificate /etc/nginx/ssl/host.pem;
	ssl_certificate_key /etc/nginx/ssl/host.key;
....


conf/default-site-ssl:

listen 443 ssl;
ssl on;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_prefer_server_ciphers on;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers
'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";


nginx -t did not show any error.

http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols

So some SSL options cannot be overwritten?

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,249305,249341#msg-249341
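The post's finding is that the protocol list of the default server applied to every name on that address. The following shell script is an added example, not code from the post or from nginx: it probes one server name with each TLS version in turn so you can see which protocols are actually negotiated, and compare the default server's name against a virtual host on the same IP. It assumes `openssl s_client` supports `-servername`, `-tls1`, `-tls1_1` and `-tls1_2` (OpenSSL 1.0.1 or later) and that the server listens on port 443; the two transcripts embedded at the bottom are constructed, trimmed samples used only to exercise the parsing helpers offline.

```shell
#!/bin/sh
# Added example, not code from the post: check which TLS versions a name
# really negotiates on a given address. Assumes openssl s_client supports
# -servername, -tls1, -tls1_1 and -tls1_2 (OpenSSL 1.0.1 or later) and
# that the server listens on 443.

# negotiated_protocol TRANSCRIPT
# Print the "Protocol :" value from an s_client transcript, or "none"
# if no such line is present.
negotiated_protocol() {
    proto=$(printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    if [ -n "$proto" ]; then
        echo "$proto"
    else
        echo none
    fi
}

# handshake_ok TRANSCRIPT
# Exit 0 when the transcript shows a real negotiated cipher. On a failed
# handshake s_client still prints a session block, but with "Cipher : 0000".
handshake_ok() {
    printf '%s\n' "$1" | grep -Eq '^ *Cipher *: *[A-Za-z0-9-]+ *$' &&
        ! printf '%s\n' "$1" | grep -Eq '^ *Cipher *: *0000 *$'
}

# probe HOST IP FLAG
# One handshake for one protocol flag; prints accepted/rejected.
probe() {
    transcript=$(printf 'Q\n' | openssl s_client -connect "$2:443" \
        -servername "$1" "$3" 2>&1)
    if handshake_ok "$transcript"; then
        echo "$1 $3: accepted ($(negotiated_protocol "$transcript"))"
    else
        echo "$1 $3: rejected"
    fi
}

# probe_all HOST IP
# Try each protocol version in turn for one server name. Run it once for
# the default server's name and once for a virtual host on the same
# address; if both lists are identical, the default server's ssl_protocols
# are the ones in effect, which is what the post above observed.
probe_all() {
    for flag in -tls1 -tls1_1 -tls1_2; do
        probe "$1" "$2" "$flag"
    done
}

# Constructed, trimmed transcripts (not real captures) used to exercise
# the parsing helpers without network access.
SAMPLE_ACCEPTED='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'

SAMPLE_REJECTED='error:SSL routines:wrong version number (constructed)
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000'

# Usage: sh probe.sh HOST IP  (file name and arguments are hypothetical)
if [ "$#" -eq 2 ]; then
    probe_all "$1" "$2"
fi
```

A rejected handshake still produces a session block in s_client output, so the script keys on the `Cipher : 0000` placeholder rather than on the exit status; `nginx -t` only validates syntax, and a probe like this is the way to confirm the protocol list that clients actually get for each name.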
