nginx centos build only supports SSLv3 and ignores ssl_protocols

mayak mayak at australsat.com
Wed Oct 1 20:45:59 UTC 2014


On 10/01/2014 08:45 PM, Lukas Tribus wrote:
>> btw, it seems impossible to have
>>
>> ...
>> ssl_protocols TLSv1.2;
>> ...
>>
>> and a testresult of
>>
>> SSLv2 NOT offered (ok)
>> SSLv3 offered
>> TLSv1 not offered
>> TLSv1.1 not offered
>> TLSv1.2 not offered
> No, its very possible. A SSL_CTX_set_ssl_version() call can fail,
> or the call itself can be #ifdef'ed out.
>
>
>
>> iirc, openssl 1.0.1e should be able to provide tls 1.2, so
>> it seems quite strange
> It may be:
> - the nginx centos 6 RPM is linked against openssl 0.9.8 AND
> - when using a source build, you didn't stop and start the correct executable AND/OR
> - you have some library mismatch/mess on your system
>
>
> If you don't care about the possible mess on your system and want a fast fix,
> just build it statically, as previously suggested.
>
>
>
>
hi lukas, hi mex,

- there is definetely something strange -- this is a vanilla install -- for testing -- i installed apache on the same machine and ran it on port 444 for an ssl host. it works as expected. that would seem to indicate the ssl libraries, etc, are in good shape.

- if you point a mozilla firefox 32.0.3 to this site, you get:
> Secure Connection Failed
>
> An error occurred during a connection to domain.com. SSL peer selected a cipher suite disallowed for the selected protocol version. (Error code: ssl_error_cipher_disallowed_for_version)
>
>     The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
>     Please contact the website owners to inform them of this problem.
- i am going to generate some different certs -- mine are insane -- 4096 key, 4096 dh, sha512 sig -- perhaps the problem lies there. although, why would apache work and not nginx?

will report back tomorrow.

thanks!

m



More information about the nginx mailing list