issue with ssl_ciphers not being respected

Jessica Litwin jessica at litw.in
Thu Oct 16 07:40:44 UTC 2014


Hello

I seem to have a bit of a problem. In my vhost's server {}; block, I have:

    ssl_ciphers
EECDH+aRSA+AESGCM:EECDH+aRSA+AES:EDH+aRSA+AESGCM:EDH+aRSA+AES:DES-CBC3-SHA:!EXP:!CAMELLIA:!DSS:!MEDIUM:!LOW:!aNULL:!eNULL:!RC4;
    ssl_prefer_server_ciphers on;

but for some reason this doesn't seem to be respected because ssllabs.com's
checker says:

"RC4 cipher is used with TLS 1.1 or newer protocols, even though stronger
ciphers are available."

Testing with openssl s_client shows:

SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-RC4-SHA

My ssl_ciphers line _should_ be disallowing all RC4... so I am not sure if
this is a bug or if I have these options in the wrong place (I tried them
in the http{} block for grins with no effect) or if there's something
missing from my build. Can someone provide guidance?

TIA.

-jkl


root at dreamer:~# which nginx
/usr/sbin/nginx

root at dreamer:~# /usr/sbin/nginx -V
nginx version: nginx/1.7.6
built by gcc 4.7.2 (Debian 4.7.2-5)
TLS SNI support enabled
configure arguments: --prefix=/opt/nginx --with-http_ssl_module
--with-http_gzip_static_module --with-http_stub_status_module
--with-cc-opt=-Wno-error
--add-module=/usr/local/rvm/gems/ruby-2.1.3/gems/passenger-4.0.53/ext/nginx
--sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf
--error-log-path=/var/log/nginx/error.log
--http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid
--lock-path=/var/run/nginx.lock
--http-client-body-temp-path=/var/cache/nginx/client_temp
--http-proxy-temp-path=/var/cache/nginx/proxy_temp
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp
--http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx
--with-http_ssl_module --with-http_realip_module
--with-http_addition_module --with-http_sub_module --with-http_dav_module
--with-http_flv_module --with-http_mp4_module --with-http_gunzip_module
--with-http_gzip_static_module --with-http_random_index_module
--with-http_secure_link_module --with-http_stub_status_module --with-mail
--with-mail_ssl_module --with-file-aio --with-http_spdy_module
--with-cc-opt='-s -O3 -fstack-protector --param=ssp-buffer-size=4 -Wformat
-Werror=format-security -Wno-error=maybe-uninitialized
-Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt=-Wl,-z,relro --with-ipv6
--add-module=/opt/build/naxsi-master/naxsi_src

root at dreamer:~# ldd /usr/sbin/nginx
        linux-vdso.so.1 =>  (0x00007fffb808d000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0
(0x00007f6f3cf7a000)
        libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1
(0x00007f6f3cd43000)
        libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6
(0x00007f6f3ca3b000)
        libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f6f3c7b9000)
        librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f6f3c5b1000)
        libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3
(0x00007f6f3c373000)
        libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
(0x00007f6f3c113000)
        libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
(0x00007f6f3bd1b000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f6f3bb16000)
        libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f6f3b8ff000)
        libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1
(0x00007f6f3b6e9000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f6f3b35d000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f6f3d1a0000)

root at dreamer:~# openssl version
OpenSSL 1.0.1e 11 Feb 2013
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20141016/7c1d9c0a/attachment-0001.html>


More information about the nginx mailing list