issue with ssl_ciphers not being respected
Maxim Dounin
mdounin at mdounin.ru
Thu Oct 16 13:10:13 UTC 2014
Hello!
On Thu, Oct 16, 2014 at 03:40:44AM -0400, Jessica Litwin wrote:
> Hello
>
> I seem to have a bit of a problem. In my vhost's server {}; block, I have:
>
> ssl_ciphers
> EECDH+aRSA+AESGCM:EECDH+aRSA+AES:EDH+aRSA+AESGCM:EDH+aRSA+AES:DES-CBC3-SHA:!EXP:!CAMELLIA:!DSS:!MEDIUM:!LOW:!aNULL:!eNULL:!RC4;
> ssl_prefer_server_ciphers on;
>
> but for some reason this doesn't seem to be respected because ssllabs.com's
> checker says:
>
> "RC4 cipher is used with TLS 1.1 or newer protocols, even though stronger
> ciphers are available."
>
> Testing with openssl s_client shows:
>
> SSL-Session:
> Protocol : TLSv1.2
> Cipher : ECDHE-RSA-RC4-SHA
>
> My ssl_ciphers line _should_ be disallowing all RC4... so I am not sure if
> this is a bug or if I have these options in the wrong place (I tried them
> in the http{} block for grins with no effect) or if there's something
> missing from my build. Can someone provide guidance?
Configuring ssl_ciphers at http{} level should be fine - as long
as it's not overwritten in server{} blocks.
Some trivial things to check:
- make sure ssl_ciphers isn't overwritten in server{} blocks;
- make sure you've properly reloaded your configuration. If you
used configuration reload (not nginx restart) - make sure to
check logs to see if reload went fine, as nginx will revert to a
previous configuration in case of errors. Additionally, "nginx -t"
may be helpful here.
- make sure you are testing the correct server.
--
Maxim Dounin
http://nginx.org/
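As an added illustration of the first item on Maxim's checklist (example code, not from the thread or from nginx): a small Python audit that walks an nginx configuration, reports every ssl_ciphers directive together with the block it lives in, and flags cipher lists that could still admit RC4. The sample config, the parser and the heuristic are constructed for this example; the heuristic only approximates OpenSSL cipher-string semantics, so confirm any hit with `openssl ciphers -v '<list>'`.

```python
import re
# Constructed sample: http{} forbids RC4, but a server{} block overrides ssl_ciphers.
SAMPLE_CONF = """
http {
    ssl_ciphers EECDH+aRSA+AESGCM:EECDH+aRSA+AES:!aNULL:!eNULL:!RC4;
    server {
        server_name legacy.example;
        ssl_ciphers "ALL:!aNULL:!eNULL";  # overrides; RC4 is not excluded here
    }
}
"""
# OpenSSL aliases whose expansion (in OpenSSL 1.0.x) includes RC4 suites.
BROAD_ALIASES = {"ALL", "DEFAULT", "COMPLEMENTOFDEFAULT", "MEDIUM", "RC4", "SSLv3", "TLSv1"}

def parse_blocks(conf):
    """Minimal nginx config parser: a tree of blocks, each holding its own directives."""
    stack = [{"name": "root", "directives": {}, "children": []}]
    # Strip comments first: a '#' comment may contain ';' or '{' and would confuse the tokenizer.
    for body, term in re.findall(r"\s*([^{};]*?)\s*([{;}])", re.sub(r"#.*", "", conf)):
        if term == "{":
            node = {"name": body, "directives": {}, "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
        elif term == ";" and body:
            name, *args = body.split()
            stack[-1]["directives"][name] = [a.strip("\"'") for a in args]
        elif term == "}":
            stack.pop()
    return stack[0]

def may_allow_rc4(cipher_string):
    """Heuristic: no '!RC4' term, and an explicit RC4 suite or a broad alias is present."""
    terms = cipher_string.split(":")
    return "!RC4" not in terms and any("RC4" in t or t.lstrip("+") in BROAD_ALIASES for t in terms)

def audit_ssl_ciphers(conf):
    """Return (context, cipher_string, rc4_possible) for every ssl_ciphers directive."""
    findings = []
    def walk(node, path):
        label = node["name"]
        if label == "server":  # name the vhost so an override is easy to locate
            label += " " + " ".join(node["directives"].get("server_name", ["(unnamed)"]))
        path = path + [label]
        for cs in node["directives"].get("ssl_ciphers", [])[:1]:
            findings.append((" > ".join(path[1:]), cs, may_allow_rc4(cs)))
        for child in node["children"]:
            walk(child, path)
    walk(parse_blocks(conf), [])
    return findings
```

Run it against the real config tree (after `nginx -t` passes) and every context reported as "RC4 possible" is a block whose own ssl_ciphers overrides the http{} setting.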