issue with ssl_ciphers not being respected

Jessica Litwin jessica at litw.in
Thu Oct 16 17:31:06 UTC 2014


Hi,

Everything is loading OK and nginx -t (or service nginx configtest) show
the config is ok and I am testing the correct server.

Another poster suggested upgrading openssl to 1.0.1j but I'd have to build
from source to do that and I'm not sure what effect it would have against
nginx....

On Thu, Oct 16, 2014 at 9:10 AM, Maxim Dounin <mdounin at mdounin.ru> wrote:

> Hello!
>
> On Thu, Oct 16, 2014 at 03:40:44AM -0400, Jessica Litwin wrote:
>
> > Hello
> >
> > I seem to have a bit of a problem. In my vhost's server {}; block, I have:
> >
> >     ssl_ciphers EECDH+aRSA+AESGCM:EECDH+aRSA+AES:EDH+aRSA+AESGCM:EDH+aRSA+AES:DES-CBC3-SHA:!EXP:!CAMELLIA:!DSS:!MEDIUM:!LOW:!aNULL:!eNULL:!RC4;
> >     ssl_prefer_server_ciphers on;
> >
> > but for some reason this doesn't seem to be respected because ssllabs.com's
> > checker says:
> >
> > "RC4 cipher is used with TLS 1.1 or newer protocols, even though stronger
> > ciphers are available."
> >
> > Testing with openssl s_client shows:
> >
> > SSL-Session:
> > Protocol : TLSv1.2
> > Cipher : ECDHE-RSA-RC4-SHA
> >
> > My ssl_ciphers line _should_ be disallowing all RC4... so I am not sure if
> > this is a bug or if I have these options in the wrong place (I tried them
> > in the http{} block for grins with no effect) or if there's something
> > missing from my build. Can someone provide guidance?
>
> Configuring ssl_ciphers at http{} level should be fine - as long
> as it's not overwritten in server{} blocks.
>
> Some trivial things to check:
>
> - make sure ssl_ciphers isn't overwritten in server{} blocks;
>
> - make sure you've properly reloaded your configuration.  If you
>   used configuration reload (not nginx restart) - make sure to
>   check logs to see if reload went fine, as nginx will revert to a
>   previous configuration in case of errors.  Additionally, "nginx -t"
>   may be helpful here.
>
> - make sure you are testing correct server.
>
> --
> Maxim Dounin
> http://nginx.org/
>



-- 
Jessica K. Litwin
jessicalitwin.com
twitter: press5
aim: press5key
skype: dr_jkl
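A shell diagnostic for the checks Maxim lists in the quoted reply, added here as an example and not taken from the thread: it finds every ssl_ciphers directive in the config tree (so a server{} override of the http{} setting shows up), expands the configured cipher string with `openssl ciphers` to see whether any RC4 suite survives, and parses `openssl s_client` output for the cipher that was actually negotiated. The /etc/nginx path and the hostname are placeholders, and the sample s_client output is constructed from the report.

```shell
#!/bin/sh
# Added diagnostic for the checks in the thread (not from the thread itself).
# /etc/nginx and the hostname are placeholders; the s_client sample is constructed.

# Print "file:line:directive" for each ssl_ciphers line under a config directory,
# so an override inside a server{} block is visible next to the http{} setting.
list_ssl_ciphers_directives() {
    grep -rnE '^[[:space:]]*ssl_ciphers[[:space:]]' "${1:-/etc/nginx}" 2>/dev/null
}

# Count the RC4 suites an OpenSSL cipher-spec string still expands to (0 is the goal).
spec_rc4_count() {
    openssl ciphers -v "$1" 2>/dev/null | grep -c 'RC4' || true
}

# Extract the "Cipher :" value from an s_client session block read on stdin.
negotiated_cipher() {
    sed -nE 's/^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*([A-Za-z0-9-]+).*$/\1/p' | head -n 1
}

# Succeed (exit 0) when a cipher name is an RC4 suite, the condition the report flagged.
uses_rc4() {
    case "$1" in
        *RC4*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Probe a live server while offering only RC4 suites; a server that honours the
# ssl_ciphers line from the thread refuses the handshake and this prints nothing.
probe_rc4() {
    printf 'Q\n' | openssl s_client -connect "$1:${2:-443}" -servername "$1" \
        -cipher 'RC4' 2>/dev/null | negotiated_cipher
}

# Constructed sample modelled on the s_client output quoted in the report.
SAMPLE_SCLIENT_OUTPUT='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-RC4-SHA'

# Run the offline part of the check when invoked with --demo.
if [ "${1:-}" = "--demo" ]; then
    c=$(printf '%s\n' "$SAMPLE_SCLIENT_OUTPUT" | negotiated_cipher)
    uses_rc4 "$c" && echo "negotiated $c: RC4 still offered; look for a server{} ssl_ciphers override"
fi
```

Run `spec_rc4_count` on the exact ssl_ciphers string from the vhost to confirm the spec itself excludes RC4; if it does but `probe_rc4` still returns a cipher, the running nginx is not using that directive.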