issue with ssl_ciphers not being respected

Jessica Litwin jessica at litw.in
Thu Oct 16 21:03:06 UTC 2014


I can do this, but I guess my whole question was does this mean exclusion
bits are broken?

I'm personally partial to just outright declaring my supported ciphers
rather than using the exclusion bits. My personal server is aggressively
strict, the setup for our production gear is much less so. Either way it
allows me to know exactly what's available to clients.

For lunatics with DSA keys and LibreSSL:

     ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256;

For more rational people with RSA keys and OpenSSL:

     ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA;




__________________
Scott Larson
Systems Administrator
Wiredrive/LA
310 823 8238 ext. 1106
310 943 2078 fax
www.wiredrive.com <http://www.wiredrive.com/>
www.twitter.com/wiredrive <http://www.twitter.com/wiredrive>
www.facebook.com/wiredrive <http://www.wiredrive.com/facebook>

On Thu, Oct 16, 2014 at 1:28 PM, Jessica Litwin <jessica at litw.in> wrote:

> I'm sure. I'm very, very sure the correct site is being tested.
>
> On Thu, Oct 16, 2014 at 4:23 PM, mex <nginx-forum at nginx.us> wrote:
>
>> hi,
>>
>> > >
>> > > - make sure you are testing correct server.
>> > >
>>
>>
>> i'd suggest to configure an additional access/error-log
>> in that server {}  -  block, to be 100% sure.
>>
>>
>> regards,
>>
>>
>> mex
>>
>> Posted at Nginx Forum:
>> http://forum.nginx.org/read.php?2,254028,254077#msg-254077
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
>
>
> --
> Jessica K. Litwin
> jessicalitwin.com
> twitter: press5
> aim: press5key
> skype: dr_jkl
>
>
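
To confirm what an explicit list like the ones in this message actually makes available, the following added example (not part of the original message) expands a cipher string with the OpenSSL library that Python's ssl module is linked against and reports list entries that select nothing. It assumes that library matches the one nginx is built with; `expand` and `unmatched_tokens` are names chosen for this example.

```python
import ssl


def expand(cipher_string):
    """Return the TLS 1.2-and-below suites this build selects for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        # Accept the value as written in nginx.conf, trailing ';' included.
        ctx.set_ciphers(cipher_string.strip().rstrip(";"))
    except ssl.SSLError:
        return []  # nothing in this build matches the string
    # TLS 1.3 suites are configured separately and are always listed; drop them.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def unmatched_tokens(cipher_string):
    """List entries of an explicit cipher list that select no cipher on their own.

    Entries starting with '!', '-', '+' or '@' are operators, not cipher
    names, so they are skipped rather than tested in isolation.
    """
    tokens = [t for t in cipher_string.strip().rstrip(";").split(":") if t]
    return [t for t in tokens if t[0] not in "!-+@" and not expand(t)]


if __name__ == "__main__":
    # RSA list quoted from the message above.
    rsa_list = (
        "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
        "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:"
        "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128:DHE-RSA-AES256-SHA:"
        "DHE-RSA-AES128-SHA:DES-CBC3-SHA;"
    )
    print("linked library:", ssl.OPENSSL_VERSION)
    print("enabled, in preference order:")
    for name in expand(rsa_list):
        print("   ", name)
    print("entries matching nothing:", unmatched_tokens(rsa_list))
```

An entry that matches nothing is skipped silently when it sits in a longer list, so the enabled set can be smaller than the list suggests; the result also depends on how the library was built.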

