issue with ssl_ciphers not being respected

itpp2012 nginx-forum at
Fri Oct 17 10:14:24 UTC 2014

Scott Larson Wrote:
> Something else must be going on here. Looking at your ssl_cipher
> string, you're opening with a rough declaration of specific ciphers
> you'll
> support, none of which should pull in RC4. It's specific enough in
> fact
> that your subsequent excluded ciphers don't even come into play. To
> test
> this I switched in my old RSA cert, rebuilt 1.7.6 against OpenSSL
> 1.0.1j,

Which is why I said try 101j, between 101e and j there are big differences
when it comes to invalid fallbacks.
Not even mentioning using 101e is asking to be hacked.

Posted at Nginx Forum:,254028,254092#msg-254092

More information about the nginx mailing list