issue with ssl_ciphers not being respected
Jessica Litwin
jessica at litw.in
Fri Oct 17 23:28:50 UTC 2014
using openssl101j, I get the same results with the following in both my
vhost config and nginx.conf
ssl_protocols TLSv1.2 TLSv1.1;
ssl_ciphers
EECDH+aRSA+AESGCM:EECDH+aRSA+AES:EDH+aRSA+AESGCM:EDH+aRSA+AES:DES-CB
C3-SHA:!EXP:!CAMELLIA:!DSS:!MEDIUM:!LOW:!aNULL:!eNULL:!RC4;
ssl_prefer_server_ciphers on;
RC4 cipher is used with TLS 1.1 or newer protocols, even though stronger
ciphers are available.
What the hell am I doing wrong?
On Fri, Oct 17, 2014 at 6:14 AM, itpp2012 <nginx-forum at nginx.us> wrote:
> Scott Larson Wrote:
> -------------------------------------------------------
> > Something else must be going on here. Looking at your ssl_cipher
> > string, you're opening with a rough declaration of specific ciphers
> > you'll
> > support, none of which should pull in RC4. It's specific enough in
> > fact
> > that your subsequent excluded ciphers don't even come into play. To
> > test
> > this I switched in my old RSA cert, rebuilt 1.7.6 against OpenSSL
> > 1.0.1j,
>
> Which is why I said try 101j, between 101e and j there are big differences
> when it comes to invalid fallbacks.
> Not even mentioning using 101e is asking to be hacked.
>
> Posted at Nginx Forum:
> http://forum.nginx.org/read.php?2,254028,254092#msg-254092
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
--
Jessica K. Litwin
jessicalitwin.com
twitter: press5
aim: press5key
skype: dr_jkl
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20141017/7ef172b6/attachment.html>
More information about the nginx
mailing list