issue with ssl_ciphers not being respected
Jessica Litwin
jessica at litw.in
Sat Oct 18 00:17:36 UTC 2014
This was fun...
I found a subdomain's vhost was allowing RC4, and fixing that made the RC4 alert
go away when scanning the main site. I think this might be an issue with the
way the Qualys scanner works. Thank you all for helping & kudos to Scott
Larson for putting up with me :)
-jkl
On Fri, Oct 17, 2014 at 7:41 PM, Scott Larson <stl at wiredrive.com> wrote:
> Just to be thorough, are you sure nginx is actually using the config
> file that you think it is? If we’re talking about your personal domain I
> see TLS 1.0 and SSL 3.0 available which in this snippet you have not
> enabled. This behavior isn’t something I’m able to replicate with the
> 1.7.6/1.0.1i combo.
>
> __________________
> Scott Larson
> Systems Administrator
> Wiredrive/LA
> 310 823 8238 ext. 1106
> 310 943 2078 fax
> www.wiredrive.com
> www.twitter.com/wiredrive
> www.facebook.com/wiredrive
>
> On Oct 17, 2014, at 4:28 PM, Jessica Litwin <jessica at litw.in> wrote:
>
> using openssl101j, I get the same results with the following in both my
> vhost config and nginx.conf
>
> ssl_protocols TLSv1.2 TLSv1.1;
> ssl_ciphers EECDH+aRSA+AESGCM:EECDH+aRSA+AES:EDH+aRSA+AESGCM:EDH+aRSA+AES:DES-CBC3-SHA:!EXP:!CAMELLIA:!DSS:!MEDIUM:!LOW:!aNULL:!eNULL:!RC4;
> ssl_prefer_server_ciphers on;
>
> RC4 cipher is used with TLS 1.1 or newer protocols, even though stronger
> ciphers are available.
>
> What the hell am I doing wrong?
>
> On Fri, Oct 17, 2014 at 6:14 AM, itpp2012 <nginx-forum at nginx.us> wrote:
>
>> Scott Larson Wrote:
>> -------------------------------------------------------
>> > Something else must be going on here. Looking at your ssl_cipher
>> > string, you're opening with a rough declaration of specific ciphers you'll
>> > support, none of which should pull in RC4. It's specific enough in fact
>> > that your subsequent excluded ciphers don't even come into play. To test
>> > this I switched in my old RSA cert, rebuilt 1.7.6 against OpenSSL 1.0.1j,
>>
>> Which is why I said try 101j, between 101e and j there are big differences
>> when it comes to invalid fallbacks.
>> Not even mentioning using 101e is asking to be hacked.
>>
>> Posted at Nginx Forum:
>> http://forum.nginx.org/read.php?2,254028,254092#msg-254092
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
> --
> Jessica K. Litwin
> jessicalitwin.com
> twitter: press5
> aim: press5key
> skype: dr_jkl
>
--
Jessica K. Litwin
jessicalitwin.com
twitter: press5
aim: press5key
skype: dr_jkl
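The resolution above (one vhost had a different, weaker TLS policy, and the scanner was hitting it) is easy to miss when you only read the server block you think is being served. The script below is an added example, not code from this thread or from the nginx project: it parses an nginx config, resolves the ssl_* directives every server block inherits from the http context, flags blocks whose effective policy is weaker than intended, and reports which block nginx picks for a connection whose SNI name matches no server_name. The config in SAMPLE_CONF is constructed for the example; the http-level directives are the ones from the thread, and old.example.com is a hypothetical legacy vhost.

```python
"""Per-vhost TLS policy audit for an nginx config (added example, not nginx code).
Resolves the ssl_* directives each server block inherits from the http context,
flags blocks whose effective policy is weaker than intended, and shows which block
answers a connection whose SNI name matches no server_name."""
import re

SSL_DIRECTIVES = ("ssl_protocols", "ssl_ciphers", "ssl_prefer_server_ciphers")
# OpenSSL group aliases that can include RC4 suites unless !RC4 is also present.
BROAD_ALIASES = {"ALL", "DEFAULT", "COMPLEMENTOFDEFAULT", "HIGH", "MEDIUM", "LOW"}
TOKEN_RE = re.compile(r"""#[^\n]*|"[^"]*"|'[^']*'|[{};]|[^\s{};#"']+""")

# Constructed sample: the http-level policy is the one from the thread, but a
# hypothetical legacy vhost on the same port overrides it with weaker settings.
SAMPLE_CONF = """
http {
    ssl_protocols TLSv1.2 TLSv1.1;
    ssl_ciphers EECDH+aRSA+AESGCM:EECDH+aRSA+AES:EDH+aRSA+AESGCM:EDH+aRSA+AES:DES-CBC3-SHA:!EXP:!CAMELLIA:!DSS:!MEDIUM:!LOW:!aNULL:!eNULL:!RC4;
    ssl_prefer_server_ciphers on;
    server {
        listen 443 ssl;
        server_name example.com;        # the main site that was scanned
    }
    server {
        listen 443 ssl;
        server_name old.example.com;    # legacy vhost with its own policy
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:MEDIUM:!aNULL; # MEDIUM includes RC4 on OpenSSL 1.0.x
    }
    server {
        listen 80;                      # plain HTTP: not audited
        server_name example.com;
    }
}
"""

def tokenize(text):
    """Split nginx syntax into words, quoted strings and the { } ; delimiters."""
    return [t.strip("\"'") for t in TOKEN_RE.findall(text) if not t.startswith("#")]

def parse(tokens, pos=0):
    """Recursive descent over tokens; item = (name, args, children or None)."""
    items = []
    while pos < len(tokens) and tokens[pos] != "}":
        end = pos
        while tokens[end] not in ("{", ";"):
            end += 1
        name, args = tokens[pos], tokens[pos + 1:end]
        if tokens[end] == "{":
            children, pos = parse(tokens, end + 1)
            items.append((name, args, children))
        else:
            items.append((name, args, None))
            pos = end + 1
    return items, pos + 1

def collect_servers(items, inherited=None, out=None):
    """Return one dict per server block with its *effective* ssl_* directives."""
    inherited = dict(inherited or {})
    out = [] if out is None else out
    for name, args, children in items:           # this level's ssl_* override
        if children is None and name in SSL_DIRECTIVES:
            inherited[name] = " ".join(args)
    for name, args, children in items:
        if children is None:
            continue
        if name != "server":
            collect_servers(children, inherited, out)
            continue
        srv = dict(inherited, server_name="(none)", listen=[])
        for n, a, c in children:
            if c is None and n == "server_name":
                srv["server_name"] = " ".join(a)
            elif c is None and n == "listen":
                srv["listen"].append(" ".join(a))
            elif c is None and n in SSL_DIRECTIVES:
                srv[n] = " ".join(a)
        out.append(srv)
    return out

def tls_listener(listen):
    parts = listen.split()
    return "ssl" in parts or parts[0].rsplit(":", 1)[-1] == "443"

def default_servers(servers):
    """address -> server_name nginx uses when SNI matches no server_name
    (first block in file order, unless one is marked default_server)."""
    chosen = {}
    for s in servers:
        for l in s["listen"]:
            parts = l.split()
            if parts[0] not in chosen or "default_server" in parts:
                chosen[parts[0]] = s["server_name"]
    return chosen

def audit(servers, allowed_protocols=("TLSv1.2", "TLSv1.1")):
    """List (server_name, problem) for every TLS vhost with a weak effective policy."""
    findings = []
    for s in servers:
        if not any(tls_listener(l) for l in s["listen"]):
            continue
        name, protos, ciphers = s["server_name"], s.get("ssl_protocols"), s.get("ssl_ciphers")
        if protos:
            weak = [p for p in protos.split() if p not in allowed_protocols]
            if weak:
                findings.append((name, "weak protocols enabled: " + " ".join(weak)))
        if ciphers is None:
            findings.append((name, "no effective ssl_ciphers; compiled-in default applies"))
            continue
        entries = ciphers.split(":")
        positive = [e for e in entries if not e.startswith("!")]
        if any("RC4" in e for e in positive):
            findings.append((name, "RC4 explicitly enabled: " + ciphers))
        elif "!RC4" not in entries and any(
                a in BROAD_ALIASES for e in positive for a in e.split("+")):
            findings.append((name, "broad alias without !RC4: " + ciphers))
    return findings

if __name__ == "__main__":
    servers = collect_servers(parse(tokenize(SAMPLE_CONF))[0])
    for addr, name in default_servers(servers).items():
        print(f"default server for {addr}: {name}")
    for name, problem in audit(servers):
        print(f"{name}: {problem}")
```

On the sample, example.com is clean but old.example.com is reported twice (SSLv3/TLSv1 enabled, and a HIGH:MEDIUM string with no !RC4), which is the situation the thread ended up describing. The alias heuristic is deliberately conservative; the definitive expansion of any cipher string is `openssl ciphers -v '<string>'` run with the same OpenSSL build nginx links against, since the meaning of aliases such as MEDIUM differs between versions. The default-server report matters because a client that connects without SNI, or with a name matching no server_name, is answered by the first block for that address, not by the block you were looking at.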