Bug re: openssl-1.0.1

Lukas Tribus luky-37 at hotmail.com
Mon Jan 12 17:55:54 UTC 2015

> I did an ssldump and this is the conversation between both servers:

This ssldump seems incomplete, there is no response. Please post the
full ssldump.

The bug is probably neither in openssl nor in nginx, but in the origin
server (but we don't have the full handshake here).

Since nginx 1.5.6, you can configure proxy_ssl_protocols and
proxy_ssl_ciphers to configure backend ssl traffic, which may
allows you to workaround certain backend bugs.

Certainly a lot of bogus ciphers are enabled by default in your
setup (NULL, EXPORT, etc).

If you have nginx>= 1.5.6, you can probably workaround this
by forcing SSLv3 (which I would not recommend at all):
proxy_ssl_protocols SSLv3;

But I would rather configure a sane cipher list with
proxy_ssl_ciphers and see to get it working with it (see [1]).

Try playing with "openssl s_client -cipher <cipherlist>" to find
a secure and working configuration.



[1] https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations


More information about the nginx mailing list