Bug re: openssl-1.0.1

Peter Fraser petros.fraser at gmail.com
Mon Jan 12 21:18:51 UTC 2015


You were absolutely correct. It is working now. I changed three things. I
firstly forced TLS 1.0 then changed the directive ssl_protocols to
proxy_ssl_protocols as you suggested. Finally, I restricted the cipher list
as you also mentioned. I had thought that I would leave all that out and
tie things down when I got it working. I never thought being so liberal
would prevent it from working in the first place. Thanks for your thoughts.

Regards.

On Mon, Jan 12, 2015 at 9:55 AM, Lukas Tribus <luky-37 at hotmail.com> wrote:

> > I did an ssldump and this is the conversation between both servers:
>
> This ssldump seems incomplete, there is no response. Please post the
> full ssldump.
>
> The bug is probably neither in openssl nor in nginx, but in the origin
> server (but we don't have the full handshake here).
>
>
> Since nginx 1.5.6, you can configure proxy_ssl_protocols and
> proxy_ssl_ciphers to configure backend ssl traffic, which may
> allow you to work around certain backend bugs.
>
> Certainly a lot of bogus ciphers are enabled by default in your
> setup (NULL, EXPORT, etc).
>
> If you have nginx >= 1.5.6, you can probably work around this
> by forcing SSLv3 (which I would not recommend at all):
> proxy_ssl_protocols SSLv3;
>
> But I would rather configure a sane cipher list with
> proxy_ssl_ciphers and see to get it working with it (see [1]).
>
> Try playing with "openssl s_client -cipher <cipherlist>" to find
> a secure and working configuration.
>
>
>
>
> Regards,
>
> Lukas
>
>
> [1]
> https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
>

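The distinction this thread turned on, shown as an added example that is not taken from either poster's configuration: `ssl_protocols`/`ssl_ciphers` govern the client-facing listener, while `proxy_ssl_protocols`/`proxy_ssl_ciphers` govern the handshake nginx makes to the origin. The host names, certificate paths and cipher string below are assumptions.

```nginx
server {
    listen 443 ssl;
    server_name proxy.example.com;                 # hypothetical name

    ssl_certificate     /etc/nginx/tls/proxy.crt;  # hypothetical paths
    ssl_certificate_key /etc/nginx/tls/proxy.key;

    # Client-facing side: applies to clients connecting to nginx.
    # These two directives do NOT affect the connection to the origin,
    # so setting only these leaves the backend handshake at its defaults.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers   HIGH:!aNULL:!eNULL:!EXPORT:!MD5;

    location / {
        proxy_pass https://origin.example.internal;   # hypothetical origin

        # Upstream side (nginx >= 1.5.6): applies to the handshake nginx
        # initiates towards the origin server.
        # TLSv1 mirrors the workaround used in the thread for an origin
        # that fails on a broader offer; widen it once the origin copes.
        proxy_ssl_protocols TLSv1;

        # Explicit cipher list (assumed value) so that NULL and EXPORT
        # suites are never offered to the backend.
        proxy_ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!MD5;
    }
}
```

A candidate cipher string can be checked against the origin before it goes into the configuration with `openssl s_client -connect origin.example.internal:443 -tls1 -cipher '<cipherlist>'`, as the quoted reply suggests.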
