HTTP/2 without forward secrecy (Diffie-Hellman)
Max Meyer
redeemerofsouls666 at web.de
Mon Aug 15 12:32:46 UTC 2016
Hi,
for a test environment I successfully set up an nginx webserver (1.11.2)
with HTTP/2.
But for further tests I need to decrypt traffic with wireshark using the
servers private key.
For that I need to disable forward secrecy (since it is only a test
environment, security is not an issue).
So I changed the "ssl_ciphers" in my /sites-enabled/default file from:
ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
into
ssl_ciphers "AES128-SHA";
So my configuration looks like this:
-----
server {
    listen 443 http2;                 # HTTP/2 offered via ALPN; TLS enabled by "ssl on" below
    root /var/www/html;
    index index.php index.html index.htm;
    ssl on;
    ssl_certificate /etc/ssl/server.crt;
    ssl_certificate_key /etc/ssl/private.key;
    ssl_protocols TLSv1.2;
    # ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
    ssl_ciphers "AES128-SHA";         # RSA key exchange only, so the server key decrypts the capture
    ssl_prefer_server_ciphers on;
}
-----
But now the server won't do HTTP/2 anymore; it falls back to HTTP/1.1.
I tried the same with an Apache webserver and it worked fine, so I guess
it is not a general problem with the chosen cipher.
Any ideas on what could be the problem?
Thanks!
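Editor's note with an added example (this script is not part of the post and not nginx's or Apache's own code). The relevant constraint is RFC 7540 section 9.2.2: over TLS 1.2 an HTTP/2 connection is expected to use an ephemeral key exchange (ECDHE or DHE) and an AEAD cipher, and Appendix A lists TLS_RSA_WITH_AES_128_CBC_SHA, which OpenSSL and nginx call AES128-SHA, among the suites a client may refuse for h2. nginx still advertises h2 through ALPN with that suite configured; it is the browser that declines to speak HTTP/2 over the negotiated cipher and falls back to HTTP/1.1 (or reports an inadequate-security error). The script below probes a server with openssl s_client and classifies the negotiated cipher against that rule. The host name, port and cipher arguments are whatever you pass in; openssl must be on the PATH for the live probe, and the -cipher option only restricts TLS 1.2 suites, which matches the "ssl_protocols TLSv1.2" in the post.

```shell
#!/bin/sh
# check_h2.sh (added example): does the negotiated TLS cipher satisfy
# RFC 7540 section 9.2.2 (ephemeral key exchange + AEAD)?

# h2_cipher_ok NAME -> exit 0 if the OpenSSL cipher name is acceptable for h2
h2_cipher_ok() {
    case "$1" in
        TLS_AES_*|TLS_CHACHA20_*) return 0 ;;   # TLS 1.3 suites: always ephemeral and AEAD
        ECDHE-*|DHE-*)                          # forward secrecy present; now require AEAD
            case "$1" in
                *-GCM-*|*-CHACHA20-*|*-CCM*) return 0 ;;
                *) return 1 ;;                  # e.g. ECDHE-RSA-AES128-SHA: CBC + HMAC, listed in Appendix A
            esac ;;
        *) return 1 ;;                          # RSA, static DH, PSK... key exchange: no forward secrecy
    esac
}

# h2_verdict "<s_client output>" -> prints "<alpn> <cipher> <OK|BLACKLISTED>"
# alpn is "none" when the server did not select a protocol.
h2_verdict() {
    out=$1
    alpn=$(printf '%s\n' "$out" | sed -n 's/^ALPN protocol: //p' | head -n 1)
    [ -n "$alpn" ] || alpn=none
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: //p' | head -n 1)
    if h2_cipher_ok "$cipher"; then verdict=OK; else verdict=BLACKLISTED; fi
    printf '%s %s %s\n' "$alpn" "$cipher" "$verdict"
}

# probe HOST [PORT] [CIPHERS]: live check against a server you control.
# The third argument limits what the client offers, so "AES128-SHA"
# reproduces the configuration from the post.
probe() {
    host=$1; port=${2:-443}; ciphers=${3:-DEFAULT}
    out=$(printf '' | openssl s_client -connect "$host:$port" -servername "$host" \
            -alpn h2 -cipher "$ciphers" 2>/dev/null)
    h2_verdict "$out"
}

# Usage:
#   ./check_h2.sh test.example            # server's own preference
#   ./check_h2.sh test.example 443 AES128-SHA
if [ $# -gt 0 ]; then
    probe "$@"
fi
```

A line such as "h2 AES128-SHA BLACKLISTED" means nginx did select h2 in ALPN but a browser will not keep HTTP/2 on that cipher, which is the fallback described in the post. If the goal is only to read the HTTP/2 traffic in Wireshark, the way that keeps ECDHE intact is to have the browser export session secrets via the SSLKEYLOGFILE environment variable (Firefox and Chrome support it) and point Wireshark's TLS preferences at that file; the server key and cipher list then stay unchanged.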