http2 ciphers question on correct order /availability

Sophie Loewenthal sophie at
Tue Jan 23 10:27:39 UTC 2018


Did I add or remove the wrong ciphers for http2, and are they in the correct order?  I found plenty of different documents on the Internet. Since mine is now broken, I should ask here :) Any ideas?

Error message from Chrome:

My nginx.conf has,

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ssl_session_cache shared:SSL:15m;
        ssl_session_timeout 1d;
        ssl_session_tickets off;
        ssl_dhparam /etc/nginx/ssl/dhparam.pem;

The vhost has http2 switched on with TLS 1.2 only:

server {
   listen 443 ssl http2;


   ssl_prefer_server_ciphers On;
   ssl_protocols TLSv1.2;
   ssl_session_timeout       8m;
   ssl_ecdh_curve            secp521r1;


   add_header X-Content-Type-Options nosniff;
   add_header X-Frame-Options SAMEORIGIN;
   add_header X-Content-Type-Options nosniff;
   add_header X-XSS-Protection "1; mode=block";
   add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
   add_header Referrer-Policy "no-referrer";



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the nginx mailing list