TLS 1.2 ciphers

August 21, 2013 01:19PM
Chrome 29 came out recently and now supports TLS 1.2. So I decided to add some of the new TLS 1.2 ciphers to my webserver, which are specified here: https://www.openssl.org/docs/apps/ciphers.html#TLS_v1_2_cipher_suites.

My current setup is: Ubuntu 10.04, Nginx 1.5.3, OpenSSL 1.0.1e (built myself)
Config file:

# Redirect all plain-HTTP requests to HTTPS
server {
    listen 80;
    server_name sherbers.de;
    return 301 https://$server_name$request_uri;
}

# HTTPS virtual host
server {
    listen 443 ssl spdy default_server;
    server_name sherbers.de;

    ssl_certificate /etc/ssl/private/hosteurope/www.sherbers.de.pem;
    ssl_certificate_key /etc/ssl/private/hosteurope/www.sherbers.de.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # Forward-secrecy suites only, in server preference order
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
}

As you can see I only use ciphers with perfect forward secrecy, because why not. When I connect to my webserver, Chrome shows it is using TLS 1.2, but as a cipher it is using ECDHE-RSA, which it was using before too when I only offered TLS 1.1, without any of the ECDHE-ECDSA ciphers.

Any idea why nginx doesn't offer the new ciphers?

Additional information:

- An SSL check at https://sslcheck.globalsign.com doesn't list any of the ECDHE-ECDSA ciphers
- "openssl ciphers -v | grep ECDHE-ECDSA" outputs the following:
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-AES128-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
ECDHE-ECDSA-RC4-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=RC4(128) Mac=SHA1
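
Added example (not part of the original post or of nginx/OpenSSL): a Python check of which suites in the posted ssl_ciphers list a server can negotiate for a given certificate key type, using the Au= column of `openssl ciphers -v`, which in TLS 1.2 and earlier names the key type the server certificate must have. Assumptions: the three RSA rows are constructed in the same output format, and the certificate is taken to be RSA because Chrome reports ECDHE-RSA.

```python
# Added example, not from the original post.
# ssl_ciphers value copied from the posted nginx config.
SSL_CIPHERS = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA"
)

# `openssl ciphers -v` rows: the ECDSA rows are from the post, the three
# RSA rows are constructed here in the same format.
CIPHERS_V = """\
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
"""

def parse_ciphers_v(text):
    """Return {suite name: {"protocol", "Kx", "Au", "Enc", "Mac"}}."""
    suites = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip blank or malformed rows
        attrs = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        attrs["protocol"] = fields[1]
        suites[fields[0]] = attrs
    return suites

def split_by_cert(ssl_ciphers, suites, cert_key_types):
    """Split the configured list, in order, into (usable, skipped)."""
    usable, skipped = [], []
    for name in ssl_ciphers.split(":"):
        info = suites.get(name)
        if info is None:
            skipped.append((name, "not known to this OpenSSL build"))
        elif info.get("Au") not in cert_key_types:
            skipped.append((name, "needs an %s certificate" % info.get("Au")))
        else:
            usable.append(name)
    return usable, skipped

if __name__ == "__main__":
    table = parse_ciphers_v(CIPHERS_V)
    usable, skipped = split_by_cert(SSL_CIPHERS, table, {"RSA"})  # assumed RSA cert
    print("usable:", usable)
    for name, reason in skipped:
        print("skipped:", name, "-", reason)
```
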
Subject | Author | Posted
TLS 1.2 ciphers | stephan13360 | August 21, 2013 01:19PM
Re: TLS 1.2 ciphers | Maxim Dounin | August 21, 2013 02:02PM
Re: TLS 1.2 ciphers | stephan13360 | August 21, 2013 02:07PM
