Re: openssl 1.0.1 and tls1.1 and up

April 16, 2014 09:42AM
I found where the problem was. I thought ssl options could be different in each virtual host. The default server settings were not overwritten.

server {
    include conf/default-settings;

    root /var/www;
    server_name "";

    ssl on;
    ssl_certificate ssl/nmz_ssl.crt;
    ssl_certificate_key ssl/nmz_ssl.key;

    ssl_session_timeout 5m;

    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
    ssl_prefer_server_ciphers on;

    location / {
        try_files $uri $uri/ =404;
    }

    location /smokeping/ {
        proxy_pass http://10.10.10.2/smokeping/;
    }
}

Other servers:
server {
include conf/default-site-ssl;
include conf/default-settings;
ssl_certificate /etc/nginx/ssl/host.pem;
ssl_certificate_key /etc/nginx/ssl/host.key;
....


conf/default-site-ssl :

listen 443 ssl;
ssl on;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_prefer_server_ciphers on;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";


nginx -t did not show any error.

http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols

So some ssl options cannot be overwritten?
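
A check for the situation this post describes, where the default server's ssl_protocols stayed in effect for the other virtual hosts. This is an added example, not code from the thread or from nginx; the sample config is constructed, the function names are hypothetical, and it assumes listen and ssl_protocols are written inline (include files are not followed).

```python
import re

# Constructed sample modelled on the post; the first server is the implicit default.
SAMPLE = """
server {
    listen 443 ssl;
    server_name "";
    ssl_protocols SSLv3 TLSv1;
}
server {
    listen 443 ssl;
    server_name host.example;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
"""

def server_blocks(conf):
    """Yield each server block as a list of (directive, args); nested blocks are skipped."""
    tokens = re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+', re.sub(r"#.*", "", conf))
    stack, stmt, current = [], [], None
    for tok in tokens:
        if tok == "{":
            stack.append(stmt[0] if stmt else "")
            if stack[-1] == "server":
                current = []
        elif tok == "}":
            if stack and stack.pop() == "server":
                yield current
        elif tok == ";":
            if stmt and stack and stack[-1] == "server":
                current.append((stmt[0], stmt[1:]))
        else:
            stmt.append(tok)
            continue
        stmt = []  # a '{', '}' or ';' ends the current statement

def protocol_mismatches(conf):
    """Return (listen, server_name, differing protocols) versus the default server."""
    by_listen = {}
    for block in server_blocks(conf):
        d = {}
        for name, args in block:
            d.setdefault(name, []).append(args)
        if "ssl_protocols" not in d:
            continue  # inherited value, not compared in this sketch
        entry = (" ".join(d.get("server_name", [["_"]])[0]), set(d["ssl_protocols"][-1]))
        for args in d.get("listen", []):
            # nginx default: first server for the address unless default_server is set
            peers = by_listen.setdefault(args[0], [])
            peers.insert(0 if "default_server" in args else len(peers), entry)
    return [(a, n, sorted(p ^ s[0][1])) for a, s in by_listen.items()
            for n, p in s[1:] if p != s[0][1]]
```

For the sample, `protocol_mismatches(SAMPLE)` reports host.example on 443 with TLSv1.1 and TLSv1.2 as the protocols that differ from the default server.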