Welcome! Log In Create A New Profile

Advanced

issue with ssl_ciphers not being respected

Jessica Litwin
October 16, 2014 03:42AM
Hello

I seem to have a bit of a problem. In my vhost's server {}; block, I have:

ssl_ciphers
EECDH+aRSA+AESGCM:EECDH+aRSA+AES:EDH+aRSA+AESGCM:EDH+aRSA+AES:DES-CBC3-SHA:!EXP:!CAMELLIA:!DSS:!MEDIUM:!LOW:!aNULL:!eNULL:!RC4;
ssl_prefer_server_ciphers on;

but for some reason this doesn't seem to be respected because ssllabs.com's
checker says:

"RC4 cipher is used with TLS 1.1 or newer protocols, even though stronger
ciphers are available."

Testing with openssl s_client shows:

SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-RC4-SHA

My ssl_ciphers line _should_ be disallowing all RC4... so I am not sure if
this is a bug or if I have these options in the wrong place (I tried them
in the http{} block for grins with no effect) or if there's something
missing from my build. Can someone provide guidance?

TIA.

-jkl


root@dreamer:~# which nginx
/usr/sbin/nginx

root@dreamer:~# /usr/sbin/nginx -V
nginx version: nginx/1.7.6
built by gcc 4.7.2 (Debian 4.7.2-5)
TLS SNI support enabled
configure arguments: --prefix=/opt/nginx --with-http_ssl_module
--with-http_gzip_static_module --with-http_stub_status_module
--with-cc-opt=-Wno-error
--add-module=/usr/local/rvm/gems/ruby-2.1.3/gems/passenger-4.0.53/ext/nginx
--sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf
--error-log-path=/var/log/nginx/error.log
--http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid
--lock-path=/var/run/nginx.lock
--http-client-body-temp-path=/var/cache/nginx/client_temp
--http-proxy-temp-path=/var/cache/nginx/proxy_temp
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp
--http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx
--with-http_ssl_module --with-http_realip_module
--with-http_addition_module --with-http_sub_module --with-http_dav_module
--with-http_flv_module --with-http_mp4_module --with-http_gunzip_module
--with-http_gzip_static_module --with-http_random_index_module
--with-http_secure_link_module --with-http_stub_status_module --with-mail
--with-mail_ssl_module --with-file-aio --with-http_spdy_module
--with-cc-opt='-s -O3 -fstack-protector --param=ssp-buffer-size=4 -Wformat
-Werror=format-security -Wno-error=maybe-uninitialized
-Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt=-Wl,-z,relro --with-ipv6
--add-module=/opt/build/naxsi-master/naxsi_src

root@dreamer:~# ldd /usr/sbin/nginx
linux-vdso.so.1 => (0x00007fffb808d000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0
(0x00007f6f3cf7a000)
libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1
(0x00007f6f3cd43000)
libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6
(0x00007f6f3ca3b000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f6f3c7b9000)
librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f6f3c5b1000)
libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3
(0x00007f6f3c373000)
libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
(0x00007f6f3c113000)
libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
(0x00007f6f3bd1b000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f6f3bb16000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f6f3b8ff000)
libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1
(0x00007f6f3b6e9000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f6f3b35d000)
/lib64/ld-linux-x86-64.so.2 (0x00007f6f3d1a0000)

root@dreamer:~# openssl version
OpenSSL 1.0.1e 11 Feb 2013
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

issue with ssl_ciphers not being respected

Jessica Litwin October 16, 2014 03:42AM

Re: issue with ssl_ciphers not being respected

itpp2012 October 16, 2014 04:52AM

Re: issue with ssl_ciphers not being respected

Maxim Dounin October 16, 2014 09:12AM

Re: issue with ssl_ciphers not being respected

Jessica Litwin October 16, 2014 01:32PM

Re: issue with ssl_ciphers not being respected

mex October 16, 2014 04:23PM

Re: issue with ssl_ciphers not being respected

Jessica Litwin October 16, 2014 04:30PM

Re: issue with ssl_ciphers not being respected

Scott Larson October 16, 2014 04:56PM

Re: issue with ssl_ciphers not being respected

Jessica Litwin October 16, 2014 05:04PM

Re: issue with ssl_ciphers not being respected

Scott Larson October 16, 2014 07:38PM

Re: issue with ssl_ciphers not being respected

itpp2012 October 17, 2014 06:14AM

Re: issue with ssl_ciphers not being respected

Jessica Litwin October 17, 2014 07:30PM

Re: issue with ssl_ciphers not being respected

Scott Larson October 17, 2014 07:42PM

Re: issue with ssl_ciphers not being respected

Jessica Litwin October 17, 2014 07:56PM

Re: issue with ssl_ciphers not being respected

Jessica Litwin October 17, 2014 08:18PM

Re: issue with ssl_ciphers not being respected

mex October 18, 2014 05:59AM

Re: issue with ssl_ciphers not being respected

mex October 16, 2014 05:02PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 108
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready