Welcome! Log In Create A New Profile

Advanced

Re: issue with ssl_ciphers not being respected

Maxim Dounin
October 16, 2014 09:12AM
Hello!

On Thu, Oct 16, 2014 at 03:40:44AM -0400, Jessica Litwin wrote:

> Hello
>
> I seem to have a bit of a problem. In my vhost's server {}; block, I have:
>
> ssl_ciphers
> EECDH+aRSA+AESGCM:EECDH+aRSA+AES:EDH+aRSA+AESGCM:EDH+aRSA+AES:DES-CBC3-SHA:!EXP:!CAMELLIA:!DSS:!MEDIUM:!LOW:!aNULL:!eNULL:!RC4;
> ssl_prefer_server_ciphers on;
>
> but for some reason this doesn't seem to be respected because ssllabs.com's
> checker says:
>
> "RC4 cipher is used with TLS 1.1 or newer protocols, even though stronger
> ciphers are available."
>
> Testing with openssl s_client shows:
>
> SSL-Session:
> Protocol : TLSv1.2
> Cipher : ECDHE-RSA-RC4-SHA
>
> My ssl_ciphers line _should_ be disallowing all RC4... so I am not sure if
> this is a bug or if I have these options in the wrong place (I tried them
> in the http{} block for grins with no effect) or if there's something
> missing from my build. Can someone provide guidance?

Configuring ssl_ciphers at http{} level should be fine - as long
as it's not overwritten in server{} blocks.

Some thrivial things to check:

- make sure ssl_ciphers isn't overwritten in server{} blocks;

- make sure you've properly reloaded you configuration. If you
used configuration reload (not nginx restart) - make sure to
check logs to see if reload went fine, as nginx will revert to a
previous configuration in case of errors. Additionally, "nginx -t"
may be helpful here.

- make sure you are testing correct server.

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

issue with ssl_ciphers not being respected

Jessica Litwin October 16, 2014 03:42AM

Re: issue with ssl_ciphers not being respected

itpp2012 October 16, 2014 04:52AM

Re: issue with ssl_ciphers not being respected

Maxim Dounin October 16, 2014 09:12AM

Re: issue with ssl_ciphers not being respected

Jessica Litwin October 16, 2014 01:32PM

Re: issue with ssl_ciphers not being respected

mex October 16, 2014 04:23PM

Re: issue with ssl_ciphers not being respected

Jessica Litwin October 16, 2014 04:30PM

Re: issue with ssl_ciphers not being respected

Scott Larson October 16, 2014 04:56PM

Re: issue with ssl_ciphers not being respected

Jessica Litwin October 16, 2014 05:04PM

Re: issue with ssl_ciphers not being respected

Scott Larson October 16, 2014 07:38PM

Re: issue with ssl_ciphers not being respected

itpp2012 October 17, 2014 06:14AM

Re: issue with ssl_ciphers not being respected

Jessica Litwin October 17, 2014 07:30PM

Re: issue with ssl_ciphers not being respected

Scott Larson October 17, 2014 07:42PM

Re: issue with ssl_ciphers not being respected

Jessica Litwin October 17, 2014 07:56PM

Re: issue with ssl_ciphers not being respected

Jessica Litwin October 17, 2014 08:18PM

Re: issue with ssl_ciphers not being respected

mex October 18, 2014 05:59AM

Re: issue with ssl_ciphers not being respected

mex October 16, 2014 05:02PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 175
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready