Re: issue with ssl_ciphers not being respected

Jessica Litwin
October 16, 2014 01:32PM
Hi,

Everything is loading OK and nginx -t (or service nginx configtest) shows
the config is ok and I am testing the correct server.

Another poster suggested upgrading openssl to 1.0.1j but I'd have to build
from source to do that and I'm not sure what effect it would have against
nginx....

On Thu, Oct 16, 2014 at 9:10 AM, Maxim Dounin <mdounin@mdounin.ru> wrote:

> Hello!
>
> On Thu, Oct 16, 2014 at 03:40:44AM -0400, Jessica Litwin wrote:
>
> > Hello
> >
> > I seem to have a bit of a problem. In my vhost's server {}; block, I have:
> >
> > ssl_ciphers EECDH+aRSA+AESGCM:EECDH+aRSA+AES:EDH+aRSA+AESGCM:EDH+aRSA+AES:DES-CBC3-SHA:!EXP:!CAMELLIA:!DSS:!MEDIUM:!LOW:!aNULL:!eNULL:!RC4;
> > ssl_prefer_server_ciphers on;
> >
> > but for some reason this doesn't seem to be respected because ssllabs.com's
> > checker says:
> >
> > "RC4 cipher is used with TLS 1.1 or newer protocols, even though stronger
> > ciphers are available."
> >
> > Testing with openssl s_client shows:
> >
> > SSL-Session:
> > Protocol : TLSv1.2
> > Cipher : ECDHE-RSA-RC4-SHA
> >
> > My ssl_ciphers line _should_ be disallowing all RC4... so I am not sure if
> > this is a bug or if I have these options in the wrong place (I tried them
> > in the http{} block for grins with no effect) or if there's something
> > missing from my build. Can someone provide guidance?
>
> Configuring ssl_ciphers at http{} level should be fine - as long
> as it's not overwritten in server{} blocks.
>
> Some trivial things to check:
>
> - make sure ssl_ciphers isn't overwritten in server{} blocks;
>
> - make sure you've properly reloaded your configuration. If you
> used configuration reload (not nginx restart) - make sure to
> check logs to see if reload went fine, as nginx will revert to a
> previous configuration in case of errors. Additionally, "nginx -t"
> may be helpful here.
>
> - make sure you are testing correct server.
>
> --
> Maxim Dounin
> http://nginx.org/
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>



--
Jessica K. Litwin
jessicalitwin.com
twitter: press5
aim: press5key
skype: dr_jkl
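
The first check in the quoted reply, whether ssl_ciphers is overwritten in a server{} block, can be automated. This is an added example, not code from the thread or from nginx: the sample configuration, server names and function names are constructed, include directives are not followed, and the '!RC4' test is textual rather than an OpenSSL evaluation of the string.

```python
import re

# Constructed sample configuration (not the poster's real config): the http{}
# level excludes RC4, but one server{} block sets its own ssl_ciphers.
SAMPLE_CONF = """
http {
    ssl_ciphers EECDH+aRSA+AESGCM:EECDH+aRSA+AES:!aNULL:!eNULL:!RC4;
    ssl_prefer_server_ciphers on;
    server {
        server_name a.example;
    }
    server {
        server_name b.example;
        ssl_ciphers HIGH:RC4:!aNULL;   # overrides the http{} value
    }
}
"""

# Quoted strings, the three structural characters, or a bare word.
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')

def effective_ssl_ciphers(conf):
    """Return [(server_name, cipher_string, source_block)] per server{} block."""
    conf = re.sub(r'#[^\n]*', '', conf)   # drop comments (assumes no '#' in strings)
    stack, words, results = [], [], []
    for tok in TOKEN.findall(conf):
        if tok not in ('{', '}', ';'):
            words.append(tok)
            continue
        if tok == '{':
            # A new block starts with its parent's value until it sets its own.
            parent = stack[-1] if stack else {'ciphers': None, 'source': None}
            stack.append({'kind': words[0] if words else '', 'name': '?',
                          'ciphers': parent['ciphers'], 'source': parent['source']})
        elif tok == ';' and stack and len(words) > 1:
            if words[0] == 'ssl_ciphers':
                stack[-1].update(ciphers=words[1].strip('"\''), source=stack[-1]['kind'])
            elif words[0] == 'server_name':
                stack[-1]['name'] = words[1]
        elif tok == '}' and stack:
            block = stack.pop()
            if block['kind'] == 'server':
                results.append((block['name'], block['ciphers'], block['source']))
        words = []
    return results

def servers_without_rc4_exclusion(conf):
    """Names of server{} blocks whose effective string has no '!RC4' element."""
    return [name for name, ciphers, _ in effective_ssl_ciphers(conf)
            if ciphers is None or '!RC4' not in ciphers.split(':')]
```

A server reported with source `server` is using its own ssl_ciphers line rather than the http{} one, which is the situation the reply asks to rule out.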