Welcome! Log In Create A New Profile

Re: issue with ssl_ciphers not being respected

Forum List Message List New Topic Print View

Jessica Litwin

October 16, 2014 01:32PM

Hi,

Everything is loading OK and nginx -t (or service nginx configtest) show
the config is ok and I am testing the correct server.

Another poster suggested upgrading openssl to 1.0.1j but I'd have to build
from source to do that and I'm not sure what affect it would have against
nginx....

On Thu, Oct 16, 2014 at 9:10 AM, Maxim Dounin <mdounin@mdounin.ru> wrote:

> Hello!
>
> On Thu, Oct 16, 2014 at 03:40:44AM -0400, Jessica Litwin wrote:
>
> > Hello
> >
> > I seem to have a bit of a problem. In my vhost's server {}; block, I
> have:
> >
> > ssl_ciphers
> >
> EECDH+aRSA+AESGCM:EECDH+aRSA+AES:EDH+aRSA+AESGCM:EDH+aRSA+AES:DES-CBC3-SHA:!EXP:!CAMELLIA:!DSS:!MEDIUM:!LOW:!aNULL:!eNULL:!RC4;
> > ssl_prefer_server_ciphers on;
> >
> > but for some reason this doesn't seem to be respected because
> ssllabs.com's
> > checker says:
> >
> > "RC4 cipher is used with TLS 1.1 or newer protocols, even though stronger
> > ciphers are available."
> >
> > Testing with openssl s_client shows:
> >
> > SSL-Session:
> > Protocol : TLSv1.2
> > Cipher : ECDHE-RSA-RC4-SHA
> >
> > My ssl_ciphers line _should_ be disallowing all RC4... so I am not sure
> if
> > this is a bug or if I have these options in the wrong place (I tried them
> > in the http{} block for grins with no effect) or if there's something
> > missing from my build. Can someone provide guidance?
>
> Configuring ssl_ciphers at http{} level should be fine - as long
> as it's not overwritten in server{} blocks.
>
> Some thrivial things to check:
>
> - make sure ssl_ciphers isn't overwritten in server{} blocks;
>
> - make sure you've properly reloaded you configuration. If you
> used configuration reload (not nginx restart) - make sure to
> check logs to see if reload went fine, as nginx will revert to a
> previous configuration in case of errors. Additionally, "nginx -t"
> may be helpful here.
>
> - make sure you are testing correct server.
>
> --
> Maxim Dounin
> http://nginx.org/
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>

--
Jessica K. Litwin
jessicalitwin.com
twitter: press5
aim: press5key
skype: dr_jkl
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

Reply Quote

RSS

Subject	Author	Posted
issue with ssl_ciphers not being respected	Jessica Litwin	October 16, 2014 03:42AM
Re: issue with ssl_ciphers not being respected	itpp2012	October 16, 2014 04:52AM
Re: issue with ssl_ciphers not being respected	Maxim Dounin	October 16, 2014 09:12AM
Re: issue with ssl_ciphers not being respected	Jessica Litwin	October 16, 2014 01:32PM
Re: issue with ssl_ciphers not being respected	mex	October 16, 2014 04:23PM
Re: issue with ssl_ciphers not being respected	Jessica Litwin	October 16, 2014 04:30PM
Re: issue with ssl_ciphers not being respected	Scott Larson	October 16, 2014 04:56PM
Re: issue with ssl_ciphers not being respected	Jessica Litwin	October 16, 2014 05:04PM
Re: issue with ssl_ciphers not being respected	Scott Larson	October 16, 2014 07:38PM
Re: issue with ssl_ciphers not being respected	itpp2012	October 17, 2014 06:14AM
Re: issue with ssl_ciphers not being respected	Jessica Litwin	October 17, 2014 07:30PM
Re: issue with ssl_ciphers not being respected	Scott Larson	October 17, 2014 07:42PM
Re: issue with ssl_ciphers not being respected	Jessica Litwin	October 17, 2014 07:56PM
Re: issue with ssl_ciphers not being respected	Jessica Litwin	October 17, 2014 08:18PM
Re: issue with ssl_ciphers not being respected	mex	October 18, 2014 05:59AM
Re: issue with ssl_ciphers not being respected	mex	October 16, 2014 05:02PM

Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 295

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018