Re: issue with ssl_ciphers not being respected

Scott Larson
October 17, 2014 07:42PM
Just to be thorough, are you sure nginx is actually using the config file that you think it is? If we’re talking about your personal domain, I see TLS 1.0 and SSL 3.0 available, which in this snippet you have not enabled. This behavior isn’t something I’m able to replicate with the 1.7.6/1.0.1i combo.

__________________

Scott Larson
Systems Administrator

Wiredrive/LA
310 823 8238 ext. 1106
310 943 2078 fax
www.wiredrive.com http://www.wiredrive.com/
www.twitter.com/wiredrive http://www.twitter.com/wiredrive
www.facebook.com/wiredrive http://www.wiredrive.com/facebook
> On Oct 17, 2014, at 4:28 PM, Jessica Litwin <jessica@litw.in> wrote:
>
> using openssl101j, I get the same results with the following in both my vhost config and nginx.conf
>
> ssl_protocols TLSv1.2 TLSv1.1;
> ssl_ciphers EECDH+aRSA+AESGCM:EECDH+aRSA+AES:EDH+aRSA+AESGCM:EDH+aRSA+AES:DES-CBC3-SHA:!EXP:!CAMELLIA:!DSS:!MEDIUM:!LOW:!aNULL:!eNULL:!RC4;
> ssl_prefer_server_ciphers on;
>
> RC4 cipher is used with TLS 1.1 or newer protocols, even though stronger ciphers are available.
>
> What the hell am I doing wrong?
>
> On Fri, Oct 17, 2014 at 6:14 AM, itpp2012 <nginx-forum@nginx.us> wrote:
> Scott Larson Wrote:
> -------------------------------------------------------
> > Something else must be going on here. Looking at your ssl_cipher
> > string, you're opening with a rough declaration of specific ciphers
> > you'll support, none of which should pull in RC4. It's specific enough
> > in fact that your subsequent excluded ciphers don't even come into play.
> > To test this I switched in my old RSA cert, rebuilt 1.7.6 against
> > OpenSSL 1.0.1j,
>
> Which is why I said try 101j, between 101e and j there are big differences
> when it comes to invalid fallbacks.
> Not even mentioning using 101e is asking to be hacked.
>
> Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254028,254092#msg-254092
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
>
>
> --
> Jessica K. Litwin
> jessicalitwin.com http://jessicalitwin.com/
> twitter: press5
> aim: press5key
> skype: dr_jkl

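One way to check the question raised in this message, whether nginx is loading TLS directives from a file other than the one being edited, is to scan the full configuration dump for every `ssl_protocols` and `ssl_ciphers` directive. This is an added example, not code from the thread or from nginx; it assumes the dump comes from `nginx -T` (nginx 1.9.2 and later, so on older builds the files would have to be concatenated by hand with the same marker lines), and the sample paths and function names are constructed.

```python
import re
# Constructed sample in the layout printed by `nginx -T` (nginx 1.9.2+); paths are made up.
SAMPLE_DUMP = """\
# configuration file /etc/nginx/nginx.conf:
http {
    ssl_protocols TLSv1.2 TLSv1.1;
    ssl_ciphers EECDH+aRSA+AESGCM:EECDH+aRSA+AES:!aNULL:!eNULL:!RC4;
}
# configuration file /etc/nginx/conf.d/legacy.conf:
server {
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;  # stale override
}
"""
FILE_MARK = re.compile(r"^# configuration file (.+):$")
WEAK = {"SSLv2", "SSLv3", "TLSv1"}

def find_tls_directives(dump):
    """Locate each ssl_protocols / ssl_ciphers directive ('#' inside quotes not handled)."""
    found, path, stack, stmt, lineno = [], "?", [], "", 0
    for line in dump.splitlines():
        mark = FILE_MARK.match(line)
        if mark:  # next file: reset line counter and block nesting
            path, stack, stmt, lineno = mark.group(1), [], "", 0
            continue
        lineno += 1
        for tok in re.split(r"([;{}])", line.split("#", 1)[0]):
            words = stmt.split()
            if tok == "{":
                stack.append(words[0] if words else "?")
            elif tok == ";" and words and words[0] in ("ssl_protocols", "ssl_ciphers"):
                found.append({"file": path, "line": lineno, "name": words[0],
                              "block": "/".join(stack) or "main", "value": " ".join(words[1:])})
            elif tok == "}" and stack:
                stack.pop()
            stmt = "" if tok in (";", "{", "}") else stmt + " " + tok
    return found

def conflicting(found):
    """Directive names that carry more than one distinct value across the dump."""
    values = {}
    for d in found:
        values.setdefault(d["name"], set()).add(d["value"])
    return sorted(name for name, vals in values.items() if len(vals) > 1)

def legacy_protocols(found):
    """(file, line, protocols) for each ssl_protocols enabling SSLv2, SSLv3 or TLSv1."""
    hits = [(d["file"], d["line"], sorted(WEAK & set(d["value"].split())))
            for d in found if d["name"] == "ssl_protocols"]
    return [h for h in hits if h[2]]
```

A non-empty result from `conflicting()` or `legacy_protocols()` points at the file and line to inspect before looking at the OpenSSL build.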