Lukas Tribus
January 12, 2015 12:58PM
> I did an ssldump and this is the conversation between both servers:

This ssldump seems incomplete, there is no response. Please post the
full ssldump.

The bug is probably neither in openssl nor in nginx, but in the origin
server (but we don't have the full handshake here).


Since nginx 1.5.6, you can configure proxy_ssl_protocols and
proxy_ssl_ciphers to control backend ssl traffic, which may
allow you to work around certain backend bugs.

Certainly a lot of bogus ciphers are enabled by default in your
setup (NULL, EXPORT, etc).

If you have nginx >= 1.5.6, you can probably work around this
by forcing SSLv3 (which I would not recommend at all):
proxy_ssl_protocols SSLv3;

But I would rather configure a sane cipher list with
proxy_ssl_ciphers and try to get it working with that (see [1]).

Try playing with "openssl s_client -cipher <cipherlist>" to find
a secure and working configuration.
Regards,

Lukas


[1] https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations


_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
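The two directives mentioned in the reply, shown as an added configuration example (this is not configuration from the thread or from the nginx project): the SSLv3-forcing workaround that the reply advises against, beside a location that pins the backend connection to TLS 1.2 with an explicit cipher list. The upstream names, the backend host and the cipher string are constructed for illustration; take the actual cipher list for your OpenSSL version from the Mozilla guide linked as [1] in the reply. The proxy_ssl_verify lines are optional and assume an nginx newer than 1.5.6 (those directives appeared in 1.7.0).

```nginx
# Added example, not from the original thread.
# Backend names and the cipher string below are constructed placeholders.

upstream legacy_backend {
    server backend.example.internal:443;   # assumed backend host
}

server {
    listen 443 ssl;
    server_name proxy.example.com;         # assumed front-end name

    # WEAK WORKAROUND (what the reply says it would not recommend):
    # forces SSLv3 to the backend. Use only to confirm that the origin
    # server's TLS handling is the problem, then remove it.
    location /legacy-sslv3-test/ {
        proxy_pass          https://legacy_backend;
        proxy_ssl_protocols SSLv3;
    }

    # PREFERRED: keep modern protocols and replace the permissive
    # "DEFAULT" cipher list (which admits NULL/EXPORT suites on old
    # OpenSSL builds) with an explicit, restricted one.
    location / {
        proxy_pass            https://legacy_backend;
        proxy_ssl_protocols   TLSv1.2;
        # Illustrative cipher string; substitute the list from [1].
        proxy_ssl_ciphers     "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5";

        # Optional (nginx >= 1.7.0): verify the backend certificate so a
        # misbehaving or spoofed origin fails closed instead of proxying.
        proxy_ssl_verify        on;
        proxy_ssl_trusted_certificate /etc/nginx/backend-ca.pem;  # assumed path
    }
}
```

To find a cipher list that both sides accept before committing it to the config, run the reply's suggested probe against the backend with the same string, e.g. `openssl s_client -connect backend.example.internal:443 -tls1_2 -cipher 'ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!EXPORT'` (host is the assumed placeholder above); a completed handshake in that output is what the ssldump in the thread was missing.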
