Re: Bug re: openssl-1.0.1

Peter Fraser
January 12, 2015 04:20PM
You were absolutely correct. It is working now. I changed three things. I
firstly forced TLS 1.0, then changed the directive ssl_protocols to
proxy_ssl_protocols as you suggested. Finally, I restricted the cipher list
as you also mentioned. I had thought that I would leave all that out and
tie things down when I got it working. I never thought being so liberal
would prevent it from working in the first place. Thanks for your thoughts.

Regards.

On Mon, Jan 12, 2015 at 9:55 AM, Lukas Tribus <luky-37@hotmail.com> wrote:

> > I did an ssldump and this is the conversation between both servers:
>
> This ssldump seems incomplete, there is no response. Please post the
> full ssldump.
>
> The bug is probably neither in openssl nor in nginx, but in the origin
> server (but we don't have the full handshake here).
>
>
> Since nginx 1.5.6, you can configure proxy_ssl_protocols and
> proxy_ssl_ciphers to configure backend ssl traffic, which may
> allow you to work around certain backend bugs.
>
> Certainly a lot of bogus ciphers are enabled by default in your
> setup (NULL, EXPORT, etc).
>
> If you have nginx>= 1.5.6, you can probably workaround this
> by forcing SSLv3 (which I would not recommend at all):
> proxy_ssl_protocols SSLv3;
>
> But I would rather configure a sane cipher list with
> proxy_ssl_ciphers and see about getting it working with that (see [1]).
>
> Try playing with "openssl s_client -cipher <cipherlist>" to find
> a secure and working configuration.
>
>
>
>
> Regards,
>
> Lukas
>
>
> [1]
> https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
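The two points in Lukas's reply (the upstream handshake is governed by proxy_ssl_protocols/proxy_ssl_ciphers, not ssl_protocols, and a permissive default cipher string drags in NULL/EXPORT suites) can be checked mechanically. The script below is an added example, not code from this thread or from nginx: it lints a constructed nginx config for exactly those mistakes, expands a cipher string the way `openssl ciphers -v` does (via Python's ssl module, so it asks the linked OpenSSL), and offers a `probe_backend` helper that does what `openssl s_client -cipher <spec>` does against a live backend. The hostname `backend.example.internal`, the CA path, and the ECDHE/AEAD cipher list are assumptions chosen for the example; the hardened config uses TLS 1.2/1.3 rather than the TLS 1.0 the original poster settled on.

```python
"""Lint nginx proxy_ssl_* settings and expand OpenSSL cipher strings.

Added example for the thread above; not nginx code. Config snippets,
hostnames, paths and the cipher list are constructed for illustration.
"""
import re
import socket
import ssl

# Constructed: the shape of config the thread describes. ssl_protocols only
# governs nginx's own listener; the proxy_pass handshake is controlled by
# proxy_ssl_protocols / proxy_ssl_ciphers and otherwise uses nginx defaults.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1;
    location / {
        proxy_pass https://backend.example.internal;
    }
}
"""

# Constructed hardened counterpart (TLSv1.3 in proxy_ssl_protocols needs
# nginx 1.13.0+; proxy_ssl_verify needs 1.7.0+).
HARDENED_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    location / {
        proxy_pass https://backend.example.internal;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/backend-ca.pem;
    }
}
"""

# Substrings of OpenSSL cipher names that mark a suite as bogus for a proxy.
WEAK_MARKERS = (
    ("NULL", "no encryption"),
    ("EXP", "export-grade key size"),
    ("ADH", "anonymous DH, no server authentication"),
    ("AECDH", "anonymous ECDH, no server authentication"),
    ("RC4", "RC4 stream cipher"),
    ("DES", "DES/3DES block cipher"),
    ("MD5", "MD5 MAC"),
)

DIRECTIVE_RE = re.compile(
    r"^\s*(proxy_pass|ssl_protocols|proxy_ssl_protocols|proxy_ssl_ciphers|proxy_ssl_verify)\s+([^;]+);",
    re.MULTILINE,
)


def weak_reason(cipher_name):
    """Return why a cipher name is unacceptable, or None if it looks sane."""
    upper = cipher_name.upper()
    for marker, reason in WEAK_MARKERS:
        if marker in upper:
            return reason
    return None


def expand_cipher_spec(spec):
    """Expand an OpenSSL cipher string into the TLS<=1.2 suite names it enables.

    Equivalent to `openssl ciphers -v '<spec>'`; TLS 1.3 suites are appended
    by OpenSSL regardless of the spec, so they are filtered out. A spec that
    matches nothing yields an empty list instead of raising.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def lint_proxy_ssl(config):
    """Flag the mistakes from the thread in an nginx config string.

    Regex-based and scope-blind (it does not track server/location blocks);
    good enough for a single https proxy location. Returns finding strings.
    """
    directives = {}
    for m in DIRECTIVE_RE.finditer(config):
        directives.setdefault(m.group(1), []).append(m.group(2).strip())
    findings = []
    if not any(v.startswith("https://") for v in directives.get("proxy_pass", [])):
        return findings  # no TLS upstream, nothing to check
    protos = directives.get("proxy_ssl_protocols")
    if protos is None:
        findings.append("proxy_pass to https:// without proxy_ssl_protocols: "
                        "ssl_protocols does not apply to the upstream handshake")
    elif {"SSLv2", "SSLv3"} & set(protos[0].split()):
        findings.append("proxy_ssl_protocols allows SSLv2/SSLv3")
    ciphers = directives.get("proxy_ssl_ciphers")
    if ciphers is None:
        findings.append("no proxy_ssl_ciphers: upstream uses OpenSSL's DEFAULT list")
    else:
        weak = [n for n in expand_cipher_spec(ciphers[0]) if weak_reason(n)]
        if weak:
            findings.append("proxy_ssl_ciphers enables bogus suites: " + ", ".join(weak[:5]))
    if directives.get("proxy_ssl_verify", ["off"])[0] != "on":
        findings.append("proxy_ssl_verify is off: backend certificate is not validated")
    return findings


def probe_backend(host, port, cipher_spec, timeout=5.0):
    """Try one cipher spec against a live backend, like
    `openssl s_client -connect host:port -cipher '<spec>'`.
    Network call, not exercised offline. Returns (ok, detail)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # probing only; verification stays on in nginx
    try:
        ctx.set_ciphers(cipher_spec)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, f"{tls.version()} {tls.cipher()[0]}"
    except (OSError, ssl.SSLError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for finding in lint_proxy_ssl(cfg) or ["no findings"]:
            print("  -", finding)
    # What a fully permissive string enables; @SECLEVEL=0 makes a modern
    # OpenSSL list the suites a 2015-era build offered by default.
    everything = expand_cipher_spec("ALL:COMPLEMENTOFALL:@SECLEVEL=0")
    bogus = [(n, weak_reason(n)) for n in everything if weak_reason(n)]
    print(f"ALL:COMPLEMENTOFALL expands to {len(everything)} suites, {len(bogus)} bogus, e.g.:")
    for name, why in bogus[:6]:
        print(f"  {name:32} {why}")
```

Run it as-is to see the lint output for both snippets; to reproduce Lukas's `openssl s_client` search against a real backend, loop `probe_backend("backend.example.internal", 443, name)` over `expand_cipher_spec(<candidate list>)` and keep the first names that return `(True, ...)`. The lint deliberately treats a missing proxy_ssl_verify as a finding: with it off, nginx accepts any certificate from the upstream, which is the caveat that the thread's focus on protocol and cipher selection leaves out.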
Subject                     Author         Posted
Bug re: openssl-1.0.1       Peter Fraser   January 06, 2015 04:40PM
RE: Bug re: openssl-1.0.1   Lukas Tribus   January 06, 2015 05:10PM
Re: Bug re: openssl-1.0.1   Peter Fraser   January 06, 2015 05:48PM
RE: Bug re: openssl-1.0.1   Lukas Tribus   January 06, 2015 07:58PM
RE: Bug re: openssl-1.0.1   Lukas Tribus   January 06, 2015 08:14PM
Re: Bug re: openssl-1.0.1   Peter Fraser   January 12, 2015 12:22PM
RE: Bug re: openssl-1.0.1   Lukas Tribus   January 12, 2015 12:58PM
Re: Bug re: openssl-1.0.1   Peter Fraser   January 12, 2015 04:20PM
Re: Bug re: openssl-1.0.1   Peter Fraser   January 12, 2015 11:00AM


