On 3 Oct 2013, at 16:36, Sergey Budnevitch <s...@nginx.com> wrote:
>
> On 2 Oct 2013, at 15:08, Vahan Yerkanian <va...@helix.am> wrote:
>
>> On Oct 2, 2013, at 9:57 AM, justin <nginx-fo...@nginx.us> wrote:
>>
>>> I don't compile nginx, I get it from the official CentOS repo:
>>>
>>> [nginx]
>>> name=nginx repo
>>> baseurl=http://nginx.org/packages/centos/6/$basearch/
>>> gpgcheck=0
>>> enabled=1
>>>
>>
>> That's your problem, that version doesn't support ECDHE.
>
> nginx itself has no ciphers support, it depends on openssl.
> RHEL/CentOS version of openssl lacks elliptic curve ciphers,
> it is explicitly stripped from rpm
> (https://bugzilla.redhat.com/show_bug.cgi?id=319901),
> and ECDHE is unavailable on RHEL/CentOS with default openssl.
> So either change/rebuild openssl rpm,

It is necessary to rebuild nginx too, openssl replacement alone is not sufficient.

> rebuild nginx with
> statically linked openssl or use another linux distribution.
>
> You could list and check available ciphers by:
> openssl ciphers -v

BTW, DHE also provides forward secrecy, but it is slow.

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
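
The cipher check suggested in the thread, as an added example that is not part of the original messages: it groups `openssl ciphers -v` output by its `Kx=` field to show whether a given OpenSSL build offers ECDHE or DHE suites. The function names `fs_summary` and `has_ecdhe` and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the usual `openssl ciphers -v`
# columns: NAME PROTO Kx=... Au=... Enc=... Mac=...

# fs_summary: read a cipher listing on stdin, print counts per key exchange.
fs_summary() {
    awk '
    {
        kx = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^Kx=/) kx = substr($i, 4)
        if (kx == "") next                 # not a cipher line
        if (kx == "any")       tls13++     # TLS 1.3 suites: always ephemeral
        else if (kx == "ECDH") ecdhe++     # ECDHE-* suites (ephemeral ECDH)
        else if (kx == "DH")   dhe++       # DHE-* suites (ephemeral DH)
        else                   other++     # RSA, static ECDH/RSA, export DH(512), PSK
    }
    END { printf "ecdhe=%d dhe=%d tls13=%d other=%d\n", ecdhe, dhe, tls13, other }'
}

# has_ecdhe: succeed only if the listing on stdin has at least one ECDHE-* suite.
has_ecdhe() { fs_summary | grep -qv '^ecdhe=0 '; }

# Constructed sample: a build with elliptic curves stripped, as the thread
# describes for the stock RHEL/CentOS openssl package.
sample_no_ec() {
    cat <<'EOF'
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
EOF
}

# Constructed sample: lines in the formats printed by builds with EC support
# (mixed from several OpenSSL generations to exercise every branch).
sample_with_ec() {
    cat <<'EOF'
TLS_AES_256_GCM_SHA384        TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384     TLSv1.2 Kx=DH       Au=RSA   Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA           SSLv3   Kx=ECDH/RSA Au=ECDH  Enc=AES(256)    Mac=SHA1
AES256-SHA                    SSLv3   Kx=RSA      Au=RSA   Enc=AES(256)    Mac=SHA1
EOF
}

sample_no_ec   | fs_summary
sample_with_ec | fs_summary
# Live use on a server: openssl ciphers -v | fs_summary
```

The result describes the `openssl` binary that produced the listing; as the reply above notes, nginx must also be rebuilt against that library before it can negotiate the same suites.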