I should clarify that the default for ssl_protocols is fine for my environment, since we need to support SSLv3; if you don't, I suggest making it safer: ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
On Tue, Apr 15, 2014 at 2:31 PM, Miguel Clara <[email protected]> wrote:
>
> I have an nginx 1.5 install where I don't set the ssl_protocols, because
> the defaults are fine:
> ---> "Since versions 1.1.13 and 1.0.12, nginx uses “ssl_protocols SSLv3
> TLSv1 TLSv1.1 TLSv1.2” by default."
>
> This is what I have found to be the best for ciphers; SSLLABS seems to like
> it. I would even set !RC4, but we need to still support it in this specific
> server.
>
> # ciphers
> ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM
> EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256
> EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK
> !SRP !DSS";
>
> On Tue, Apr 15, 2014 at 1:31 PM, Nemesiz <[email protected]> wrote:
>
>> Hello
>>
>> I'm struggling with enabling tls1.1 and tls1.2. Some info:
>>
>> NGINX:
>>
>> # nginx -V
>> nginx version: nginx/1.5.13
>> built by gcc 4.8.1 (Ubuntu/Linaro 4.8.1-10ubuntu9)
>> TLS SNI support enabled
>> configure arguments: --prefix=/usr/local/nginx/1.5.13
>> --conf-path=/etc/nginx/nginx.conf
>> --error-log-path=/var/log/nginx/error.log
>> --http-client-body-temp-path=/var/lib/nginx/body
>> --http-fastcgi-temp-path=/var/lib/nginx/fastcgi
>> --http-log-path=/var/log/nginx/access.log
>> --http-proxy-temp-path=/var/lib/nginx/proxy
>> --http-scgi-temp-path=/var/lib/nginx/scgi
>> --http-uwsgi-temp-path=/var/lib/nginx/uwsgi
>> --lock-path=/var/lock/nginx.lock
>> --pid-path=/run/nginx.pid --with-pcre-jit --with-debug
>> --with-http_addition_module --with-http_auth_request_module
>> --with-http_dav_module --with-http_geoip_module
>> --with-http_gzip_static_module --with-http_image_filter_module
>> --with-http_realip_module --with-http_spdy_module --with-http_ssl_module
>> --with-http_stub_status_module --with-http_sub_module
>> --with-http_xslt_module --with-ipv6
>> --add-module=/usr/src/nginx-modules/nginx-openssl-version
>> --add-module=/usr/src/nginx-modules/testcookie-nginx-module
>> --with-pcre=/usr/src/nginx-modules/pcre-8.35
>> --with-openssl=/usr/src/nginx-modules/openssl-1.0.1g
>>
>> SSL settings:
>>
>> ssl_session_cache shared:SSL:50m;
>> ssl_session_timeout 5m;
>> ssl_dhparam /etc/nginx/ssl/dhparam.pem;
>> ssl_prefer_server_ciphers on;
>> ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
>> ssl_ciphers
>> 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';
>> add_header Strict-Transport-Security "max-age=31536000;
>> includeSubdomains;";
>>
>> https://www.ssllabs.com/ssltest/ results:
>>
>> Protocols
>> TLS 1.2 No
>> TLS 1.1 No
>> TLS 1.0 Yes
>> SSL 3 Yes
>> SSL 2 No
>>
>> Any hint ?
>>
>> Posted at Nginx Forum:
>> http://forum.nginx.org/read.php?2,249305,249305#msg-249305
>>
>> _______________________________________________
>> nginx mailing list
>> [email protected]
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
_______________________________________________ nginx mailing list [email protected] http://mailman.nginx.org/mailman/listinfo/nginx
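The thread turns on two directives, ssl_protocols and ssl_ciphers, and on a scanner saying TLS 1.1/1.2 are absent even though both are configured. Below is an added example (not code from the thread, from nginx, or from either poster) that checks both values offline with Python 3 and the standard library: it parses the directives out of a config fragment, flags the protocol issues the thread discusses, and expands the cipher string with the OpenSSL that Python links against, the same expansion `openssl ciphers -v '<string>'` would print. The minimal server block wrapping the original poster's values, the function names and the name-prefix forward-secrecy heuristic are assumptions made for this example; the only fact it relies on beyond the thread is the nginx documentation's statement that the TLSv1.1 and TLSv1.2 parameters work only when nginx is built with OpenSSL 1.0.1 or higher.

```python
"""Offline audit of nginx ssl_protocols / ssl_ciphers values (Python 3, stdlib only).

Added example, not code from the thread. It parses the two directives out of a
config fragment, flags the protocol problems the thread discusses, and expands the
cipher string with the OpenSSL this Python links against.
"""
import re
import ssl

# Constructed sample: the original poster's ssl_protocols and ssl_ciphers values,
# wrapped in a minimal server block that is assumed here, not taken from the post.
SAMPLE_CONF = """
server {
    listen 443 ssl;
    ssl_prefer_server_ciphers on;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';
}
"""

# The safer value suggested in the reply: SSLv3 dropped.
SAFER_PROTOCOLS = "TLSv1 TLSv1.1 TLSv1.2"

# One directive per line; the value may be quoted with ' or ".
DIRECTIVE_RE = re.compile(r"^\s*(ssl_protocols|ssl_ciphers)\s+(.+?)\s*;\s*$", re.M)

# Name prefixes of suites that give forward secrecy (ephemeral ECDH/DH, or TLS 1.3,
# whose suites are all ephemeral). A name-based heuristic, not OpenSSL metadata.
PFS_PREFIXES = ("ECDHE-", "DHE-", "TLS_")

# Substrings that mark suites both cipher strings in the thread try to exclude.
WEAK_TAGS = ("RC4", "DES", "NULL", "MD5", "EXP")


def parse_ssl_directives(conf):
    """Return {directive: value} for ssl_protocols / ssl_ciphers, quotes stripped."""
    return {name: value.strip("'\"") for name, value in DIRECTIVE_RE.findall(conf)}


def audit_protocols(protocol_value, openssl_version=ssl.OPENSSL_VERSION_INFO):
    """Findings for an ssl_protocols value. openssl_version is a
    (major, minor, fix, patch, status) tuple shaped like ssl.OPENSSL_VERSION_INFO."""
    protocols = protocol_value.split()
    findings = []
    if "SSLv2" in protocols:
        findings.append("SSLv2 enabled: remove it")
    if "SSLv3" in protocols:
        findings.append("SSLv3 enabled: drop it unless a legacy client really needs it")
    if "TLSv1.2" not in protocols:
        findings.append("TLSv1.2 not listed")
    # Per the nginx docs the TLSv1.1/TLSv1.2 parameters only take effect when nginx
    # is built with OpenSSL 1.0.1 or later; an older library has nothing above
    # TLSv1 to offer, which is exactly the SSL Labs result quoted in the thread.
    if {"TLSv1.1", "TLSv1.2"} & set(protocols) and tuple(openssl_version[:3]) < (1, 0, 1):
        findings.append("OpenSSL %d.%d.%d is too old for TLSv1.1/TLSv1.2"
                        % tuple(openssl_version[:3]))
    return findings


def resolve_ciphers(cipher_string):
    """Expand an OpenSSL cipher string into the ordered suite names it enables.
    Raises ssl.SSLError when the string selects no suite at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def audit_ciphers(cipher_string):
    """Report on an ssl_ciphers value: every enabled suite (server preference order
    when ssl_prefer_server_ciphers is on), the ones still carrying a weak
    primitive, and the ones without forward secrecy."""
    suites = resolve_ciphers(cipher_string)
    return {
        "suites": suites,
        "weak": [n for n in suites if any(tag in n for tag in WEAK_TAGS)],
        "no_forward_secrecy": [n for n in suites if not n.startswith(PFS_PREFIXES)],
    }


if __name__ == "__main__":
    directives = parse_ssl_directives(SAMPLE_CONF)
    print("ssl_protocols:", directives["ssl_protocols"])
    for finding in audit_protocols(directives["ssl_protocols"]):
        print("  -", finding)
    print("safer value:", SAFER_PROTOCOLS, audit_protocols(SAFER_PROTOCOLS) or "(no findings)")
    report = audit_ciphers(directives["ssl_ciphers"])
    print("%d suites enabled under %s" % (len(report["suites"]), ssl.OPENSSL_VERSION))
    print("weak:", report["weak"] or "none")
    print("no forward secrecy:", report["no_forward_secrecy"] or "none")
```

Run it with `python3 audit.py` against your own fragment. The "too old" finding is the first thing to rule out when a scanner reports TLS 1.2 absent although it is configured: the check here uses the OpenSSL Python links against, which can differ from the one nginx was built with (the poster configured `--with-openssl=.../openssl-1.0.1g`), so compare against what your nginx binary actually carries. A direct probe of the running server is `openssl s_client -connect host:443 -tls1_2`, which fails the handshake when that version is not offered.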
