ssl_prefer_server_ciphers on;

On Wed, Mar 11, 2020, 11:58 Kaushal Shriyan <kaushalshri...@gmail.com> wrote:

> On Wed, Mar 11, 2020 at 6:36 PM Michael Wojcik <michael.woj...@microfocus.com> wrote:
>
>> To enforce the server's cipher order, use SSL_CTX_set_options(*ctx*,
>> SSL_CTX_get_options(*ctx*) | SSL_OP_CIPHER_SERVER_PREFERENCE).
>>
>> https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_set_options.html
>>
>> ------------------------------
>>
>> Testing server preferences
>> Has server cipher order? no (NOT ok)
>> ...
>> No further cipher order check has been done as order is determined by the
>> client
>
> Hi Michael,
>
> Thanks for the email. I am not sure if I understand it completely. What
> does the server's cipher order mean in layman's terms? Any example
> regarding To enforce the server's cipher order, use
> SSL_CTX_set_options(ctx, SSL_CTX_get_options(ctx) |
> SSL_OP_CIPHER_SERVER_PREFERENCE) to set it in /etc/nginx/nginx.conf. I am
> running Nginx web server.
>
> I have the below settings in /etc/nginx/nginx.conf
>
> server {
>     listen 443 ssl;
>     ssl_protocols TLSv1.2;
>     ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
>     ssl_prefer_server_ciphers off;
> }
>
> Please suggest. I look forward to hearing from you and thanks in advance.
>
> Best Regards,
>
> Kaushal
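
What "server cipher order" means for the nginx settings quoted above, as an added example that is not part of the thread and is not nginx or OpenSSL code: a simplified model in which the side whose order is preferred has its list walked first and the first suite both sides share is chosen. The client offer and the function names are constructed for illustration, and real OpenSSL selection also depends on certificate type and protocol version.

```python
import re

# nginx settings as quoted in the thread (cipher list unchanged).
NGINX_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
}
"""

# Constructed client offer, in the client's own preference order.
CLIENT_OFFER = [
    "DHE-RSA-AES256-GCM-SHA384",
    "AES128-SHA",                      # not in the server list
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305",
]


def parse_tls_settings(conf):
    """Return (server cipher list in order, prefer_server flag) from nginx text."""
    ciphers = re.search(r"^\s*ssl_ciphers\s+([^;]+);", conf, re.M)
    prefer = re.search(r"^\s*ssl_prefer_server_ciphers\s+(on|off)\s*;", conf, re.M)
    server_list = ciphers.group(1).strip().split(":") if ciphers else []
    # nginx defaults ssl_prefer_server_ciphers to off when it is absent.
    return server_list, bool(prefer and prefer.group(1) == "on")


def negotiate(client_offer, server_list, prefer_server):
    """Simplified model: walk the preferred side's list, pick the first shared suite."""
    priority, allowed = (server_list, client_offer) if prefer_server else (client_offer, server_list)
    return next((c for c in priority if c in allowed), None)


def compare(conf, client_offer):
    """Show what this client gets with the configured setting and with each order."""
    server_list, configured = parse_tls_settings(conf)
    return {
        "configured_prefer_server": configured,
        "as_configured": negotiate(client_offer, server_list, configured),
        "client_order": negotiate(client_offer, server_list, False),
        "server_order": negotiate(client_offer, server_list, True),
    }


if __name__ == "__main__":
    print(compare(NGINX_CONF, CLIENT_OFFER))
```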