On Thu, Mar 12, 2020 at 1:01 AM Kyle Hamilton <aerow...@gmail.com> wrote:
> ssl_prefer_server_ciphers on;
>
> On Wed, Mar 11, 2020, 11:58 Kaushal Shriyan <kaushalshri...@gmail.com>
> wrote:
>
>>
>> On Wed, Mar 11, 2020 at 6:36 PM Michael Wojcik <
>> michael.woj...@microfocus.com> wrote:
>>
>>> To enforce the server's cipher order, use SSL_CTX_set_options(*ctx*,
>>> SSL_CTX_get_options(*ctx*) | SSL_OP_CIPHER_SERVER_PREFERENCE).
>>>
>>> https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_set_options.html
>>>
>>> ------------------------------
>>>
>>> Testing server preferences
>>> Has server cipher order? no (NOT ok)
>>> ...
>>> No further cipher order check has been done as order is determined by
>>> the client
>>>
>> Hi Michael,
>>
>> Thanks for the email. I am not sure if I understand it completely. What
>> does the server's cipher order mean in layman's terms? Any example
>> regarding "To enforce the server's cipher order, use
>> SSL_CTX_set_options(ctx, SSL_CTX_get_options(ctx) |
>> SSL_OP_CIPHER_SERVER_PREFERENCE)" to set it in /etc/nginx/nginx.conf? I am
>> running Nginx web server.
>>
>> I have the below settings in /etc/nginx/nginx.conf
>>
>> server {
>>     listen 443 ssl;
>>     ssl_protocols TLSv1.2;
>>     ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
>>     ssl_prefer_server_ciphers off;
>> }
>>
>> Please suggest. I look forward to hearing from you and thanks in advance.
>>
>> Best Regards,
>>
>> Kaushal
>>
>
Thanks Michael for the explanation and much appreciated. Thanks a lot, Kyle for the reply.
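
Added example, not part of the original thread and not nginx or OpenSSL code: a simplified Python model of which TLS 1.2 suite gets picked for the quoted server block with `ssl_prefer_server_ciphers` off versus on. The helper names `directive` and `negotiate` and the client offer are constructed for illustration; the model assumes `ssl_ciphers` is a plain colon-separated list of suite names and ignores certificate type.

```python
import re

# Server block as quoted in the thread (ssl_prefer_server_ciphers off).
NGINX_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
}
"""
# Same block with the one-line change suggested in the reply.
FIXED_CONF = NGINX_CONF.replace("ssl_prefer_server_ciphers off;", "ssl_prefer_server_ciphers on;")

# Constructed client offer, most preferred first (not captured from a real client).
CLIENT_OFFER = [
    "DHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES128-GCM-SHA256",
]


def directive(conf, name, default=None):
    """Return the last value of a single-argument nginx directive, ignoring comments."""
    conf = re.sub(r"#[^\n]*", "", conf)
    pattern = r"^\s*" + re.escape(name) + r"\s+([^;]+?)\s*;"
    found = re.findall(pattern, conf, flags=re.MULTILINE)
    return found[-1] if found else default


def negotiate(conf, client_offer):
    """Model the suite choice: return (suite, side_whose_order_decided)."""
    server_list = directive(conf, "ssl_ciphers", "").split(":")
    # nginx treats the directive as off when it is absent.
    prefer_server = directive(conf, "ssl_prefer_server_ciphers", "off") == "on"
    # The deciding side's list is walked in order; the other list only filters.
    ranking, allowed = (server_list, client_offer) if prefer_server else (client_offer, server_list)
    for suite in ranking:
        if suite in allowed:
            return suite, "server" if prefer_server else "client"
    return None, None  # no shared suite: the handshake would fail


if __name__ == "__main__":
    for label, conf in (("off", NGINX_CONF), ("on", FIXED_CONF)):
        print(label, negotiate(conf, CLIENT_OFFER))
```

With the directive off, the client's first acceptable suite wins, which is what the "Has server cipher order? no" line in the quoted scan output reports; with it on, the server's list order decides.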