On 14/11/14 13:28, Jérémie Courrèges-Anglas wrote: > Renaud Allard <[email protected]> writes: > >> On 11/14/2014 10:12 AM, Jonathan Gray wrote: >>>> Now openssl ciphers CHACHA20 works as intended >>>> # openssl ciphers CHACHA20 >>>> ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-PO LY1305 >>> This is already present in rev 1.68/-current >>> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/ssl/ssl_ciph.c.di ff?r2=1.68&r1=1.67&f=u >>> >>> >> So now, I have set in nginx.conf this >> ssl_ciphers !aNULL:AES256:AES128:CHACHA20:@STRENGTH; >> >> But using sslscan, I still get: >> Failed TLSv1 256 bits ECDHE-ECDSA-CHACHA20-POLY1305 > I guess it means that you didn't feed with nginx an ecdsa cert. > It seems that the problem is in sslscan itself. When I use Qualys SSL labs to test, it successfully lists CHACHA20 ciphers.
[demime 1.01d removed an attachment of type application/pkcs7-signature which had a name of smime.p7s]
