Hello! On Wed, Aug 21, 2013 at 01:19:01PM -0400, stephan13360 wrote:
> Chrome 29 came out recently and now supports TLS 1.2. So i decided to add > some of the new TLS 1.2 ciphers to my webserver, which are specified here: > https://www.openssl.org/docs/apps/ciphers.html#TLS_v1_2_cipher_suites. > > My current setup is: Ubuntu 10.04, Nginx 1.5.3 ,OpenSSL 1.0.1e (build > myself) > Config file: > > server { > listen 80; > server_name sherbers.de; > return 301 https://$server_name$request_uri; > } > server { > listen 443 ssl spdy default_server; > server_name sherbers.de; > > ssl_certificate /etc/ssl/private/hosteurope/www.sherbers.de.pem; > ssl_certificate_key /etc/ssl/private/hosteurope/www.sherbers.de.key; > ssl_protocols TLSv1 TLSv1.1 TLSv1.2; > ssl_ciphers > ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA; > ssl_prefer_server_ciphers on; > ssl_session_cache shared:SSL:10m; > > As you can see i only use ciphers with perfect forward secrecy, because why > not. When i connect to my webserver chrome shows it is using TLS 1.2 but as > a cipher it using ECDHE-RSA, which it was using before too when i only > offered TLS 1.1, without any of the ECDHE-ECDSA ciphers. > > Any idea why nginx doesn't offers the new cipers? ECDSA ciphers need an ECDSA certificate to work. As your cert is RSA, it RSA ciphers are used. -- Maxim Dounin http://nginx.org/en/donation.html _______________________________________________ nginx mailing list [email protected] http://mailman.nginx.org/mailman/listinfo/nginx
