Just to be thorough, are you sure nginx is actually using the config file that you think it is? If we’re talking about your personal domain I see TLS 1.0 and SSL 3.0 available which in this snippet you have not enabled. This behavior isn’t something I’m able to replicate with the 1.7.6/1.0.1i combo.
__________________
Scott Larson
Systems Administrator
Wiredrive/LA
310 823 8238 ext. 1106
310 943 2078 fax
www.wiredrive.com <http://www.wiredrive.com/>
www.twitter.com/wiredrive <http://www.twitter.com/wiredrive>
www.facebook.com/wiredrive <http://www.wiredrive.com/facebook>

> On Oct 17, 2014, at 4:28 PM, Jessica Litwin <[email protected]> wrote:
>
> using openssl101j, I get the same results with the following in both my vhost config and nginx.conf
>
> ssl_protocols TLSv1.2 TLSv1.1;
> ssl_ciphers EECDH+aRSA+AESGCM:EECDH+aRSA+AES:EDH+aRSA+AESGCM:EDH+aRSA+AES:DES-CBC3-SHA:!EXP:!CAMELLIA:!DSS:!MEDIUM:!LOW:!aNULL:!eNULL:!RC4;
> ssl_prefer_server_ciphers on;
>
> RC4 cipher is used with TLS 1.1 or newer protocols, even though stronger ciphers are available.
>
> What the hell am I doing wrong?
>
> On Fri, Oct 17, 2014 at 6:14 AM, itpp2012 <[email protected]> wrote:
> Scott Larson Wrote:
> -------------------------------------------------------
> > Something else must be going on here. Looking at your ssl_cipher string, you're opening with a rough declaration of specific ciphers you'll support, none of which should pull in RC4. It's specific enough in fact that your subsequent excluded ciphers don't even come into play. To test this I switched in my old RSA cert, rebuilt 1.7.6 against OpenSSL 1.0.1j,
>
> Which is why I said try 101j, between 101e and j there are big differences when it comes to invalid fallbacks.
> Not even mentioning using 101e is asking to be hacked.
>
> Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254028,254092#msg-254092
>
> --
> Jessica K. Litwin
> jessicalitwin.com <http://jessicalitwin.com/>
> twitter: press5
> aim: press5key
> skype: dr_jkl
_______________________________________________
nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx
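
The two checks discussed in this thread (which TLS directives a config really contains, and whether the quoted cipher string can select RC4) can be run offline. The sketch below is an added example, not code from any participant or from nginx. It assumes the text passed in is the config nginx actually loads, and it expands the cipher string with the OpenSSL that Python is linked against, which may differ from the build nginx uses. `SAMPLE` is constructed from the directives quoted above.

```python
import re
import ssl

# Constructed sample: the directives quoted in the thread, set at http and server level.
SAMPLE = """\
http {
    ssl_protocols TLSv1.2 TLSv1.1;
    server {
        ssl_protocols TLSv1.2 TLSv1.1;
        ssl_ciphers EECDH+aRSA+AESGCM:EECDH+aRSA+AES:EDH+aRSA+AESGCM:EDH+aRSA+AES:DES-CBC3-SHA:!EXP:!CAMELLIA:!DSS:!MEDIUM:!LOW:!aNULL:!eNULL:!RC4;
        ssl_prefer_server_ciphers on;
    }
}
"""

DIRECTIVE = re.compile(r"\b(ssl_protocols|ssl_ciphers|ssl_prefer_server_ciphers)\s+([^;]+);")

def find_ssl_directives(conf_text):
    """Return (line, name, value) for every TLS directive in nginx config text."""
    text = re.sub(r"#[^\n]*", "", conf_text)  # drop comments, keep the line count
    found = []
    for m in DIRECTIVE.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        name, raw = m.group(1), m.group(2)
        # A cipher string wrapped by a mail client is rejoined without spaces.
        value = ("" if name == "ssl_ciphers" else " ").join(raw.split())
        found.append((line, name, value))
    return found

def expand_ciphers(cipher_string):
    """Suites the local OpenSSL selects for a cipher string (TLS 1.2 and older)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are not governed by this string, so they are left out.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def audit(conf_text):
    """Flag legacy protocols, RC4 in the expansion, and conflicting settings."""
    notes, values = [], {}
    for line, name, value in find_ssl_directives(conf_text):
        values.setdefault(name, set()).add(value)
        if name == "ssl_protocols":
            notes += [f"line {line}: legacy protocol {p}" for p in value.split() if p in ("SSLv2", "SSLv3", "TLSv1")]
        elif name == "ssl_ciphers":
            notes += [f"line {line}: cipher string selects {n}" for n in expand_ciphers(value) if "RC4" in n]
    notes += [f"{n} is set to {len(v)} different values" for n, v in sorted(values.items()) if len(v) > 1]
    return notes

if __name__ == "__main__":
    print(audit(SAMPLE) or "no findings")
```

An empty result for a file, while a scan of the live server still shows other protocols or ciphers, points back to the first question in the reply: the running nginx is reading a different configuration or is linked against a different OpenSSL.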
