> I did an ssldump and this is the conversation between both servers:

This ssldump seems incomplete, there is no response. Please post the full ssldump.
The bug is probably neither in openssl nor in nginx, but in the origin server (but we don't have the full handshake here). Since nginx 1.5.6, you can configure proxy_ssl_protocols and proxy_ssl_ciphers to configure backend ssl traffic, which may allow you to work around certain backend bugs. Certainly a lot of bogus ciphers are enabled by default in your setup (NULL, EXPORT, etc).

If you have nginx >= 1.5.6, you can probably work around this by forcing SSLv3 (which I would not recommend at all):

    proxy_ssl_protocols SSLv3;

But I would rather configure a sane cipher list with proxy_ssl_ciphers and try to get it working with it (see [1]). Try playing with "openssl s_client -cipher <cipherlist>" to find a secure and working configuration.

Regards,
Lukas

[1] https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
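As an added illustration (not part of Lukas's reply), here is what the recommended approach looks like in an nginx config: the SSLv3 workaround kept only as a commented-out contrast, and an explicit protocol and cipher policy for the backend connection instead of the permissive defaults. The upstream name, server_name, certificate paths and the exact cipher string are assumptions; the cipher string follows the OpenSSL syntax the Mozilla page in [1] uses.

```nginx
# Added example, not from the original thread.
# Requires nginx >= 1.5.6 for proxy_ssl_protocols / proxy_ssl_ciphers.
# Hostname, paths and cipher string below are assumptions; adjust them
# to what your origin server actually supports.

upstream origin {
    server origin.example.internal:443;   # assumed backend
}

server {
    listen 443 ssl;
    server_name proxy.example.com;                   # assumed
    ssl_certificate     /etc/nginx/tls/proxy.crt;    # assumed paths
    ssl_certificate_key /etc/nginx/tls/proxy.key;

    location / {
        proxy_pass https://origin;

        # Weak workaround discussed in the thread, shown only for contrast.
        # Leave it commented out: SSLv3 is obsolete.
        # proxy_ssl_protocols SSLv3;

        # Preferred: modern protocol only, plus a curated cipher list so
        # NULL, EXPORT, RC4 and anonymous suites are never offered to the
        # backend. Negation entries (!...) are explicit exclusions.
        proxy_ssl_protocols TLSv1.2;
        proxy_ssl_ciphers   ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK;
    }
}

# Before reloading nginx, confirm the origin accepts the same list
# (this mirrors the s_client probing suggested in the reply):
#   openssl s_client -connect origin.example.internal:443 -tls1_2 \
#     -cipher 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK'
# A successful handshake prints "Cipher is <name>"; "handshake failure"
# means the backend supports none of the offered suites.
```

If the probe fails for every modern suite, that points back at the origin server's TLS configuration rather than at nginx or openssl, which is the conclusion the reply draws.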
