You were absolutely correct. It is working now. I changed three things. First I forced TLS 1.0, then changed the directive ssl_protocols to proxy_ssl_protocols as you suggested. Finally, I restricted the cipher list as you also mentioned. I had thought that I would leave all that out and tie things down when I got it working. I never thought being so liberal would prevent it from working in the first place. Thanks for your thoughts.

Regards.

On Mon, Jan 12, 2015 at 9:55 AM, Lukas Tribus <luky...@hotmail.com> wrote:
>
> > I did an ssldump and this is the conversation between both servers:
>
> This ssldump seems incomplete, there is no response. Please post the
> full ssldump.
>
> The bug is probably neither in openssl nor in nginx, but in the origin
> server (but we don't have the full handshake here).
>
>
> Since nginx 1.5.6, you can configure proxy_ssl_protocols and
> proxy_ssl_ciphers to configure backend ssl traffic, which may
> allow you to work around certain backend bugs.
>
> Certainly a lot of bogus ciphers are enabled by default in your
> setup (NULL, EXPORT, etc).
>
> If you have nginx >= 1.5.6, you can probably work around this
> by forcing SSLv3 (which I would not recommend at all):
> proxy_ssl_protocols SSLv3;
>
> But I would rather configure a sane cipher list with
> proxy_ssl_ciphers and see to get it working with it (see [1]).
>
> Try playing with "openssl s_client -cipher <cipherlist>" to find
> a secure and working configuration.
>
>
>
>
> Regards,
>
> Lukas
>
>
> [1]
> https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
>
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
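The fix Lukas describes, written out as an added example (this is not the original poster's configuration and not from the thread): the client-facing `ssl_protocols`/`ssl_ciphers` directives have no effect on the proxied connection, which is why changing `ssl_protocols` did nothing; the backend side is governed by `proxy_ssl_protocols` and `proxy_ssl_ciphers` (nginx 1.5.6+). The upstream address, certificate paths and the claim that this origin only completes a TLS 1.0 handshake are assumptions made for the example. The `proxy_ssl_verify*` lines go beyond the thread: they require nginx 1.7.0+ and are the part that actually authenticates the origin, since nginx does not verify the backend certificate by default.

```nginx
# Added example, not from the mailing-list thread. Hypothetical origin at
# 203.0.113.10:443 that is assumed to accept only TLS 1.0 with a small
# set of RSA/ECDHE-RSA AES-CBC suites.
http {
    upstream origin {
        server 203.0.113.10:443;
    }

    server {
        listen 443 ssl;
        server_name front.example.com;               # assumed name
        ssl_certificate     /etc/nginx/front.crt;    # assumed paths
        ssl_certificate_key /etc/nginx/front.key;

        # Client-facing side ONLY. These do not touch the connection
        # nginx opens to the origin, which was the mix-up in the thread.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers   HIGH:!aNULL:!MD5;

        location / {
            proxy_pass https://origin;

            # Before: the implicit defaults for the backend side, shown
            # commented out. "DEFAULT" is OpenSSL's own default string,
            # which on older OpenSSL builds still admits export-grade,
            # DES and RC4 suites that a picky origin may reject outright.
            # proxy_ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
            # proxy_ssl_ciphers   DEFAULT;

            # After: offer the origin only what it is known to accept.
            # Pinning a single legacy protocol is a workaround for a
            # broken origin, not a target configuration; widen to
            # "TLSv1.2" (or add it) as soon as the origin supports it.
            proxy_ssl_protocols TLSv1;
            proxy_ssl_ciphers   "ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!EXPORT:!RC4:!MD5:!DES";

            # Beyond the thread (nginx >= 1.7.0): verify the origin's
            # certificate against an assumed CA bundle. Without this,
            # nginx accepts any certificate the origin presents.
            proxy_ssl_verify              on;
            proxy_ssl_verify_depth        2;
            proxy_ssl_trusted_certificate /etc/nginx/origin-ca.crt;
        }
    }
}
```

To confirm a candidate list before putting it in the config, probe the origin the way Lukas suggests, with the protocol pinned to match: `openssl s_client -connect 203.0.113.10:443 -tls1 -cipher 'ECDHE-RSA-AES128-SHA:AES128-SHA'`. A handshake that completes there but fails from nginx usually means the nginx build links a different OpenSSL (check `nginx -V`), so the cipher names resolve differently.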