Negotiated cipher per proto (matching cipher in list missing). No further cipher order check has been done as order is determined by the client
Kyle Hamilton
aerowolf at gmail.com
Wed Mar 11 19:30:48 UTC 2020
ssl_prefer_server_ciphers on;
On Wed, Mar 11, 2020, 11:58 Kaushal Shriyan <kaushalshriyan at gmail.com>
wrote:
>
>
> On Wed, Mar 11, 2020 at 6:36 PM Michael Wojcik <
> Michael.Wojcik at microfocus.com> wrote:
>
>> To enforce the server's cipher order, use SSL_CTX_set_options(*ctx*,
>> SSL_CTX_get_options(*ctx*) | SSL_OP_CIPHER_SERVER_PREFERENCE).
>>
>> https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_set_options.html
>>
>> ------------------------------
>>
>>
>> Testing server preferences
>> Has server cipher order? no (NOT ok)
>> ...
>> No further cipher order check has been done as order is determined by the
>> client
>>
>>
>>
> Hi Michael,
>
> Thanks for the email. I am not sure if i understand it completely. what
> does the server's cipher order mean in layman's terms? Any example
> regarding To enforce the server's cipher order, use
> SSL_CTX_set_options(ctx, SSL_CTX_get_options(ctx) |
> SSL_OP_CIPHER_SERVER_PREFERENCE) to set it in /etc/nginx/nginx.conf. I am
> running Nginx web server.
>
> I have the below settings in /etc/nginx/nginx.conf
>
> server {
> listen 443 ssl;
> ssl_protocols TLSv1.2;
> ssl_ciphers
> ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
> ssl_prefer_server_ciphers off;
> }
>
> Please suggest. I look forward to hearing from you and thanks in advance.
>
> Best Regards,
>
> Kaushal
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20200311/d75a72d7/attachment-0001.html>
More information about the openssl-users
mailing list