<div dir="ltr"><div dir="ltr"></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Mar 12, 2020 at 1:01 AM Kyle Hamilton <<a href="mailto:aerowolf@gmail.com">aerowolf@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto"><div>ssl_prefer_server_ciphers on;<br><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Mar 11, 2020, 11:58 Kaushal Shriyan <<a href="mailto:kaushalshriyan@gmail.com" target="_blank">kaushalshriyan@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Mar 11, 2020 at 6:36 PM Michael Wojcik <<a href="mailto:Michael.Wojcik@microfocus.com" rel="noreferrer" target="_blank">Michael.Wojcik@microfocus.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
To enforce the server's cipher order, use SSL_CTX_set_options(<i>ctx</i>, SSL_CTX_get_options(<i>ctx</i>) | SSL_OP_CIPHER_SERVER_PREFERENCE).<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
<a href="https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_set_options.html" rel="noreferrer" target="_blank">https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_set_options.html</a><br>
</div>
<div id="gmail-m_1373094358484592640m_-1817183577560302347gmail-m_-3773856032147679003appendonsend"></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<hr style="display:inline-block;width:98%">
<div>
<div dir="ltr">
<div>
<blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr"><br>
<blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Testing server preferences<br>
<font color="#ff0000">Has server cipher order? no (NOT ok)</font><br>
<div> <font color="#ff0000">...<br>
No further cipher order check has been done as order is determined by the client</font></div>
</blockquote>
</div>
</blockquote>
<br></div></div></div></div></blockquote><div><br></div><div>Hi Michael,</div><div><br></div><div>Thanks for the email. I am not sure if i understand it completely. what does the server's cipher order mean in layman's terms? Any example regarding To enforce the server's cipher order, use SSL_CTX_set_options(ctx, SSL_CTX_get_options(ctx) | SSL_OP_CIPHER_SERVER_PREFERENCE) to set it in /etc/nginx/nginx.conf. I am running Nginx web server.</div><div><br></div><div>I have the below settings in /etc/nginx/nginx.conf</div><div><br></div><div>server {<br> listen 443 ssl;<br> ssl_protocols TLSv1.2;<br> ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;<br> ssl_prefer_server_ciphers off;<br></div><div>}</div><div><br></div><div>Please suggest. I look forward to hearing from you and thanks in advance.</div><div><br></div><div>Best Regards, </div><div><br></div><div>Kaushal</div></div></div></blockquote></div></div></div></blockquote><div><br></div><div><br></div><div>Thanks Michael for the explanation and much appreciated. Thanks a lot, Kyle for the reply.</div></div></div>