Negotiated cipher per proto (matching cipher in list missing). No further cipher order check has been done as order is determined by the client
Kaushal Shriyan
kaushalshriyan at gmail.com
Wed Mar 11 16:57:25 UTC 2020
On Wed, Mar 11, 2020 at 6:36 PM Michael Wojcik <
Michael.Wojcik at microfocus.com> wrote:
> To enforce the server's cipher order, use SSL_CTX_set_options(*ctx*,
> SSL_CTX_get_options(*ctx*) | SSL_OP_CIPHER_SERVER_PREFERENCE).
>
> https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_set_options.html
>
> ------------------------------
>
>
> Testing server preferences
> Has server cipher order? no (NOT ok)
> ...
> No further cipher order check has been done as order is determined by the
> client
>
>
>
Hi Michael,
Thanks for the email. I am not sure if i understand it completely. what
does the server's cipher order mean in layman's terms? Any example
regarding To enforce the server's cipher order, use
SSL_CTX_set_options(ctx, SSL_CTX_get_options(ctx) |
SSL_OP_CIPHER_SERVER_PREFERENCE) to set it in /etc/nginx/nginx.conf. I am
running Nginx web server.
I have the below settings in /etc/nginx/nginx.conf
server {
listen 443 ssl;
ssl_protocols TLSv1.2;
ssl_ciphers
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
}
Please suggest. I look forward to hearing from you and thanks in advance.
Best Regards,
Kaushal
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20200311/6a937cf8/attachment.html>
More information about the openssl-users
mailing list