Negotiated cipher per proto (matching cipher in list missing). No further cipher order check has been done as order is determined by the client

Kaushal Shriyan kaushalshriyan at gmail.com
Thu Mar 12 03:32:09 UTC 2020


On Thu, Mar 12, 2020 at 1:01 AM Kyle Hamilton <aerowolf at gmail.com> wrote:

> ssl_prefer_server_ciphers on;
>
> On Wed, Mar 11, 2020, 11:58 Kaushal Shriyan <kaushalshriyan at gmail.com>
> wrote:
>
>>
>>
>> On Wed, Mar 11, 2020 at 6:36 PM Michael Wojcik <
>> Michael.Wojcik at microfocus.com> wrote:
>>
>>> To enforce the server's cipher order, use SSL_CTX_set_options(*ctx*,
>>> SSL_CTX_get_options(*ctx*) | SSL_OP_CIPHER_SERVER_PREFERENCE).
>>>
>>> https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_set_options.html
>>>
>>> ------------------------------
>>>
>>>
>>> Testing server preferences
>>>  Has server cipher order?     no (NOT ok)
>>>   ...
>>> No further cipher order check has been done as order is determined by
>>> the client
>>>
>>>
>>>
>> Hi Michael,
>>
>> Thanks for the email. I am not sure if I understand it completely. What
>> does the server's cipher order mean in layman's terms? Any example
>> regarding "To enforce the server's cipher order, use
>> SSL_CTX_set_options(ctx, SSL_CTX_get_options(ctx) |
>> SSL_OP_CIPHER_SERVER_PREFERENCE)" to set it in /etc/nginx/nginx.conf? I am
>> running the Nginx web server.
>>
>> I have the below settings in /etc/nginx/nginx.conf
>>
>> server {
>>         listen 443 ssl;
>>         ssl_protocols TLSv1.2;
>>         ssl_ciphers
>> ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
>>         ssl_prefer_server_ciphers off;
>> }
>>
>> Please suggest. I look forward to hearing from you and thanks in advance.
>>
>> Best Regards,
>>
>> Kaushal
>>
>

Thanks Michael for the explanation and much appreciated. Thanks a lot, Kyle
for the reply.
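The "server cipher order" question in the thread, worked through as an added example (my code, not from any participant): the server list is the `ssl_ciphers` line quoted above, the client offer is constructed, and `prefer_server` stands for `ssl_prefer_server_ciphers on` (i.e. `SSL_OP_CIPHER_SERVER_PREFERENCE`). The second function mimics the logic behind the testssl.sh "Has server cipher order?" check.

```python
# Added example: how a TLS 1.2 server picks a cipher suite from the client's
# offer, with and without server preference. Not code from the thread.

# Server list taken from the nginx ssl_ciphers directive quoted in the thread.
SERVER_CIPHERS = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "DHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
]

# Constructed client offer: a subset of the server list, in the client's own
# order, plus one suite the server does not enable at all.
CLIENT_OFFER = [
    "DHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",  # not in SERVER_CIPHERS, so it can never be selected
]


def negotiate(server_ciphers, client_offer, prefer_server):
    """Return the first mutually supported suite, walking whichever side's
    list is authoritative; None if there is no overlap."""
    if prefer_server:
        # ssl_prefer_server_ciphers on / SSL_OP_CIPHER_SERVER_PREFERENCE:
        # walk the server's list and take the first suite the client offered.
        offered = set(client_offer)
        return next((c for c in server_ciphers if c in offered), None)
    # Default behaviour: walk the client's list and take the first suite the
    # server has enabled. The client's ordering decides.
    enabled = set(server_ciphers)
    return next((c for c in client_offer if c in enabled), None)


def server_enforces_order(server_ciphers, client_offer, prefer_server):
    """Probe the way testssl.sh does: offer the same suites twice, forward and
    reversed. If the selected suite changes, the client is choosing."""
    common = [c for c in client_offer if c in server_ciphers]
    first = negotiate(server_ciphers, common, prefer_server)
    second = negotiate(server_ciphers, list(reversed(common)), prefer_server)
    return first == second


if __name__ == "__main__":
    for pref in (False, True):
        print(f"prefer_server={pref}:",
              negotiate(SERVER_CIPHERS, CLIENT_OFFER, pref),
              "server order enforced:",
              server_enforces_order(SERVER_CIPHERS, CLIENT_OFFER, pref))
```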