Re: Negotiated cipher per proto (matching cipher in list missing). No further cipher order check has been done as order is determined by the client

On Thu, Mar 12, 2020 at 1:01 AM Kyle Hamilton <aerowolf@xxxxxxxxx> wrote:
ssl_prefer_server_ciphers on;

On Wed, Mar 11, 2020, 11:58 Kaushal Shriyan <kaushalshriyan@xxxxxxxxx> wrote:


On Wed, Mar 11, 2020 at 6:36 PM Michael Wojcik <Michael.Wojcik@xxxxxxxxxxxxxx> wrote:
To enforce the server's cipher order, use SSL_CTX_set_options(ctx, SSL_CTX_get_options(ctx) | SSL_OP_CIPHER_SERVER_PREFERENCE).



Testing server preferences
 Has server cipher order?     no (NOT ok)
  ...
No further cipher order check has been done as order is determined by the client


Hi Michael,

Thanks for the email. I am not sure if I understand it completely. What does the server's cipher order mean in layman's terms? Any example regarding To enforce the server's cipher order, use SSL_CTX_set_options(ctx, SSL_CTX_get_options(ctx) | SSL_OP_CIPHER_SERVER_PREFERENCE) to set it in /etc/nginx/nginx.conf. I am running Nginx web server.

I have the below settings in /etc/nginx/nginx.conf

server {
        listen 443 ssl;
        ssl_protocols TLSv1.2;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers off;
}

Please suggest. I look forward to hearing from you and thanks in advance.

Best Regards, 

Kaushal


Thanks Michael for the explanation and much appreciated. Thanks a lot, Kyle for the reply.
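
Added example, not part of the thread or of nginx/OpenSSL: a small model of the selection rule the thread discusses, run against the server block quoted above. The client offer and the function names are constructed for illustration, and the parser assumes ssl_ciphers is an explicit colon-separated list of suite names, as it is in that block.

```python
import re

# The server block from the message above (ssl_prefer_server_ciphers off).
NGINX_CONF = """
server {
        listen 443 ssl;
        ssl_protocols TLSv1.2;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers off;
}
"""

# Constructed client offer (an assumption, not from the thread): a client that
# ranks a DHE suite and CHACHA20 ahead of ECDHE AES-GCM.
CLIENT_OFFER = [
    "DHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES128-GCM-SHA256",
]


def parse_tls_directives(conf):
    """Return (cipher suites in configured order, prefer_server flag)."""
    found = dict(re.findall(r"^\s*(ssl_\w+)\s+([^;]+);", conf, re.M))
    ciphers = [c for c in found.get("ssl_ciphers", "").split(":") if c]
    # nginx treats ssl_prefer_server_ciphers as off when the directive is absent.
    prefer = found.get("ssl_prefer_server_ciphers", "off").strip() == "on"
    return ciphers, prefer


def negotiate(server, client, prefer_server):
    """Walk the preferred side's list; the first suite both sides share wins."""
    first, second = (server, client) if prefer_server else (client, server)
    return next((c for c in first if c in second), None)


if __name__ == "__main__":
    server, prefer = parse_tls_directives(NGINX_CONF)
    print("as configured (client order):", negotiate(server, CLIENT_OFFER, prefer))
    print("with server preference on:   ", negotiate(server, CLIENT_OFFER, True))
```

With the directive off, the client's first shared suite is chosen, which is what the "order is determined by the client" line in the test output reports; with it on, the server's first shared suite is chosen.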
