On Thu, Mar 12, 2020 at 1:01 AM Kyle Hamilton <aerowolf@xxxxxxxxx> wrote:
ssl_prefer_server_ciphers on;

On Wed, Mar 11, 2020, 11:58 Kaushal Shriyan <kaushalshriyan@xxxxxxxxx> wrote:

On Wed, Mar 11, 2020 at 6:36 PM Michael Wojcik <Michael.Wojcik@xxxxxxxxxxxxxx> wrote:

To enforce the server's cipher order, use SSL_CTX_set_options(ctx, SSL_CTX_get_options(ctx) | SSL_OP_CIPHER_SERVER_PREFERENCE).
Testing server preferences
Has server cipher order? no (NOT ok)
...
No further cipher order check has been done as order is determined by the client

Hi Michael,

Thanks for the email. I am not sure if I understand it completely. What does the server's cipher order mean in layman's terms? Any example regarding To enforce the server's cipher order, use SSL_CTX_set_options(ctx, SSL_CTX_get_options(ctx) | SSL_OP_CIPHER_SERVER_PREFERENCE) to set it in /etc/nginx/nginx.conf. I am running Nginx web server.

I have the below settings in /etc/nginx/nginx.conf

server {
listen 443 ssl;
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
}

Please suggest. I look forward to hearing from you and thanks in advance.

Best Regards,
Kaushal
Thanks Michael for the explanation and much appreciated. Thanks a lot, Kyle for the reply.
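
An added example, not part of any poster's message and not nginx or OpenSSL code: it models how a TLS 1.2 server picks a cipher suite with ssl_prefer_server_ciphers off versus on, using the ssl_ciphers list quoted in the thread. The client offer and the function names are constructed for illustration, and the model assumes the server holds a certificate usable for every suite it lists.

```python
import re

# Constructed input: the server block quoted in the thread.
NGINX_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
}
"""

# Constructed client offer, most preferred first (OpenSSL suite names).
CLIENT_OFFER = [
    "DHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
]

def directive(conf, name, default):
    """Return the value of an uncommented nginx directive, or default."""
    m = re.search(rf"^\s*{re.escape(name)}\s+([^;]+);", conf, re.MULTILINE)
    return m.group(1).strip() if m else default

def server_settings(conf):
    """Extract the ordered cipher list and the preference flag."""
    ciphers = [c for c in directive(conf, "ssl_ciphers", "").split(":") if c]
    # nginx treats ssl_prefer_server_ciphers as off when it is not set.
    prefer = directive(conf, "ssl_prefer_server_ciphers", "off") == "on"
    return ciphers, prefer

def negotiate(client_order, server_order, server_preference):
    """Walk the deciding side's list and return the first shared suite."""
    if server_preference:
        deciding, other = server_order, client_order
    else:
        deciding, other = client_order, server_order
    shared = set(other)
    for suite in deciding:
        if suite in shared:
            return suite
    return None  # no suite in common: the handshake fails

if __name__ == "__main__":
    ciphers, prefer = server_settings(NGINX_CONF)
    print("configured preference on:", prefer)
    print("off ->", negotiate(CLIENT_OFFER, ciphers, False))
    print("on  ->", negotiate(CLIENT_OFFER, ciphers, True))
```

With the setting off, the client's first choice wins even though it sits near the bottom of the server's list, which is what the "Has server cipher order? no" finding reports.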