hi darren,
your ciphers look very good!
i included your suggestion in my ssl-guide, looking forward to perftest those cipher_suites.
regards,
mex
Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,243341,243594#msg-243594
___
nginx mailin
inx srpm rebuild.
or even change default to always use
latest openssl for nginx from nginx.org
if nginx build with latest openssl -
Getting forward secrecy enabled is easy, as described in articles:
https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-
On 3 Oct 2013, at 16:36, Sergey Budnevitch wrote:
>
> On 2 Oct 2013, at 15:08, Vahan Yerkanian wrote:
>
>> On Oct 2, 2013, at 9:57 AM, justin wrote:
>>
>>> I don't compile nginx, I get it from the official CentOS repo:
>>>
>>> [nginx]
>>> name=nginx repo
>>> baseurl=http://nginx.org/pack
On 2 Oct 2013, at 15:08, Vahan Yerkanian wrote:
> On Oct 2, 2013, at 9:57 AM, justin wrote:
>
>> I don't compile nginx, I get it from the official CentOS repo:
>>
>> [nginx]
>> name=nginx repo
>> baseurl=http://nginx.org/packages/centos/6/$basearch/
>> gpgcheck=0
>> enabled=1
>>
>
> That's
Yeah, any way to get the official yum repo to support ECDHE when they
compile? Seems like a basic thing they should already do.
Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,243341,243398#msg-243398
On Oct 2, 2013, at 9:57 AM, justin wrote:
> I don't compile nginx, I get it from the official CentOS repo:
>
> [nginx]
> name=nginx repo
> baseurl=http://nginx.org/packages/centos/6/$basearch/
> gpgcheck=0
> enabled=1
>
That's your problem, that version doesn't support ECDHE.
You'll need to c
I have:
ssl_ciphers HIGH:!SSLv2:!MEDIUM:!LOW:!EXP:!RC4:!DSS:!aNULL:@STRENGTH;
ssl_prefer_server_ciphers on;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
Yields:
https://www.ssllabs.com/ssltest/analyze.html?d=rush.bluerosetech.com
nginx 1.4.2 compiled against OpenSSL 1.0.1e 11 Feb 2013
maybe you ask the person who creates the packages how nginx was built, which
openssl-version applies etc pp.
can you execute "openssl version" on the server nginx runs on?
Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,243341,243351#msg-243351
I don't compile nginx, I get it from the official CentOS repo:
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/6/$basearch/
gpgcheck=0
enabled=1
Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,243341,243350#msg-243350
how did you compile nginx, with openssl-sources via
--with-openssl=/path/to/sources ?
i could imagine that, if not, your (outdated) distro's openssl-dev might be
used.
i have this issue when compiling nginx on debian; i have to download openssl
and
point nginx where to find the sources
but since
hmm, looks like some mismatch: in your config you define ECDH, but in your
screenshot i see DH configured (please compare your screenshot with the
ssllabs-link i provided, esp. the cipher-suites/handshake - part).
should be:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH 256 bits (eq. 30
Comparing the result from makepw.com and my site, I am missing the following
cipher suites:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH 256 bits (eq. 3072
bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH 256 bits (eq. 3072
bits RSA) FS 128
TLS_ECDHE_RSA_WITH_A
Sucks the forum software cutting off the cipher list string, here is what I
am using in a gist:
https://gist.github.com/nodesocket/8d4cc41c91466ae17b80
Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,243341,243346#msg-243346
I tried what was recommended by
(http://www.mare-system.de/guide-to-nginx-ssl-spdy-hsts/#perfect-forward-secrecy):
But still missing: IE 11 / Win 8.1 (FAIL)
IE 8-10 / Win 7 (NO FS)
IE 7 / Vista (NO FS)
Here is my exact config:
ssl_prefer_se
btw, check the following for a reference for PFS-setup:
https://www.ssllabs.com/ssltest/analyze.html?d=makepw.com
ssl-settings are:
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers
EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECD
Hi justin,
> even though I am using all the recommended settings.
which recommended settings? recommended by whom?
i learned that, from ssllabs-view, only the cipher-suites recommended by
ivan ristic seem to work:
http://www.mare-system.de/guide-to-nginx-ssl-spdy-hsts/#perfect-forward-secrecy
all
On ssllabs.com I am getting the following, even though I am using all the
recommended settings.
http://i.imgur.com/TlsKMzP.png
Here are my nginx settings:
ssl_prefer_server_ciphers on;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SH