3

For a few weeks, my web server, Nginx, has had a problem with TLS protocol versions 1.1 & 1.2:

  • When a user tries to connect to my website, the web browser and Nginx choose only TLS 1.0 for the connection.

  • In the Nginx virtual host conf file, I specified TLS 1.0, 1.1 and 1.2:

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers AES256-SHA256:AES256-SHA;
    ssl_prefer_server_ciphers on;
  • Package versions (newest for both):

    nginx version: nginx/1.4.2
    TLS SNI support enabled
    configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-mail --with-mail_ssl_module --with-file-aio --with-cc-opt='-g -O2 -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt= --with-ipv6

    OpenSSL 1.0.1e 11 Feb 2013

  • Linux distribution: Debian 7.1 x64

  • Qualys SSL Labs result:

    TLS 1.2  No
    TLS 1.1  No
    TLS 1.0  Yes
    SSL 3    No
    SSL 2    No

  • I tried to reboot and update: nothing. I checked the nginx conf file for each virtual host: all have the same parameters for ssl_protocols.

What is my mistake?

Thanks

haflinger

2
  • hynek.me/articles/hardening-your-web-servers-ssl-ciphers Commented Sep 7, 2013 at 21:57
  • OK, anyone ever really solve this? I currently have the same issue. Both using latest version of nginx (1.4.5*) as well as latest from source of openssl. Yet still the damn server does not support TLS v1.1 or TLS v1.2 Anyone? Commented Feb 13, 2014 at 21:59
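The Qualys table in the question can be reproduced locally against one server with `openssl s_client`, forcing a single protocol version per connection. The script below is an added example, not code from the question, the answers, nginx or Qualys; HOST and PORT in the usage line are placeholders. The one subtlety it handles is that s_client prints the *requested* version in its "Protocol  :" line even when the handshake failed, so the verdict is read from the "Cipher is" line instead, and the constructed sample outputs at the bottom exercise exactly that case offline.

```shell
#!/bin/sh
# Added example; not code from the question, the answers, nginx or Qualys.
# Probe one server for each TLS version, the way the SSL Labs table does,
# by restricting `openssl s_client` to a single version and parsing the result.

# s_client reports the *requested* version in "Protocol  :" even on failure,
# so success is read from the cipher line: "New, (NONE), Cipher is (NONE)"
# means no session was established.
handshake_succeeded() {
    printf '%s\n' "$1" | grep -q '^New, .*Cipher is ' &&
        ! printf '%s\n' "$1" | grep -q 'Cipher is (NONE)'
}

# Version shown in the SSL-Session block, e.g. "TLSv1.2"; "none" if absent.
negotiated_protocol() {
    proto=$(printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    [ -n "$proto" ] && echo "$proto" || echo none
}

# Decide Yes/No for one requested version from captured s_client output.
classify_output() {
    want=$1; out=$2
    if handshake_succeeded "$out" && [ "$(negotiated_protocol "$out")" = "$want" ]; then
        echo Yes
    else
        echo No
    fi
}

# s_client flag that restricts the client to exactly one version.
version_flag() {
    case "$1" in
        TLSv1)   printf '%s\n' -tls1 ;;
        TLSv1.1) printf '%s\n' -tls1_1 ;;
        TLSv1.2) printf '%s\n' -tls1_2 ;;
        *)       return 1 ;;
    esac
}

# Connect with a single version allowed and print e.g. "TLSv1.2 Yes".
# Empty stdin makes s_client exit right after the handshake.
probe_version() {
    host=$1; port=$2; want=$3
    flag=$(version_flag "$want") || { echo "unknown version: $want" >&2; return 2; }
    out=$(printf '' | openssl s_client -connect "$host:$port" -servername "$host" "$flag" 2>&1)
    echo "$want $(classify_output "$want" "$out")"
}

# Probe all three versions; run as: probe_all HOST PORT (placeholders).
probe_all() {
    for v in TLSv1 TLSv1.1 TLSv1.2; do
        probe_version "$1" "$2" "$v"
    done
}

# Constructed, abridged s_client outputs used to exercise the parser offline.
SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA'
SAMPLE_FAIL='CONNECTED(00000003)
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000'
```

Running `probe_all` against the server in the question would print the same three Yes/No lines that SSL Labs showed; running it again after the OpenSSL linkage is fixed is a quicker check than waiting for a full SSL Labs scan.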

5 Answers

2

Without messing up the installed openssl version that comes with your system, you can try to build nginx with a custom openssl version. Specify the following option when building your nginx package. I do this with my custom rpm and the latest openssl version.

--with-openssl=/home/mschirrmeister/openssl-1.0.1f 

Once built like this, install only the nginx package on your server and try the ssllabs test again. It should now show support for more versions.

1
  • I did this, but the protocol is still 1.0 :( Commented Aug 12, 2014 at 9:17
1

Sorry for my bad English. I have the same situation and it took me much time to find out. The first ssl_protocols keyword which nginx reads dominates all the servers' SSL protocols in the nginx conf.

Changing the "ssl_protocols" value of all your server configs (in fact just the first one is OK) to contain the value "TLSv1.2" may work.

OpenSSL 1.0.1e is OK. But your OS may have two versions of libssl (mine has 0.9.8 and 1.0.1e), so your nginx may be linked to libssl 0.9.8.

Try compiling nginx against the newest OpenSSL source code.
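The two-libssl situation this answer describes can be confirmed directly: `ldd` shows which shared libraries the nginx binary actually loads, and the embedded version string says how old each one is. The file name alone is not enough, because on Debian the OpenSSL 1.0.1e package installs a library whose SONAME is still libssl.so.1.0.0. The script below is an added example, not code from the answer, nginx or Debian; NGINX_BIN is a placeholder path, and only the version-string parsing is exercised by the constructed inputs.

```shell
#!/bin/sh
# Added example; not code from the answer, nginx or Debian. Reports which
# libssl/libcrypto the nginx binary loads and whether each is OpenSSL 1.0.1
# or later, the first release that implements TLS 1.1 and 1.2.
NGINX_BIN=${NGINX_BIN:-/usr/sbin/nginx}   # placeholder path; adjust for your system

# Reduce "OpenSSL 1.0.1e 11 Feb 2013" (the `openssl version` format) to its
# three numeric fields, "1 0 1"; the trailing letter is only a patch level.
openssl_version_fields() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p'
}

# Returns 0 when the version string denotes OpenSSL >= 1.0.1.
version_supports_tls12() {
    set -- $(openssl_version_fields "$1")
    [ $# -eq 3 ] || return 1
    if [ "$1" -gt 1 ]; then return 0; fi
    if [ "$1" -eq 1 ] && [ "$2" -gt 0 ]; then return 0; fi
    if [ "$1" -eq 1 ] && [ "$2" -eq 0 ] && [ "$3" -ge 1 ]; then return 0; fi
    return 1
}

# Absolute paths of the SSL libraries the binary resolves at load time.
linked_ssl_libs() {
    ldd "$1" 2>/dev/null |
        awk '($1 ~ /^libssl\.so/ || $1 ~ /^libcrypto\.so/) && $3 ~ /^\// { print $3 }'
}

# Version string embedded in a library (libcrypto carries it); empty if none.
library_version_string() {
    strings "$1" 2>/dev/null | grep '^OpenSSL [0-9][0-9]*\.[0-9]' | head -n 1
}

# One line per linked SSL library with a verdict, then the system openssl,
# so a mismatch between the two is visible at a glance.
report_nginx_ssl() {
    for lib in $(linked_ssl_libs "$NGINX_BIN"); do
        ver=$(library_version_string "$lib")
        if [ -z "$ver" ]; then
            echo "$lib -> version string not found"
        elif version_supports_tls12 "$ver"; then
            echo "$lib -> $ver [TLS 1.2 capable]"
        else
            echo "$lib -> $ver [too old for TLS 1.1/1.2]"
        fi
    done
    echo "system openssl: $(openssl version)"
}

# Usage: report_nginx_ssl
```

If the report shows a libssl.so.0.9.8 or a 1.0.0 version string next to a system `openssl version` of 1.0.1e, the binary was built against the older library and rebuilding nginx with a newer OpenSSL, as the answer suggests, is the fix; if both already read 1.0.1e, the library is not what is blocking TLS 1.1/1.2.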

0

I think you have to use

    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

not

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
0

Here is what I normally use for SSL configuration with nginx:

    ssl on;
    ssl_certificate /etc/nginx/ssl/<domain>/server.crt;
    ssl_certificate_key /etc/nginx/ssl/<domain>/server.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
-1

It's a working config for prod servers; try:

    ssl_session_timeout 10m;
    ssl_ciphers RC4:HIGH:!aNULL:!MD5:!kEDH;
    ssl_session_cache shared:SSL:10m;
    ssl_prefer_server_ciphers on;

And rerun Qualys ssl then.

7
  • After editing the files, Qualys results: TLS 1.2 No, TLS 1.1 No, TLS 1.0 Yes, SSL 3 Yes, SSL 2 No. Commented Sep 7, 2013 at 21:57
  • This doesn't enable TLS 1.2 or any of the newer ciphers. And it uses RC4, so it's not recommended. Commented Sep 7, 2013 at 21:57
  • Yes, exactly, I knew it, but to resolve my issue I can reduce security and then increase it. Can TLS 1.1 be enabled with this suite? Commented Sep 7, 2013 at 21:58
  • I see. TLSv1.1/1.2 will work if you upgrade the openssl package in the system. Commented Sep 8, 2013 at 10:16
  • Yes, but I already had the latest version: OpenSSL 1.0.1e 11 Feb 2013. Need to reinstall; is it safe for SSH access? Commented Sep 8, 2013 at 18:30
