How did you compile nginx, with openssl sources via --with-openssl=/path/to/sources?
I could imagine that, if not, your (outdated) distro's openssl-dev might be used.
I have this issue when compiling nginx on debian; I have to download openssl and point nginx where to find the sources.
But since openssl recognizes openssl 1.0.1e … this seems fishy somehow, as if you are potentially capable of PFS, but are not able to deliver, for whatever reason.
Hmm, looks like some mismatch: in your config you define ECDH, but in your screenshot I see DH configured (please compare your screenshot with the ssllabs link I provided, esp. the cipher-suites/handshake part).
That's your problem, that version doesn't support ECDHE.
nginx itself has no cipher support; it depends on openssl.
The RHEL/CentOS version of openssl lacks elliptic curve ciphers; they are explicitly stripped from the rpm
(https://bugzilla.redhat.com/show_bug.cgi?id=319901),
and ECDHE is unavailable on RHEL/CentOS with the default openssl.
So either change/rebuild the openssl rpm, rebuild nginx with statically linked openssl, or use another Linux distribution.
You can list and check the available ciphers with:
openssl ciphers -v
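As an added example (my script, not from this thread), the following applies the advice above: it parses the `openssl ciphers -v` listing for ephemeral EC suites, and, going one step further than the reply, also checks whether the installed nginx is dynamically linked against libssl, since that decides which library counts at runtime. The sample listings inside are constructed for the demonstration; the live `openssl`/`nginx`/`ldd` calls only run when those binaries are present.

```sh
#!/bin/sh
# Added example, not from the thread. Checks whether the OpenSSL build that
# nginx relies on can offer ECDHE suites by parsing `openssl ciphers -v`
# output (one suite per line; ephemeral EC key exchange shows as Kx=ECDH,
# static ECDH as Kx=ECDH/RSA or Kx=ECDH/ECDSA, finite-field DHE as Kx=DH).

# count_ecdhe_suites: read `openssl ciphers -v` lines on stdin and print
# how many use ephemeral EC key exchange (0 means the build has no ECDHE).
count_ecdhe_suites() {
    n=0
    while read -r name proto kx rest; do
        [ "$kx" = "Kx=ECDH" ] && n=$((n + 1))
    done
    echo "$n"
}

# has_ecdhe: exit 0 if the listing passed as $1 contains any ECDHE suite.
has_ecdhe() {
    [ "$(printf '%s\n' "$1" | count_ecdhe_suites)" -gt 0 ]
}

# Constructed sample listings (not real output): the first is what a
# distro build with EC stripped would show, the second a full build.
SAMPLE_EC_STRIPPED='DHE-RSA-AES256-SHA  TLSv1 Kx=DH  Au=RSA Enc=AES(256) Mac=SHA1
AES256-SHA          SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1'
SAMPLE_FULL='ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256) Mac=SHA1
ECDH-RSA-AES256-SHA  SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA1
DHE-RSA-AES256-SHA   TLSv1 Kx=DH       Au=RSA  Enc=AES(256) Mac=SHA1'

# report_host: inspect the installed openssl and nginx, skipping whatever is
# absent. A dynamically linked nginx uses the distro libssl at runtime, so
# the library ldd shows is the one that decides, whatever nginx was built with.
report_host() {
    if command -v openssl >/dev/null 2>&1; then
        c=$(openssl ciphers -v 2>/dev/null | count_ecdhe_suites)
        echo "system openssl: $c ECDHE suite(s) available"
    fi
    if command -v nginx >/dev/null 2>&1; then
        nginx -V 2>&1 | grep -i 'openssl' || true
        ldd "$(command -v nginx)" 2>/dev/null | grep -i 'libssl' \
            || echo "nginx: no dynamic libssl (statically linked?)"
    fi
    return 0
}

report_host
```

If the system count is 0, the stripped-EC case from the reply applies; if nginx shows a dynamic libssl, replacing only the nginx binary will not help either.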
For rebuilding nginx with statically linked openssl, spec changes: it would be better if the nginx rpm spec contained a build option like "--with-statically-linked-openssl", for easily switching between statically and dynamically linked openssl during an nginx srpm rebuild.
Or even change the default to always use the latest openssl for nginx from nginx.org.
If nginx is built with the latest openssl, getting forward secrecy enabled is easy, as described in articles:
It is necessary to rebuild nginx too; replacing openssl alone is not sufficient.
BTW, DHE also provides forward secrecy, but it is slow.