Openssl 1.0.1 and tls1.1 and up

Hello

I'm struggling with enabling TLS 1.1 and TLS 1.2. Some info:

NGINX:

nginx -V

nginx version: nginx/1.5.13
built by gcc 4.8.1 (Ubuntu/Linaro 4.8.1-10ubuntu9)
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx/1.5.13
--conf-path=/etc/nginx/nginx.conf
--error-log-path=/var/log/nginx/error.log
--http-client-body-temp-path=/var/lib/nginx/body
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi
--http-log-path=/var/log/nginx/access.log
--http-proxy-temp-path=/var/lib/nginx/proxy
--http-scgi-temp-path=/var/lib/nginx/scgi
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi
--lock-path=/var/lock/nginx.lock
--pid-path=/run/nginx.pid --with-pcre-jit --with-debug
--with-http_addition_module --with-http_auth_request_module
--with-http_dav_module --with-http_geoip_module
--with-http_gzip_static_module --with-http_image_filter_module
--with-http_realip_module --with-http_spdy_module --with-http_ssl_module
--with-http_stub_status_module --with-http_sub_module
--with-http_xslt_module --with-ipv6
--add-module=/usr/src/nginx-modules/nginx-openssl-version
--add-module=/usr/src/nginx-modules/testcookie-nginx-module
--with-pcre=/usr/src/nginx-modules/pcre-8.35
--with-openssl=/usr/src/nginx-modules/openssl-1.0.1g

SSL settings:

ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_prefer_server_ciphers on;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

SSL Server Test (Powered by Qualys SSL Labs) results:

Protocols
TLS 1.2 No
TLS 1.1 No
TLS 1.0 Yes
SSL 3 Yes
SSL 2 No

Any hint ?

Posted at Nginx Forum:

I have an nginx 1.5 install where I don't set the ssl_protocols, because
the defaults are fine:
--> "Since versions 1.1.13 and 1.0.12, nginx uses "ssl_protocols SSLv3
TLSv1 TLSv1.1 TLSv1.2" by default."

This is what I have found to be the best for ciphers; SSL Labs seems to
like it. I would even set !RC4, but we need to still support it in this
specific server.

    # ciphers
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";

I should clarify that the default for ssl_protocols is fine for my
environment, since we need to support SSLv3; if you don't, I suggest
making it safer:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
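A check worth running on a cipher string like the one above before it goes into nginx.conf, as an added example that is not part of the thread: expand the string with the OpenSSL that nginx is actually linked against and see which suites it really enables, in server preference order. The cipher string is passed as an argument; the concern labels (RC4, DES, MD5, no-PFS, anon, DSS) are this example's own and are derived from the Kx/Au/Enc/Mac fields that `openssl ciphers -v` prints.

```shell
#!/bin/sh
# Added example (not from the thread): expand an nginx ssl_ciphers string
# with the local openssl and flag the suites a reviewer would question.
# Usage: sh ciphers.sh 'EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM ... RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS'
# "openssl ciphers -v" prints one suite per line, for example
#   ECDHE-RSA-RC4-SHA  TLSv1 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1

# Classify one "openssl ciphers -v" line: prints a comma-separated list of
# concerns, or "ok" when there are none. The patterns are the Kx/Au/Enc/Mac
# fields openssl itself prints; the labels are this example's own.
flag_suite() {
    line=$1
    c=""
    case "$line" in *"Enc=RC4"*)              c="${c}RC4,"    ;; esac  # biased keystream
    case "$line" in *"Enc=DES"*|*"Enc=3DES"*) c="${c}DES,"    ;; esac  # 64-bit block cipher
    case "$line" in *"Mac=MD5"*)              c="${c}MD5,"    ;; esac
    case "$line" in *"Kx=RSA"*)               c="${c}no-PFS," ;; esac  # static RSA key exchange: no forward secrecy
    case "$line" in *"Au=None"*)              c="${c}anon,"   ;; esac  # unauthenticated: trivially MITM-able
    case "$line" in *"Au=DSS"*)               c="${c}DSS,"    ;; esac  # DSA authentication, typically 1024-bit keys
    c=${c%,}
    if [ -n "$c" ]; then echo "$c"; else echo "ok"; fi
}

# Expand a cipher string and report one line per suite, in the order the
# server will prefer them when ssl_prefer_server_ciphers is on.
cipher_report() {
    openssl ciphers -v "$1" | while IFS= read -r line; do
        name=${line%% *}
        printf '%-30s %s\n' "$name" "$(flag_suite "$line")"
    done
}

# How many suites the string yields on this OpenSSL build. Zero means
# OpenSSL rejects the string; nginx would then refuse to start, reporting
# SSL_CTX_set_cipher_list() failed.
suite_count() {
    openssl ciphers "$1" 2>/dev/null | tr ':' '\n' | grep -c .
}

if [ "$#" -gt 0 ]; then
    echo "suites: $(suite_count "$1")"
    cipher_report "$1"
fi
```

Run it with the same OpenSSL build nginx loads at runtime (the `ldd` output later in this thread shows which one that is), since a string like the one above expands differently on 0.9.8, 1.0.0 and 1.0.1.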

hi,

what is your OS (name and version)?

where do you have the ciphers from, btw?

i'd suggest you test the TLS version yourself with testssl.sh
https://bitbucket.org/nginx-goodies/testssl.sh
(note: you need a current openssl version on the machine you test
from)

regards,

mex


Hello!

On Wed, Apr 16, 2014 at 06:35:43AM -0400, Nemesiz wrote:

> TLS 1.0 Yes
>
> Looks like I can't disable SSLv3

It looks like you are testing something different, not the nginx you
are trying to configure. Check what is actually listening on the
ip:port you are testing.

Maxim D.
http://nginx.org/
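mex's advice (test the protocol versions yourself, from a machine whose OpenSSL is current enough to speak them) and Maxim's advice (check what actually answers on the ip:port you are testing) can be combined in one probe using nothing but the openssl CLI. This is an added example, not part of the thread and not testssl.sh; host, port and the SNI name are arguments you supply. It distinguishes "not offered" (the server refused the version) from "untestable" (the client-side openssl cannot speak that version at all), which is exactly the caveat mex raises.

```shell
#!/bin/sh
# Added example (not from the thread): ask a specific ip:port which SSL/TLS
# versions it negotiates, using only openssl s_client, and print the Server
# header so you know which daemon really answered.
# Usage: sh probe.sh HOST [PORT] [SNI-NAME]    e.g. sh probe.sh 203.0.113.10 443 www.example.com

# nginx ssl_protocols token -> openssl s_client flag
proto_flag() {
    case "$1" in
        SSLv3)   echo "-ssl3" ;;
        TLSv1)   echo "-tls1" ;;
        TLSv1.1) echo "-tls1_1" ;;
        TLSv1.2) echo "-tls1_2" ;;
        TLSv1.3) echo "-tls1_3" ;;
        *)       return 1 ;;
    esac
}

# Interpret one s_client transcript for the version we forced:
#   offered      the handshake completed at exactly that version
#   not offered  the server refused (handshake failure / protocol version alert)
#   untestable   this client-side openssl cannot speak the version at all
classify() {
    proto=$1
    out=$2
    proto_re=$(printf '%s' "$proto" | sed 's/\./\\./g')
    if printf '%s\n' "$out" | grep -qiE 'unknown option|no protocols available'; then
        echo "untestable"
    elif printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        # s_client still prints an SSL-Session block after a failed handshake,
        # so the Protocol line alone proves nothing; (NONE) marks the failure
        echo "not offered"
    elif printf '%s\n' "$out" | grep -qE "^ *Protocol *: ${proto_re}\$"; then
        echo "offered"
    else
        echo "not offered"
    fi
}

probe() {
    host=$1; port=$2; sni=$3; proto=$4
    flag=$(proto_flag "$proto") || return 1
    # -servername sends SNI so the intended vhost is selected; stdin from
    # /dev/null ends the session right after the handshake
    out=$(openssl s_client -connect "$host:$port" -servername "$sni" $flag </dev/null 2>&1)
    printf '%-8s %s\n' "$proto" "$(classify "$proto" "$out")"
}

# The Server header identifies what is really listening on that port.
server_banner() {
    host=$1; port=$2; sni=$3
    printf 'HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n' "$sni" \
        | openssl s_client -connect "$host:$port" -servername "$sni" -quiet 2>/dev/null \
        | grep -i '^Server:' || echo "Server: (no header)"
}

main() {
    host=$1; port=${2:-443}; sni=${3:-$1}
    echo "--> Testing protocols on $host:$port (SNI $sni)"
    for p in SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; do
        probe "$host" "$port" "$sni" "$p"
    done
    server_banner "$host" "$port" "$sni"
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it against the exact ip:port under test rather than the hostname alone, and compare the Server line with `netstat -tulnp` on the box; a mismatch between the two is the situation Maxim describes.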

Strange things are happening.

nginx:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Results:

ssllabs.com:
TLS 1.2 No
TLS 1.1 No
TLS 1.0 Yes
SSL 3 Yes
SSL 2 No

testssl.sh:

SSLv2 NOT offered (ok)
SSLv3 offered
TLSv1 offered (ok)
TLSv1.1 not offered
TLSv1.2 not offered

Looks like I can't disable SSLv3

OS: Ubuntu saucy
SSL Certificate: StartCom Ltd.


Maxim D. wrote:

> It looks like you are testing something different, not the nginx you
> are trying to configure. Check what is actually listening on the
> ip:port you are testing.

testssl.sh:
→ Testing HTTP Header response

HSTS 365 days (31536000 s)
Server nginx/1.5.13
Application (None)

ssllabs.com:
HTTP server signature nginx/1.5.13

netstat -tulnp

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      17535/redis-server
tcp        0      0 0.0.0.0:1003            0.0.0.0:*               LISTEN      19379/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      10632/nginx
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      17584/unicorn.rb -E
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      19379/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      733/exim4
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      10632/nginx
tcp6       0      0 :::1003                 :::*                    LISTEN      19379/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      19379/sshd
tcp6       0      0 :::25                   :::*                    LISTEN      733/exim4


I think the problem is that your nginx uses the libssl version from your
OS (0.9.8/1.0.0).

Rather than posting raw outputs, try to understand the piece of advice
Maxim gave you.

I suspect those SSL-validation websites test websites... which
correspond to a certain standard port.
I see a problem, don't you?

B. R.

Check that you have run the same nginx that you are trying to
configure.

$ ps -fC nginx

wbr, Valentin V. Bartenev

I recompiled with the default openssl lib (1.0.1e-3ubuntu1.2)

Default install path:

nginx -V

nginx version: nginx/1.5.13
built by gcc 4.8.1 (Ubuntu/Linaro 4.8.1-10ubuntu9)
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx/1.5.13
--conf-path=/etc/nginx/nginx.conf
--error-log-path=/var/log/nginx/error.log
--http-client-body-temp-path=/var/lib/nginx/body
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi
--http-log-path=/var/log/nginx/access.log
--http-proxy-temp-path=/var/lib/nginx/proxy
--http-scgi-temp-path=/var/lib/nginx/scgi
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi
--lock-path=/var/lock/nginx.lock
--pid-path=/run/nginx.pid --with-pcre-jit --with-debug
--with-http_ssl_module
--add-module=/usr/src/nginx-modules/nginx-openssl-version
--with-pcre=/usr/src/nginx-modules/pcre-8.35

nginx clone to /root/test

./nginx -V

nginx version: nginx/1.5.13
built by gcc 4.8.1 (Ubuntu/Linaro 4.8.1-10ubuntu9)
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx/1.5.13
--conf-path=/etc/nginx/nginx.conf
--error-log-path=/var/log/nginx/error.log
--http-client-body-temp-path=/var/lib/nginx/body
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi
--http-log-path=/var/log/nginx/access.log
--http-proxy-temp-path=/var/lib/nginx/proxy
--http-scgi-temp-path=/var/lib/nginx/scgi
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi
--lock-path=/var/lock/nginx.lock
--pid-path=/run/nginx.pid --with-pcre-jit --with-debug
--with-http_ssl_module
--add-module=/usr/src/nginx-modules/nginx-openssl-version
--with-pcre=/usr/src/nginx-modules/pcre-8.35

The same settings, but the default nginx runs on ports 80 and 443. The
cloned nginx runs on 81 and 443

default nginx on port 443:
→ Testing Protocols

SSLv2 NOT offered (ok)
SSLv3 offered
TLSv1 offered (ok)
TLSv1.1 not offered
TLSv1.2 not offered

SPDY/NPN http/1.1 (advertised)

cloned nginx on port 444:
→ Testing Protocols

SSLv2 NOT offered (ok)
SSLv3 NOT offered (ok)
TLSv1 offered (ok)
TLSv1.1 offered (ok)
TLSv1.2 offered (ok)

ldd /usr/local/nginx/1.5.13/sbin/nginx

linux-vdso.so.1 => (0x00007fff623fe000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f6e46143000)
libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007f6e45f0a000)
libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f6e45cab000)
libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f6e458cf000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f6e456b6000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f6e452ed000)
/lib64/ld-linux-x86-64.so.2 (0x00007f6e4636c000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f6e450e9000)

ldd /root/test/nginx

linux-vdso.so.1 => (0x00007fffe478f000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f6dcdfc5000)
libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007f6dcdd8c000)
libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f6dcdb2d000)
libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f6dcd751000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f6dcd538000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f6dcd16f000)
/lib64/ld-linux-x86-64.so.2 (0x00007f6dce1ee000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f6dccf6b000)


I found where the problem was. I thought SSL options could be different
in a virtual host. The default server settings were not overwritten.

server {
include conf/default-settings;

root /var/www;
server_name "";

ssl on;
ssl_certificate ssl/nmz_ssl.crt;
ssl_certificate_key ssl/nmz_ssl.key;

ssl_session_timeout 5m;

ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
ssl_prefer_server_ciphers on;

location / {
try_files $uri $uri/ =404;
}

location /smokeping/ {
proxy_pass http://10.10.10.2/smokeping/;
}
}

Other servers:
server {
include conf/default-site-ssl;
include conf/default-settings;
ssl_certificate /etc/nginx/ssl/host.pem;
ssl_certificate_key /etc/nginx/ssl/host.key;

conf/default-site-ssl :

listen 443 ssl;
ssl on;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_prefer_server_ciphers on;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

nginx -t did not show any error.

http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols

So some SSL options cannot be overwritten?

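The last post found the cause, and the answer to its closing question is yes for the protocol list. The catch-all `server_name ""` block was the first server defined for port 443 and therefore its default server, and it carried `ssl_protocols SSLv3 TLSv1;`. With nginx 1.5.x on OpenSSL 1.0.1 the protocol version is chosen from the ClientHello before the SNI callback can switch nginx to the named server's SSL context, so on a shared listen socket the `ssl_protocols` of the default server are what every client gets, whatever the other server blocks say. That also explains the cloned nginx on port 444: with only one server on that socket, its own directive applied. `nginx -t` cannot flag this, since each block is valid on its own. The configuration below is an added example, not the poster's (paths, the `example.com` name and the certificate files are placeholders): it moves the TLS policy into the `http{}` context so that every server on 443, the default included, inherits the same protocols and ciphers, drops SSLv3 as the second reply suggested, and uses `listen 443 ssl` instead of the older `ssl on`.

```nginx
# Added example (not the poster's configuration; paths and names are placeholders).
http {
    # Version negotiation happens before SNI, so for a shared listen socket the
    # ssl_protocols of the default server are what clients actually get. Setting
    # the policy here makes every server block inherit it.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';
    ssl_dhparam         /etc/nginx/ssl/dhparam.pem;
    ssl_session_cache   shared:SSL:50m;
    ssl_session_timeout 5m;

    # Catch-all for connections whose SNI/Host matches no server_name. Without
    # default_server the first server listed for 443 plays this role, which is
    # how the old "SSLv3 TLSv1" block came to govern every vhost.
    server {
        listen 443 ssl default_server;
        server_name "";
        ssl_certificate     /etc/nginx/ssl/nmz_ssl.crt;
        ssl_certificate_key /etc/nginx/ssl/nmz_ssl.key;
        # No ssl_protocols / ssl_ciphers here: inherit the http{} policy.
        return 444;   # placeholder: close the connection without a response
    }

    server {
        listen 443 ssl;
        server_name www.example.com;   # placeholder
        ssl_certificate     /etc/nginx/ssl/host.pem;
        ssl_certificate_key /etc/nginx/ssl/host.key;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
        root /var/www;
        location / {
            try_files $uri $uri/ =404;
        }
    }
}
```

After reloading, verify from outside (`openssl s_client -connect host:443 -tls1_2`, or testssl.sh) rather than trusting `nginx -t`; a syntactically valid configuration is exactly what hid this problem.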