ssl_prefer_server_ciphers vs. Android

Hi,

I’ve configured ssl with the following options:

ssl_dhparam /etc/nginx/pem/dhparam2048.pem;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
# Suites are listed in the order the server should prefer them.
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';
# Use the server's order above instead of the client's preference.
ssl_prefer_server_ciphers on;
more_set_headers "Strict-Transport-Security: max-age=31536000";
spdy_headers_comp 3;

While ssl_prefer_server_ciphers usually works, I've noticed some strange
behaviour with Android. With these settings Firefox Sync uses "TLSv1
RC4-SHA". When I remove all RC4 ciphers from that list, it chooses "TLSv1
DHE-RSA-AES128-SHA". I'm wondering why it chooses RC4-SHA instead of
DHE-RSA-AES128-SHA, since it should have a higher priority.

Matthias

Hi Matthias,

> While ssl_prefer_server_ciphers usually works, I've noticed some strange
> behaviour with Android. With these settings Firefox Sync uses "TLSv1
> RC4-SHA". When I remove all RC4 ciphers from that list, it chooses "TLSv1
> DHE-RSA-AES128-SHA". I'm wondering why it chooses RC4-SHA instead of
> DHE-RSA-AES128-SHA, since it should have a higher priority.

Can you provide the capture file with the TLS handshake?

Regards,

Lukas
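Added example for this thread, not code from either post and not nginx's or OpenSSL's own logic. It models what ssl_prefer_server_ciphers changes: with it on, the server walks its own list and takes the first suite the client offered; with it off, the client's order wins. So the only way RC4-SHA can be negotiated while DHE-RSA-AES128-SHA sits above it in the server list is that the client did not offer DHE-RSA-AES128-SHA (or anything else ranked higher), which is exactly what the ClientHello in the handshake capture would show. The client offer lists below are constructed for illustration, not captured from Firefox Sync on Android, and the model only tracks suites named explicitly in the cipher string (it does not expand aliases such as AES128 or HIGH the way OpenSSL does).

```python
"""Cipher-suite selection with and without server preference.

Added example; the client offer lists are constructed, not real captures.
"""

# The ssl_ciphers string from the original post.
SSL_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:"
    "!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK"
)

# Group aliases that OpenSSL would expand into several suites. This toy
# model skips them; "openssl ciphers -v '<string>'" shows the real expansion.
ALIASES = {"kEDH+AESGCM", "AES128", "AES256", "HIGH"}


def explicit_suites(cipher_string):
    """Explicitly named suites in configured order, without '!' exclusions
    and without group aliases."""
    suites = []
    for tok in cipher_string.split(":"):
        if tok.startswith("!") or tok in ALIASES:
            continue
        if tok not in suites:
            suites.append(tok)
    return suites


def select_cipher(server_suites, client_suites, prefer_server=True):
    """Suite a server would negotiate, or None if there is no common suite.

    prefer_server=True models ssl_prefer_server_ciphers on: walk the server
    list and take the first suite the client also offered. False models the
    default: walk the client's offer and take the first suite the server has.
    """
    if prefer_server:
        ordered, available = server_suites, set(client_suites)
    else:
        ordered, available = client_suites, set(server_suites)
    for suite in ordered:
        if suite in available:
            return suite
    return None


def skipped_above(server_suites, client_suites, chosen):
    """Server-preferred suites ranked above `chosen` that the client did not
    offer. A non-empty list means the ClientHello, not the server ordering,
    pushed negotiation down to `chosen`."""
    if chosen not in server_suites:
        return []
    offered = set(client_suites)
    above = server_suites[: server_suites.index(chosen)]
    return [s for s in above if s not in offered]


SERVER = explicit_suites(SSL_CIPHERS)

# Constructed ClientHello offers (hypothetical clients, not real captures).
CLIENT_RC4_FIRST = ["RC4-SHA", "RC4-MD5", "DHE-RSA-AES128-SHA", "AES128-SHA"]
CLIENT_NO_DHE = ["RC4-SHA", "RC4-MD5", "AES128-SHA", "DES-CBC3-SHA"]

if __name__ == "__main__":
    for name, client in (("rc4-first", CLIENT_RC4_FIRST), ("no-dhe", CLIENT_NO_DHE)):
        for pref in (True, False):
            chosen = select_cipher(SERVER, client, pref)
            print(name, "prefer_server=%s" % pref, "->", chosen,
                  "skipped:", len(skipped_above(SERVER, client, chosen)))
```

A client that lists RC4-SHA first but also offers DHE-RSA-AES128-SHA ends up on DHE-RSA-AES128-SHA once the server's order is enforced, and on RC4-SHA only when the client's order is honoured. A client that never offers a DHE or ECDHE suite lands on RC4-SHA under both settings, and skipped_above lists every higher-ranked server suite it left out. Note that in real OpenSSL the AES128 alias in the string would also admit AES128-SHA, so check the actual expanded order with `openssl ciphers -v` before drawing conclusions from the explicit names alone.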
