Forum: NGINX TLS 1.2 ciphers

stephan13360 (Guest)
on 2013-08-21 19:19
(Received via mailing list)
Chrome 29 came out recently and now supports TLS 1.2. So I decided to add some of the new TLS 1.2 ciphers to my webserver, which are specified here:
https://www.openssl.org/docs/apps/ciphers.html#TLS....

My current setup is: Ubuntu 10.04, Nginx 1.5.3, OpenSSL 1.0.1e (built myself)
Config file:

server {
    listen 80;
    server_name    sherbers.de;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl spdy default_server;
    server_name    sherbers.de;

    ssl_certificate /etc/ssl/private/hosteurope/www.sherbers.de.pem;
    ssl_certificate_key /etc/ssl/private/hosteurope/www.sherbers.de.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
}

As you can see I only use ciphers with perfect forward secrecy, because why not. When I connect to my webserver Chrome shows it is using TLS 1.2, but as a cipher it is using ECDHE-RSA, which it was using before too when I only offered TLS 1.1, without any of the ECDHE-ECDSA ciphers.

Any idea why nginx doesn't offer the new ciphers?

Additional information:

- An SSL check at https://sslcheck.globalsign.com doesn't list any of the ECDHE-ECDSA ciphers
- "openssl ciphers -v | grep ECDHE-ECDSA" outputs the following:
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH     Au=ECDSA Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-ECDSA-RC4-SHA     SSLv3 Kx=ECDH     Au=ECDSA Enc=RC4(128)  Mac=SHA1

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,242096,242096#msg-242096
Maxim Dounin (Guest)
on 2013-08-21 20:00
(Received via mailing list)
Hello!

On Wed, Aug 21, 2013 at 01:19:01PM -0400, stephan13360 wrote:

>     server_name    sherbers.de;
>
> ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA;
>     ssl_prefer_server_ciphers on;
>     ssl_session_cache shared:SSL:10m;
>
> As you can see i only use ciphers with perfect forward secrecy, because why
> not. When i connect to my webserver chrome shows it is using TLS 1.2 but as
> a cipher it using ECDHE-RSA, which it was using before too when i only
> offered TLS 1.1, without any of the ECDHE-ECDSA ciphers.
>
> Any idea why nginx doesn't offers the new cipers?

ECDSA ciphers need an ECDSA certificate to work.  As your cert is
RSA, RSA ciphers are used.

--
Maxim Dounin
http://nginx.org/en/donation.html
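The point Maxim makes (a cipher suite's authentication algorithm must match the certificate's key type, so ECDHE-ECDSA suites are never negotiated behind an RSA certificate) can be checked before deploying a config. The script below is an added example, not code from the thread or from nginx: it parses `openssl ciphers -v` output and the `Public Key Algorithm` line of `openssl x509 -noout -text`, then reports which entries of an `ssl_ciphers` list the server can actually offer. The sample openssl output embedded here is constructed from the lines quoted in the thread; in practice you would feed it the real output of `openssl ciphers -v` and `openssl x509 -in cert.pem -noout -text`.

```python
import re

# Constructed sample of `openssl ciphers -v` output (one cipher per line),
# built from the cipher names and attributes quoted in the thread.
OPENSSL_CIPHERS_V = """\
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
"""

# The ssl_ciphers value from the original post.
SSL_CIPHERS = ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:"
               "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:"
               "ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA")

# Constructed excerpts of `openssl x509 -noout -text` output for the two key types.
RSA_CERT_TEXT = """\
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (2048 bit)
"""
EC_CERT_TEXT = """\
    Subject Public Key Info:
        Public Key Algorithm: id-ecPublicKey
            Public-Key: (256 bit)
"""


def cert_auth_type(x509_text):
    """Map the certificate's public key algorithm to the Au= value openssl
    prints for cipher suites ("RSA" or "ECDSA")."""
    m = re.search(r"Public Key Algorithm:\s*(\S+)", x509_text)
    if not m:
        raise ValueError("no 'Public Key Algorithm' line found")
    alg = m.group(1)
    if alg == "rsaEncryption":
        return "RSA"
    if alg == "id-ecPublicKey":
        return "ECDSA"
    raise ValueError("unsupported key algorithm: %s" % alg)


def parse_ciphers_v(text):
    """Parse `openssl ciphers -v` lines into {name: {"proto", "Kx", "Au", "Enc", "Mac"}}."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        entry = {"proto": parts[1]}
        for field in parts[2:]:
            key, _, value = field.partition("=")
            entry[key] = value
        table[parts[0]] = entry
    return table


def check_ssl_ciphers(ssl_ciphers, auth_type, table):
    """Split an nginx ssl_ciphers list into three groups: suites the certificate
    can serve (Au matches the key type), suites that are dead weight because
    their Au never matches, and names absent from the openssl table (keywords
    such as HIGH or !aNULL, or typos), which this check does not expand."""
    usable, dead, unknown = [], [], []
    for name in ssl_ciphers.split(":"):
        entry = table.get(name)
        if entry is None:
            unknown.append(name)
        elif entry.get("Au") == auth_type:
            usable.append(name)
        else:
            dead.append(name)
    return usable, dead, unknown


if __name__ == "__main__":
    table = parse_ciphers_v(OPENSSL_CIPHERS_V)
    auth = cert_auth_type(RSA_CERT_TEXT)
    usable, dead, unknown = check_ssl_ciphers(SSL_CIPHERS, auth, table)
    print("certificate key type:", auth)
    print("negotiable:", usable)
    print("never offered (Au mismatch):", dead)
    print("not in openssl table:", unknown)
```

Run against the poster's list with an RSA certificate, the three ECDHE-ECDSA entries land in the "never offered" group and only the ECDHE-RSA and DHE-RSA suites remain, which matches what Chrome and the external scanner reported. Swapping in the EC certificate text flips the result, which is the cheapest way to confirm that switching to an ECDSA certificate (or serving both) is what actually enables those suites.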
stephan13360 (Guest)
on 2013-08-21 20:08
(Received via mailing list)
Thanks. I never even considered that the certificate could be the problem.

Maxim Dounin Wrote:
-------------------------------------------------------
> >
> > server {
> S256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-S
> > offered TLS 1.1, without any of the ECDHE-ECDSA ciphers.
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,242096,242099#msg-242099