ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256;

was the final solution, since YES, the problem was that Firefox 30 doesn't support the mentioned cipher yet..
Thank you everyone! (nginx was 100% OK :) )

On Wed, Jul 2, 2014 at 9:01 PM, Christian Weisgerber <na...@mips.inka.de> wrote:

> On 2014-07-02, Ez Egy <ezegyemailcim...@gmail.com> wrote:
>
> > www.ssllabs.com: ECDHE-RSA-AES256-GCM-SHA384
> > www.google.com: ECDHE-RSA-AES128-GCM-SHA256
> >
> > We wanted to make our webserver HTTPS connection more secure (don't look at
> > the self-signed certificate, that doesn't count right now..)
> >
> > We are using an OpenBSD 5.4 64bit, and the "openssl ciphers" command says
> > that it supports the "ECDHE-RSA-AES256-GCM-SHA384" cipher. On client side
> > there is Firefox 30 at least.
>
> Firefox doesn't support ECDHE-RSA-AES256-GCM-SHA384.
>
> ECDHE-RSA-AES128-GCM-SHA256, yes.
>
> ECDHE-RSA-AES256-GCM-SHA384, no.
>
> > Question: How can we set GCM in nginx? Why couldn't a fresh Firefox connect
> > via HTTPS to foo.com (ECDHE-RSA-AES256-GCM-SHA384,TLSv1.2)? It can connect
> > to www.ssllabs.com via HTTPS (ECDHE-RSA-AES256-GCM-SHA384,TLSv1.2)
>
> No, it doesn't. Not with that cipher suite.
>
> --
> Christian "naddy" Weisgerber na...@mips.inka.de
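Added example, not part of the original thread: a Python check that expands an nginx ssl_ciphers value with the local OpenSSL and picks the suite a given client offer would negotiate, reproducing the mismatch described above. The function names and the client offer lists are constructed for illustration; only the two suite names come from the thread.

```python
import ssl

AES256 = "ECDHE-RSA-AES256-GCM-SHA384"
AES128 = "ECDHE-RSA-AES128-GCM-SHA256"


def expand(ssl_ciphers):
    """Suites the local OpenSSL enables for an nginx ssl_ciphers string,
    in the order the string lists them (TLS 1.3 suites excluded)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(ssl_ciphers)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are configured separately and always listed; skip them.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def negotiate(ssl_ciphers, client_offer, prefer_server=True):
    """Return the suite both sides share, or None (handshake failure).

    prefer_server models nginx's ssl_prefer_server_ciphers directive:
    True walks the server list first, False walks the client's offer first.
    """
    server = expand(ssl_ciphers)
    first, second = (server, client_offer) if prefer_server else (client_offer, server)
    for suite in first:
        if suite in second:
            return suite
    return None


if __name__ == "__main__":
    # Constructed offer: only the GCM suite the thread says Firefox 30 supports.
    firefox30 = [AES128]
    for conf in (AES256, AES128, AES256 + ":" + AES128):
        print(f"ssl_ciphers {conf}; -> {negotiate(conf, firefox30)}")
```

A result of None corresponds to the failed connection in the thread: the server's single configured suite is not in the client's offer, so there is nothing to agree on.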