On 10/01/2014 08:45 PM, Lukas Tribus wrote:
>> btw, it seems impossible to have
>>
>> ...
>> ssl_protocols TLSv1.2;
>> ...
>>
>> and a test result of
>>
>> SSLv2 NOT offered (ok)
>> SSLv3 offered
>> TLSv1 not offered
>> TLSv1.1 not offered
>> TLSv1.2 not offered
>
> No, it's very possible. A SSL_CTX_set_ssl_version() call can fail,
> or the call itself can be #ifdef'ed out.
>
>
>> iirc, openssl 1.0.1e should be able to provide tls 1.2, so
>> it seems quite strange
>
> It may be:
> - the nginx centos 6 RPM is linked against openssl 0.9.8 AND
> - when using a source build, you didn't stop and start the correct executable
> AND/OR
> - you have some library mismatch/mess on your system
>
>
> If you don't care about the possible mess on your system and want a fast fix,
> just build it statically, as previously suggested.




hi lukas, hi mex,

- there is definitely something strange -- this is a vanilla install -- for
testing -- i installed apache on the same machine and ran it on port 444 for an 
ssl host. it works as expected. that would seem to indicate the ssl libraries, 
etc, are in good shape.

- if you point a mozilla firefox 32.0.3 to this site, you get:
Secure Connection Failed

An error occurred during a connection to domain.com. SSL peer selected a cipher 
suite disallowed for the selected protocol version. (Error code: 
ssl_error_cipher_disallowed_for_version)

    The page you are trying to view cannot be shown because the authenticity of 
the received data could not be verified.
    Please contact the website owners to inform them of this problem.
- i am going to generate some different certs -- mine are insane -- 4096 key, 
4096 dh, sha512 sig -- perhaps the problem lies there. although, why would 
apache work and not nginx?

will report back tomorrow.

thanks!

m
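The two checks Lukas suggests (is nginx really loading the OpenSSL it was built against, and is the executable you restarted the one answering on the port) can be scripted. The following is an added example written for this thread, not code from the list or from nginx. It assumes a POSIX sh, that `nginx -V` prints a "built with OpenSSL ..." line and, on nginx releases that report it, a "(running with OpenSSL ...)" note when the run-time library differs, and that `openssl s_client` exits non-zero when a handshake fails. The `probe_tls_versions` function reproduces the per-version "offered / not offered" table from the quoted test result against your own server; the `nginx -V` text in the comments and tests is constructed.

```shell
#!/bin/sh
# Added diagnostic helper for the build/runtime OpenSSL mismatch discussed in
# the thread. Not part of nginx; assumptions are listed in the lead-in.

# Extract the "built with" and "running with" OpenSSL versions from `nginx -V`
# text read on stdin (nginx -V writes to stderr, so callers pass 2>&1).
# When nginx prints no "running with" note, the runtime version is reported
# as equal to the build-time one.
nginx_openssl_versions() {
    input=$(cat)
    built=$(printf '%s\n' "$input" \
        | sed -n 's/.*built with OpenSSL \([^ ]*\).*/\1/p' | head -n 1)
    running=$(printf '%s\n' "$input" \
        | sed -n 's/.*running with OpenSSL \([^ ]*\).*/\1/p' | head -n 1)
    [ -n "$running" ] || running=$built
    printf 'built=%s running=%s\n' "$built" "$running"
}

# Exit 0 when build-time and run-time OpenSSL versions differ (the
# "library mismatch" case); reads `nginx -V` text on stdin.
openssl_mismatch() {
    v=$(nginx_openssl_versions)
    built=${v#built=}; built=${built%% *}
    running=${v##*running=}
    [ "$built" != "$running" ]
}

# Path of the libssl a dynamically linked binary will load
# (prints nothing for a static build, which is the "fast fix" from the thread).
loaded_libssl() {
    ldd "$1" 2>/dev/null | awk '/libssl/ { print $3 }'
}

# One handshake attempt per protocol version against your own server.
# Options the local openssl does not know are reported separately so a
# missing client option is not mistaken for a server that refuses the version.
probe_tls_versions() {
    host=$1
    port=${2:-443}
    for opt in -ssl3 -tls1 -tls1_1 -tls1_2; do
        if openssl s_client -help 2>&1 | grep -q -- "^ *$opt"; then
            if openssl s_client -connect "$host:$port" "$opt" </dev/null >/dev/null 2>&1; then
                printf '%-7s offered\n' "${opt#-}"
            else
                printf '%-7s not offered\n' "${opt#-}"
            fi
        else
            printf '%-7s not supported by local openssl\n' "${opt#-}"
        fi
    done
}

# Run directly: sh tls_check.sh your.host.example 443
if [ "$#" -ge 1 ]; then
    if command -v nginx >/dev/null 2>&1; then
        nginx_v=$(nginx -V 2>&1)
        printf '%s\n' "$nginx_v" | nginx_openssl_versions
        if printf '%s\n' "$nginx_v" | openssl_mismatch; then
            echo "WARNING: nginx runs with a different OpenSSL than it was built against"
        fi
        loaded_libssl "$(command -v nginx)"
    fi
    probe_tls_versions "$1" "${2:-443}"
fi
```

If `loaded_libssl` points at a 0.9.8 library while `nginx -V` claims a 1.0.1 build, or the probe shows only SSLv3 offered while the config says `ssl_protocols TLSv1.2;`, the running process is not using the library (or the binary) you think it is; compare the path from `ps` against the one you rebuilt before touching certificates or cipher settings.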

_______________________________________________
nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx
