On Wed, 2014-10-01 at 22:45 +0200, mayak wrote:
> On 10/01/2014 08:45 PM, Lukas Tribus wrote:
> >> btw, it seems impossible to have
> >>
> >> ...
> >> ssl_protocols TLSv1.2;
> >> ...
> >>
> >> and a test result of
> >>
> >> SSLv2 NOT offered (ok)
> >> SSLv3 offered
> >> TLSv1 not offered
> >> TLSv1.1 not offered
> >> TLSv1.2 not offered
> >
> > No, it's very possible. An SSL_CTX_set_ssl_version() call can fail,
> > or the call itself can be #ifdef'ed out.
> >
> >> iirc, openssl 1.0.1e should be able to provide tls 1.2, so
> >> it seems quite strange
> >
> > It may be:
> > - the nginx centos 6 RPM is linked against openssl 0.9.8 AND
> > - when using a source build, you didn't stop and start the correct
> >   executable AND/OR
> > - you have some library mismatch/mess on your system
> >
> > If you don't care about the possible mess on your system and want a fast
> > fix, just build it statically, as previously suggested.
>
> hi lukas, hi mex,
>
> - there is definitely something strange -- this is a vanilla install -- for
>   testing -- i installed apache on the same machine and ran it on port 444 for
>   an ssl host. it works as expected. that would seem to indicate the ssl
>   libraries, etc, are in good shape.
>
> - if you point a mozilla firefox 32.0.3 to this site, you get:
>
> > Secure Connection Failed
> >
> > An error occurred during a connection to domain.com. SSL peer selected a
> > cipher suite disallowed for the selected protocol version. (Error code:
> > ssl_error_cipher_disallowed_for_version)
> >
> > The page you are trying to view cannot be shown because the
> > authenticity of the received data could not be verified.
> > Please contact the website owners to inform them of this problem.
>
> - i am going to generate some different certs -- mine are insane -- 4096 key,
>   4096 dh, sha512 sig -- perhaps the problem lies there. although, why would
>   apache work and not nginx?
>
> will report back tomorrow.
>
> thanks!
>
> m

I find that https://www.ssllabs.com/ssltest/ provides a good breakdown of what a site is offering. I certainly used it to fine-tune my SSL setup. I generally use CentOS 6/Amazon, but do use the nginx repo when not building from source for pagespeed. This repo certainly offers all the way up to TLS 1.2 if enabled.

Cheers,

Steve

--
Steve Holdoway BSc(Hons) MIITP
http://www.greengecko.co.nz
Linkedin: http://www.linkedin.com/in/steveholdoway
Skype: sholdowa

_______________________________________________
nginx mailing list
http://mailman.nginx.org/mailman/listinfo/nginx
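The diagnosis Lukas sketches above (a TLSv1.2-only `ssl_protocols` line that still yields an SSLv3-only server because the nginx binary actually runs against OpenSSL 0.9.8, or against a different library than the one it was built with) can be checked from the shell before touching certificates. The script below is an added example written for this page; it is not from anyone in the thread. It assumes that `nginx -V` prints a `built with OpenSSL <version>` line and, when the shared library loaded at run time differs, appends `(running with OpenSSL <version>)`, as current nginx releases do; it relies on the fact that TLS 1.1 and 1.2 first appeared in OpenSSL 1.0.1. The `nginx -V` outputs embedded in it are constructed samples, not captured from any real host. Run it with no arguments for the offline walk-through, or as `sh check.sh --live [host [port]]` on a real box.

```shell
#!/bin/sh
# Added diagnostic for the symptom in the thread: ssl_protocols says TLSv1.2,
# yet only SSLv3 is offered. TLS 1.1/1.2 need OpenSSL >= 1.0.1, so the first
# question is which OpenSSL the running nginx binary actually uses.
#
# Assumptions (labelled): `nginx -V` prints "built with OpenSSL <version>" and,
# when the shared library at run time differs, appends "(running with OpenSSL
# <version>)". Older binaries print no OpenSSL line at all; that case is
# reported as unknown rather than guessed.

# Constructed sample outputs standing in for `nginx -V 2>&1` (not from a real host).
SAMPLE_BUILT_ONLY='nginx version: nginx/1.x
TLS SNI support enabled
configure arguments: --with-http_ssl_module
built with OpenSSL 1.0.1e-fips 11 Feb 2013'

SAMPLE_MISMATCH='nginx version: nginx/1.x
configure arguments: --with-http_ssl_module
built with OpenSSL 1.0.1e-fips 11 Feb 2013 (running with OpenSSL 1.0.1k-fips 8 Jan 2015)'

SAMPLE_OLD='nginx version: nginx/1.x
configure arguments: --with-http_ssl_module
built with OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008'

SAMPLE_NO_LINE='nginx version: nginx/1.x
TLS SNI support enabled
configure arguments: --with-http_ssl_module'

# Print "major minor fix" from an OpenSSL version string such as "1.0.1e-fips".
openssl_numeric() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p'
}

# yes / no / unknown: can this OpenSSL release negotiate TLS 1.2 at all?
# (TLS 1.1 and 1.2 arrived in 1.0.1; every 1.1.x and 3.x release has them.)
openssl_supports_tls12() {
    set -- $(openssl_numeric "$1")
    if [ -z "$1" ]; then
        echo unknown
    elif [ "$1" -gt 1 ]; then
        echo yes
    elif [ "$1" -eq 1 ] && { [ "$2" -gt 0 ] || [ "$3" -ge 1 ]; }; then
        echo yes
    else
        echo no
    fi
}

# From `nginx -V` output, print the OpenSSL version nginx actually runs with:
# the "(running with ...)" version when present, else the "built with" one.
# Prints nothing when the output carries no OpenSSL line.
runtime_openssl_version() {
    running=$(printf '%s\n' "$1" | sed -n 's/.*running with OpenSSL \([0-9][^ )]*\).*/\1/p')
    if [ -n "$running" ]; then
        printf '%s\n' "$running"
    else
        printf '%s\n' "$1" | sed -n 's/.*built with OpenSSL \([0-9][^ )]*\).*/\1/p'
    fi
}

# One-line verdict for a given `nginx -V` output.
report_nginx_tls() {
    ver=$(runtime_openssl_version "$1")
    if [ -z "$ver" ]; then
        echo "no OpenSSL version in nginx -V output; inspect 'ldd \$(command -v nginx)' instead"
    else
        echo "nginx runs with OpenSSL $ver; TLS 1.2 possible: $(openssl_supports_tls12 "$ver")"
    fi
}

# Live probe of one host per protocol version, mirroring the "offered / not
# offered" list quoted in the thread. s_client's exit status is the signal; a
# flag the local openssl no longer accepts (e.g. -ssl3 on modern builds) also
# reads as "not offered", so confirm the client supports the flag before
# trusting that line.
probe_protocols() {
    host=$1
    port=${2:-443}
    for flag in ssl3 tls1 tls1_1 tls1_2; do
        if printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" "-$flag" >/dev/null 2>&1; then
            echo "$flag offered"
        else
            echo "$flag not offered"
        fi
    done
}

if [ "${1:-}" = "--live" ]; then
    # On a real host: read the installed binary, show what it links, probe.
    report_nginx_tls "$(nginx -V 2>&1)"
    ldd "$(command -v nginx)" | grep -i -E 'libssl|libcrypto' \
        || echo "no dynamic libssl/libcrypto (static build, or ldd unavailable)"
    if [ -n "${2:-}" ]; then
        probe_protocols "$2" "${3:-443}"
    fi
else
    # Offline walk-through over the constructed samples.
    report_nginx_tls "$SAMPLE_BUILT_ONLY"
    report_nginx_tls "$SAMPLE_MISMATCH"
    report_nginx_tls "$SAMPLE_OLD"
    report_nginx_tls "$SAMPLE_NO_LINE"
fi
```

The mismatch sample is the case Lukas calls a "library mismatch/mess": the version nginx was compiled against and the one it loads at run time differ, and it is the run-time one that decides which protocols the server can offer. A verdict of "no" on the run-time version means no `ssl_protocols` setting will produce TLS 1.2, which is why the static build he suggests sidesteps the problem.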
