On Wed, Mar 11, 2020 at 6:36 PM Michael Wojcik < michael.woj...@microfocus.com> wrote:
> To enforce the server's cipher order, use SSL_CTX_set_options(*ctx*,
> SSL_CTX_get_options(*ctx*) | SSL_OP_CIPHER_SERVER_PREFERENCE).
>
> https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_set_options.html
>
> ------------------------------
>
> Testing server preferences
> Has server cipher order? no (NOT ok)
> ...
> No further cipher order check has been done as order is determined by the
> client
>

Hi Michael,

Thanks for the email. I am not sure if I understand it completely. What does the server's cipher order mean in layman's terms? Any example regarding "To enforce the server's cipher order, use SSL_CTX_set_options(ctx, SSL_CTX_get_options(ctx) | SSL_OP_CIPHER_SERVER_PREFERENCE)" to set it in /etc/nginx/nginx.conf? I am running the Nginx web server.

I have the below settings in /etc/nginx/nginx.conf:

server {
    listen 443 ssl;
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
}

Please suggest. I look forward to hearing from you and thanks in advance.

Best Regards,
Kaushal
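Added example (editor's illustration, not code from either poster or from the OpenSSL or nginx projects) showing what "server cipher order" means in practice and how the nginx setting quoted above maps onto it. The server list is the ssl_ciphers value from the message; the client offer is a constructed one that happens to list a DHE suite first. negotiate() models the TLS 1.2 selection rule: with ssl_prefer_server_ciphers off (nginx's default) the server takes the first suite in the client's order that it supports, with it on the server takes the first suite in its own order that the client supports. server_preference_enabled() and enforce_server_preference() are simple hypothetical helpers that inspect and correct a server block; they assume uncommented, one-directive-per-line configuration and that the SSL_OP_CIPHER_SERVER_PREFERENCE behaviour Michael describes is what ssl_prefer_server_ciphers on turns on.

```python
import re

# Server list copied from the nginx config quoted in the message above.
SERVER_CIPHERS = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
).split(":")

# Constructed client offer (not from the thread): DHE listed first,
# plus one suite the server does not enable at all.
CLIENT_OFFER = [
    "DHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",  # not in SERVER_CIPHERS, so never selectable
]

# The server block from the message, as a string for the checker below.
NGINX_SERVER_BLOCK = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
}
"""


def negotiate(server, client, prefer_server):
    """Return the TLS 1.2 cipher suite the server would select, or None.

    prefer_server=False: walk the client's list, take the first suite the
    server also enables (client decides; what testssl.sh reported above).
    prefer_server=True:  walk the server's list, take the first suite the
    client also offered (server decides; SSL_OP_CIPHER_SERVER_PREFERENCE).
    """
    first, second = (server, client) if prefer_server else (client, server)
    common = set(second)
    for suite in first:
        if suite in common:
            return suite
    return None  # no overlap: handshake would fail


_DIRECTIVE = re.compile(r"^(\s*)ssl_prefer_server_ciphers\s+(on|off)\s*;", re.M)


def server_preference_enabled(config_text):
    """True only if the block explicitly sets the directive to on.

    nginx defaults ssl_prefer_server_ciphers to off, so a missing
    directive counts as client-decides.
    """
    m = _DIRECTIVE.search(config_text)
    return bool(m) and m.group(2) == "on"


def enforce_server_preference(config_text):
    """Return the config with ssl_prefer_server_ciphers forced to on.

    Rewrites an existing directive in place; if absent, inserts one right
    after the ssl_ciphers line so the two settings stay together.
    """
    if _DIRECTIVE.search(config_text):
        return _DIRECTIVE.sub(r"\g<1>ssl_prefer_server_ciphers on;", config_text)
    return re.sub(
        r"^(\s*)(ssl_ciphers\b[^\n]*;)",
        r"\g<1>\g<2>\n\g<1>ssl_prefer_server_ciphers on;",
        config_text,
        count=1,
        flags=re.M,
    )


if __name__ == "__main__":
    print("client decides:", negotiate(SERVER_CIPHERS, CLIENT_OFFER, False))
    print("server decides:", negotiate(SERVER_CIPHERS, CLIENT_OFFER, True))
    print("preference on in quoted block?", server_preference_enabled(NGINX_SERVER_BLOCK))
    print(enforce_server_preference(NGINX_SERVER_BLOCK))
```

Run as-is, the quoted block is reported as client-decides, which is exactly the "order is determined by the client" line in the testssl.sh output; the same client offer lands on DHE-RSA-AES128-GCM-SHA256 under client preference and on ECDHE-RSA-AES128-GCM-SHA256 under server preference. After enforce_server_preference() rewrites the block, the check returns True, and a re-run of the scanner against the reloaded nginx is the confirmation that the setting took effect.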