Enable older ciphers AES128-GCM-SHA256/AES256-GCM-SHA384 #893
Comments
Hello Ivan. To say it simply, nginx doesn't really do anything with cryptography stuff. Most of the work is done by OpenSSL.
nginx.conf
Relevant section of conf.d/default
openssl ciphers -v
openssl x509 -in $cert -noout -text (hashes stripped out; certificate generated via certbot)
openssl s_client -cipher AES128-GCM-SHA256 -connect HIDDEN:443 -tls1_2 (done via git-bash on Windows)
ssllabs.com
I have to admit here, I'm not a real crypto specialist :) As you can spot in the output, AES128-GCM-SHA256 expects to have an RSA key (I think RSA is abbreviated from the name of the cipher, but I can't find this note in a manual page straight away):
But you have only an EC key and cert. So the selected cipher simply doesn't match the key you have. You can configure both RSA and EC SSL certs in a single server block and nginx will use the appropriate one for a connection.
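The mismatch described in the comment above can be checked mechanically: `openssl ciphers -v` prints an `Au=` column (the authentication algorithm the suite needs from the server certificate), and a suite is only negotiable when a configured certificate's key type satisfies that column. The script below is an added example, not code from nginx, OpenSSL or this issue; it parses a constructed sample of `openssl ciphers -v` output (the real output of the local OpenSSL build can be piped in instead) and reports which suites an EC-only, RSA-only or dual-certificate server can actually offer. The function names and the sample lines are this example's own.

```python
"""Which cipher suites can a TLS server negotiate, given its certificate key type(s)?

Added example (not nginx/OpenSSL code). Parses `openssl ciphers -v` output and
matches each suite's Au= (authentication) requirement against the key types of
the configured certificates.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed sample in the format `openssl ciphers -v` prints. The lines are
# chosen for illustration; run the real command to check your own build.
SAMPLE_CIPHERS_V = """\
TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256) Mac=AEAD
TLS_AES_128_GCM_SHA256         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(128) Mac=AEAD
AES256-GCM-SHA384              TLSv1.2 Kx=RSA      Au=RSA   Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256              TLSv1.2 Kx=RSA      Au=RSA   Enc=AESGCM(128) Mac=AEAD
"""

# Which Au= values each certificate key type can satisfy. OpenSSL prints
# "any" for TLS 1.3 suites, which work with either key type.
KEY_TYPE_TO_AUTH = {
    "RSA": {"RSA", "any"},
    "EC": {"ECDSA", "any"},
}

_LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<protocol>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)


@dataclass(frozen=True)
class CipherSuite:
    name: str
    protocol: str
    kx: str   # key exchange; Kx=RSA means static RSA, i.e. no forward secrecy
    au: str   # authentication algorithm the server certificate must provide
    enc: str
    mac: str


def parse_ciphers_v(text: str) -> List[CipherSuite]:
    """Parse `openssl ciphers -v` output; lines that do not match are skipped."""
    suites = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            suites.append(CipherSuite(**m.groupdict()))
    return suites


def _allowed_auth(key_types: Iterable[str]) -> Set[str]:
    allowed: Set[str] = set()
    for kt in key_types:
        allowed |= KEY_TYPE_TO_AUTH[kt]
    return allowed


def compatible_suites(text: str, key_types: Iterable[str]) -> List[str]:
    """Names of suites whose Au= requirement at least one configured key type satisfies."""
    allowed = _allowed_auth(key_types)
    return [s.name for s in parse_ciphers_v(text) if s.au in allowed]


def explain(text: str, cipher: str, key_types: Iterable[str]) -> str:
    """One-line verdict for a single suite, e.g. the issue's AES128-GCM-SHA256 case."""
    key_types = list(key_types)
    for s in parse_ciphers_v(text):
        if s.name != cipher:
            continue
        if s.au in _allowed_auth(key_types):
            return f"{cipher}: negotiable with key type(s) {sorted(key_types)} (Au={s.au})"
        return (f"{cipher}: NOT negotiable; it requires Au={s.au}, but key type(s) "
                f"{sorted(key_types)} only satisfy {sorted(_allowed_auth(key_types))}")
    return f"{cipher}: unknown to this OpenSSL build"


if __name__ == "__main__":
    # An EC-only certificate, as in the issue: the RSA-authenticated suite is never offered.
    print(explain(SAMPLE_CIPHERS_V, "AES128-GCM-SHA256", ["EC"]))
    # Adding an RSA certificate alongside the EC one makes it negotiable again.
    print(explain(SAMPLE_CIPHERS_V, "AES128-GCM-SHA256", ["RSA", "EC"]))
    print("EC-only server can offer:", compatible_suites(SAMPLE_CIPHERS_V, ["EC"]))
```

Note the `Kx=RSA` column on the two suites the reporter wants: both use static RSA key exchange, so a session key is recoverable by anyone who later obtains the server's private key. Enabling them only for clients that cannot do ECDHE, and keeping the ECDHE suites first in `ssl_ciphers`, limits that exposure.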
I'm not sure how it's done with certbot: personally, I use In general though, yes, regenerating the cert with the RSA type should help. But I'd recommend having two certs of different types configured. And, as we sorted out the nginx part, I will the issue =)
Regenerating the certificate with I'm not investigating the dual-certificate suggestion now for lack of time, but will definitely do it sooner or later. Thanks!
Describe the bug
Not really a bug, but a help request.
I'm reporting here the problem I'm facing to enable older ciphers in a modern nginx deployment.
The original problem was posted on the nginx-derived image repository: JonasAlfredsson/docker-nginx-certbot#247
Short description: I need to enable AES128-GCM-SHA256 or AES256-GCM-SHA384, but all attempts have failed so far.
What I tried:
ssl_ciphers and added ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3. The system still enables only TLS1.2.
For any change I've ever applied, the Qualys SSL test tool never shows the wanted ciphers, although changes on other ciphers are reflected in the detected list.
Also trying a connection with
openssl s_client -cipher AES128-GCM-SHA256 -connect HIDDEN:443 -tls1_2
fails. Am I missing some important point?
Your environment
Additional context
More discussions and attempts here: JonasAlfredsson/docker-nginx-certbot#247