http2 ciphers question on correct order /availability

Sophie Loewenthal
http2 ciphers question on correct order /availability
January 23, 2018 11:50AM
Hi,

Did I add or remove the wrong ciphers for http2, and are they in the correct order? I found plenty of different documents on the Internet. Since mine is now broken, I should ask here :) Any ideas?


Error message from Chrome:
ERR_SSL_VERSION_OR_CIPHER_MISMATCH


My nginx.conf has,

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_session_cache shared:SSL:15m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;


The vhost has http2 switched on with TLS 1.2 only:

server {
    listen 443 ssl http2;

    ....

    ssl_prefer_server_ciphers On;
    ssl_protocols TLSv1.2;
    ssl_session_timeout 8m;
    ssl_ecdh_curve secp521r1;

    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header Referrer-Policy "no-referrer";
}

Sophie





_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
A. Schulze
Re: http2 ciphers question on correct order /availability
January 23, 2018 04:00PM
Sophie Loewenthal:


> ssl_ecdh_curve secp521r1;

I never used that curve. If there's no specific reason for secp521r1,
try secp384r1 or leave it empty,
and see what will happen.

Andreas


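A small checker, added here as an example and not code from the thread or from nginx, that parses the directives Sophie posted and flags the ssl_ecdh_curve choice Andreas pointed at, plus two hygiene issues (deprecated protocol versions, duplicate add_header lines). The browser group list is an assumption labelled in the code: Chrome offers X25519, P-256 and P-384 in its supported_groups and does not offer secp521r1 (and no longer offers DHE suites), so a server restricted to secp521r1 with an EECDH/EDH-only cipher list has no key exchange in common with it, which is exactly what ERR_SSL_VERSION_OR_CIPHER_MISMATCH reports. The sample configurations are constructed from the post and from Andreas's suggested fix.

```python
"""Constructed example: lint the nginx TLS directives from the thread."""
import re

# Assumption: named groups Chrome sends in its ClientHello (X25519, P-256,
# P-384). secp521r1 is not among them, so a server restricted to that curve
# cannot complete an ECDHE handshake with Chrome.
BROWSER_GROUPS = {"x25519", "prime256v1", "secp256r1", "secp384r1"}
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# One-line directive: name, whitespace, value, terminating semicolon.
DIRECTIVE_RE = re.compile(r"^\s*([a-z_]+)\s+(.*?);\s*$")

# Constructed from the vhost in the first post (ssl_ecdh_curve secp521r1).
SAMPLE_BROKEN = """
server {
    listen 443 ssl http2;
    ssl_prefer_server_ciphers On;
    ssl_protocols TLSv1.2;
    ssl_session_timeout 8m;
    ssl_ecdh_curve secp521r1;
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
}
"""

# Constructed: the same vhost with Andreas's suggestion applied and the
# duplicated header removed.
SAMPLE_FIXED = """
server {
    listen 443 ssl http2;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2;
    ssl_ecdh_curve secp384r1;
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options SAMEORIGIN;
}
"""


def parse_directives(conf):
    """Extract (name, value) pairs for simple one-line directives.
    Block openers and closers, comments and placeholder lines are skipped."""
    pairs = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0]
        m = DIRECTIVE_RE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2).strip()))
    return pairs


def check_tls(conf):
    """Return a list of (directive, problem) findings for one server block."""
    findings = []
    seen_headers = set()
    for name, value in parse_directives(conf):
        if name == "ssl_ecdh_curve":
            # nginx accepts a colon-separated list of curves.
            offered = {c.strip().lower() for c in value.split(":")}
            if not offered & BROWSER_GROUPS:
                findings.append((name, "no curve in common with the browser; "
                                       "ECDHE suites cannot be negotiated"))
        elif name == "ssl_protocols":
            old = sorted(DEPRECATED_PROTOCOLS & set(value.split()))
            if old:
                findings.append((name, "deprecated protocol(s) enabled: "
                                       + ", ".join(old)))
        elif name == "ssl_prefer_server_ciphers":
            if value.lower() != "on":
                findings.append((name, "server cipher preference is off"))
        elif name == "add_header":
            header = value.split()[0].lower()
            if header in seen_headers:
                findings.append((name, "duplicate header " + header))
            seen_headers.add(header)
    return findings


if __name__ == "__main__":
    for label, conf in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(label, check_tls(conf) or "no findings")
```

Running the module prints the two findings for the posted vhost (the curve mismatch and the repeated X-Content-Type-Options header) and nothing for the fixed one; the http-level `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` line from nginx.conf would additionally be reported for the two deprecated versions, although the vhost's own `ssl_protocols TLSv1.2;` overrides it for that server.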
Sophie Loewenthal
Re: http2 ciphers question on correct order /availability
January 23, 2018 04:10PM
That solved the problem. Thank-you Andreas.

> On 23 Jan 2018, at 15:52, A. Schulze <[email protected]> wrote:
>
>
> Sophie Loewenthal:
>
>
>> ssl_ecdh_curve secp521r1;
>
> I never used that curve. If there's no specific reason for secp521r1, try secp384r1 or leave it empty,
> and see what will happen.
>
> Andreas
>
>
