For a few weeks, my web server, Nginx, has had a problem with TLS protocol versions 1.1 and 1.2:

When a user tries to connect to my website, the web browser and Nginx choose only TLS 1.0 for the connection.

In the Nginx virtual host conf file, I specified the use of TLS 1.0, 1.1 and 1.2:

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers AES256-SHA256:AES256-SHA;
    ssl_prefer_server_ciphers on;
Package versions (newest for both):

    nginx version: nginx/1.4.2
    TLS SNI support enabled
    configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-mail --with-mail_ssl_module --with-file-aio --with-cc-opt='-g -O2 -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt= --with-ipv6
    OpenSSL 1.0.1e 11 Feb 2013
Linux distribution: Debian 7.1 x64
Qualys SSL Labs result:
TLS 1.2 No
TLS 1.1 No
TLS 1.0 Yes
SSL 3 No
SSL 2 No
I tried to reboot and update, nothing. I checked the nginx conf file for each virtual host: all have the same parameters for ssl_protocols.
What is my mistake?
Thanks
haflinger
Best Answer
Without messing up the installed OpenSSL version that comes with your system, you can try to build nginx with a custom OpenSSL version. Specify the following option when building your nginx package. I do this with my custom rpm and the latest OpenSSL version.
Once built like this, install only the nginx package on your server and try the SSL Labs test again. It should now show support for more versions.
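A first thing to rule out in a case like this is whether the OpenSSL library nginx actually uses can speak the protocols named in `ssl_protocols` at all: TLS 1.1 and 1.2 only exist from OpenSSL 1.0.1 onward, and nginx silently drops configured protocols its library cannot offer. The script below is an added example (not code from the asker or the answerer) that parses `nginx -V` output and the `ssl_protocols` / `ssl_ciphers` directives and reports which configured protocols the linked library can really negotiate. It uses the question's own build output (which reports OpenSSL 1.0.1e and therefore passes the check) alongside a constructed, hypothetical `nginx -V` sample for a binary linked against OpenSSL 1.0.0, to show how the mismatch would surface. Because the runtime library can differ from the build-time one, it also honours the "running with OpenSSL ..." form that newer nginx versions print.

```python
import re

# Constructed from the question's own `nginx -V` output (trimmed); the build reports OpenSSL 1.0.1e.
PAGE_NGINX_V = """nginx version: nginx/1.4.2
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-ipv6
OpenSSL 1.0.1e 11 Feb 2013
"""

# Constructed, hypothetical output for a binary linked against a pre-1.0.1 library.
OLD_NGINX_V = """nginx version: nginx/1.4.2
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-http_ssl_module
OpenSSL 1.0.0e 6 Sep 2011
"""

# The question's vhost directives.
PAGE_CONF = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers AES256-SHA256:AES256-SHA;
ssl_prefer_server_ciphers on;
"""

# First OpenSSL release able to speak each protocol that ssl_protocols can name
# (TLS 1.1 and 1.2 both arrived in OpenSSL 1.0.1; 1.0.0 and 0.9.8 builds lack them).
MIN_OPENSSL_FOR = {
    "SSLv2": (0, 9, 8),
    "SSLv3": (0, 9, 8),
    "TLSv1": (0, 9, 8),
    "TLSv1.1": (1, 0, 1),
    "TLSv1.2": (1, 0, 1),
}

_VER = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def openssl_versions(nginx_v_output):
    """Return (built_with, running_with) version tuples parsed from `nginx -V`.

    Newer nginx prints "built with OpenSSL X (running with OpenSSL Y)" when the
    runtime library differs from the build-time one; older output carries a single
    version string. running_with is None when only one version is reported.
    """
    found = _VER.findall(nginx_v_output)
    if not found:
        return None, None
    built = tuple(int(x) for x in found[0])
    running = None
    m = re.search(r"running with\s+" + _VER.pattern, nginx_v_output)
    if m:
        running = tuple(int(x) for x in m.groups())
    return built, running


def parse_directive(conf_text, name):
    """Return the arguments of the first `<name> ...;` directive, or [] if absent."""
    m = re.search(r"(?m)^\s*" + re.escape(name) + r"\s+([^;]+);", conf_text)
    return m.group(1).split() if m else []


def effective_protocols(conf_text, nginx_v_output):
    """Intersect the configured ssl_protocols with what the linked OpenSSL can offer."""
    configured = parse_directive(conf_text, "ssl_protocols")
    built, running = openssl_versions(nginx_v_output)
    lib = running or built  # the library loaded at runtime decides what is negotiable
    usable, unavailable = [], []
    for proto in configured:
        needed = MIN_OPENSSL_FOR.get(proto)
        if lib is not None and needed is not None and lib >= needed:
            usable.append(proto)
        else:
            unavailable.append(proto)
    return {"openssl": lib, "configured": configured,
            "usable": usable, "unavailable": unavailable}


def tls12_only_ciphers(conf_text):
    """Ciphers from ssl_ciphers that require TLS 1.2 (SHA-256/384 HMAC or AEAD suites)."""
    ciphers = ":".join(parse_directive(conf_text, "ssl_ciphers")).split(":")
    return [c for c in ciphers if re.search(r"SHA256|SHA384|GCM|CHACHA20", c)]


if __name__ == "__main__":
    for label, out in (("page build", PAGE_NGINX_V), ("older library", OLD_NGINX_V)):
        r = effective_protocols(PAGE_CONF, out)
        print(label, r["openssl"], "usable:", r["usable"], "silently dropped:", r["unavailable"])
    print("TLS 1.2-only ciphers:", tls12_only_ciphers(PAGE_CONF))
```

Run it against the real `nginx -V` output and the vhost file on the server; if the "silently dropped" list is non-empty, the answer above (rebuilding nginx against a current OpenSSL) is the fix, and the SSL Labs table can be used to confirm afterwards. The cipher check is a separate caveat: a suite such as `AES256-SHA256` is only negotiable under TLS 1.2, so an `ssl_ciphers` list made entirely of such suites would lock out every client that cannot reach TLS 1.2 even when TLS 1.0 is enabled.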