Nginx – Cipher String Syntax

nginxssl

In an nginx configuration file, you might configure a list of SSL ciphers like this

ssl_ciphers                HIGH:!aNULL:!eNULL:!LOW:!ADH:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;

What's the syntax of this cipher string? That is, I know (or think I know, correct me if I'm wrong) that this string is meant to provide a list of possible SSL ciphers, as well as provide a priority for them. What the documentation is less great at is explaining the format of this string.

Specific questions

Is the ! a negation? That is, does !DSS means don't use DSS? Or is !DSS the same of a cipher?
Are the : characters separators? That is is teh above a list of ciphers "HIGH, !aNULL, !eNULL, etc…", or does the : mean something else
Are HIGH and LOW the same of ciphers, or are they special meta-directives of some kind
Not pictured above, but I've seen strings like this AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:. Are the - characters part of the cipher name, or do they have a special meaning?

Is there a resource that explains how this string works, or is this a case where the people expected to work with the string are also expected to read the nginx source to figure out how it works?

Best Answer

This syntax is from OpenSSL. See CIPHER LIST FORMAT.

Further down it lists different ciphers and these meta ciphers like HIGH

Excerpt:

The cipher list consists of one or more cipher strings separated by colons. Commas or spaces are also acceptable separators but colons are normally used.

The actual cipher string can take several different forms.

It can consist of a single cipher suite such as RC4-SHA.

It can represent a list of cipher suites containing a certain algorithm, or cipher suites of a certain type. For example SHA1 represents all ciphers suites using the digest algorithm SHA1 and SSLv3 represents all SSL v3 algorithms.

Lists of cipher suites can be combined in a single cipher string using the + character. This is used as a logical and operation. For example SHA1+DES represents all cipher suites containing the SHA1 and the DES algorithms.

Each cipher string can be optionally preceded by the characters !, - or +.

If ! is used then the ciphers are permanently deleted from the list. The ciphers deleted can never reappear in the list even if they are explicitly stated.

If - is used then the ciphers are deleted from the list, but some or all of the ciphers can be added again by later options.

If + is used then the ciphers are moved to the end of the list. This option doesn't add any new ciphers it just moves matching existing ones.

...

Related Solutions

Nginx has ssl module, but thinks it doesn’t

You are missing the SSL on directive.

http://wiki.nginx.org/HttpSslModule

Nginx/Apache: set HSTS only if X-Forwarded-Proto is https

You could have multiple server blocks. So just add new server block for domains that need HSTS.

server {
    listen xx.xx.xxx.xxx:443 ssl default_server;

    # all ssl stuff
    # and other directives
}

server {
    listen xx.xx.xxx.xxx:443 ssl;
    server_name example.com other.example.com;

    # all ssl stuff
    # and other directives with HSTS enabled
}

Here first block will handle all https connections except example.com and other.example.com.

And you don't need ssl on directive if you have ssl flag in listen.

EDIT

There is another solution with only one server block:

map $scheme:$host $hsts_header {
    default "";
    https:example.com "max-age=31536000";
    https:other.example.com "max-age=31536000";
}

server {
    server_tokens off;

    listen xx.xx.xxx.xxx:80;
    listen xx.xx.xxx.xxx:443 ssl;

    ssl_certificate /etc/ssl/foo.crt;
    ssl_certificate_key /etc/ssl/private/foo.key;

    ssl_session_timeout 10m;

    # ... other ssl stuff

    location / {
        proxy_pass http://127.0.0.1:81;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header Host $host;
        add_header X-XSS-Protection "1; mode=block";
        add_header Strict-Transport-Security $hsts_header;
    }
}

We use map to define HSTS header value and use the fact, than nginx will not add header with empty value.

Best Answer

Related Solutions

Nginx has ssl module, but thinks it doesn’t

Nginx/Apache: set HSTS only if X-Forwarded-Proto is https

Related Topic