I have a device that is trying to connect with the following Client Hello captured from Wireshark:
It looks like the only Cipher Suite it supports is ECDHE-ECDSA-AES128-GCM-SHA256, so I'm therefore trying to enable this with nginx.
```nginx
events {
}
http {
    server {
        listen 443 ssl;
        ssl_certificate /etc/nginx/certs/nginx.crt;
        ssl_certificate_key /etc/nginx/certs/nginx.key;
        server_name xxx.yyy.zzz;
        ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256';
    }
}
```
I don't get an error when running nginx with that config:
```shell
$ docker run -p 443:443 -v (pwd):/etc/nginx/certs -v (pwd)/nginx.conf:/etc/nginx/nginx.conf nginx
```
However, the list of supported ciphers comes back null with sslscan:
```
$ sslscan localhost
Version: 1.11.12-static
OpenSSL 1.0.2f 28 Jan 2016
ERROR: Could not open a connection to host localhost (::1) on port 443.
Connected to 127.0.0.1
Testing SSL server localhost on port 443 using SNI name localhost
TLS Fallback SCSV:
Server supports TLS Fallback SCSV
TLS renegotiation:
Session renegotiation not supported
TLS Compression:
Compression disabled
Heartbleed:
TLS 1.2 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.0 not vulnerable to heartbleed
Supported Server Cipher(s):
$
```
I'm not an ops guy, so I'm not familiar with setting up servers. I just need to get this IoT device to connect to my server.
So how can I go about enabling the ECDHE-ECDSA-AES128-GCM-SHA256 cipher suite with nginx?
Best Answer
You can view available ssl_ciphers using:
To get a more "eye friendly" output try:
to check if your desired cipher is available to nginx.
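One way to check, offline, whether a cipher string like the one in the question can actually be served, as an added example that is neither part of the question nor of the answer above. It uses Python's standard `ssl` module (which wraps the same OpenSSL cipher-string syntax nginx's `ssl_ciphers` uses) to expand the string, and reports the certificate key type each matched suite requires: an `ECDHE-ECDSA-*` suite can only be offered by a server whose `ssl_certificate` holds an EC (ECDSA) key, so an RSA certificate leaves the server with no usable suite, which is exactly what an empty "Supported Server Cipher(s):" list from sslscan looks like. The function names, the `server_cert_key_type` parameter and the `NGINX_SSL_CIPHERS` constant are this example's own; the cipher string itself is copied from the question's config.

```python
import ssl

# Cipher string from the nginx config in the question (ssl_ciphers).
NGINX_SSL_CIPHERS = "ECDHE-ECDSA-AES128-GCM-SHA256"


def describe_ciphers(cipher_string):
    """Expand an OpenSSL cipher string (same syntax as nginx ssl_ciphers) and
    return {suite_name: {"kx": ..., "auth": ..., "protocol": ...}} for every
    TLS 1.2-and-below suite it matches. OpenSSL 1.1.1+ always appends the
    TLS 1.3 suites, which are not governed by the cipher string, so they are
    skipped here. Raises ssl.SSLError if the string matches nothing at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    suites = {}
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue
        # Python reports e.g. 'kx-ecdhe' / 'auth-ecdsa'; normalise to the
        # bare algorithm so callers can compare against 'rsa' / 'ecdsa'.
        suites[c["name"]] = {
            "kx": c["kea"].lower().replace("kx-", ""),
            "auth": c["auth"].lower().replace("auth-", ""),
            "protocol": c["protocol"],
        }
    return suites


def certificate_types_needed(cipher_string):
    """Map each matched suite to the key type the server certificate must
    carry for that suite to be offered ('ecdsa' for *-ECDSA-*, 'rsa' for
    *-RSA-*). nginx silently drops suites its ssl_certificate cannot satisfy."""
    return {name: info["auth"] for name, info in describe_ciphers(cipher_string).items()}


def usable_suites(cipher_string, server_cert_key_type):
    """Suites the server could really negotiate given its certificate key type
    ('rsa' or 'ecdsa', e.g. read from `openssl x509 -noout -text`). An empty
    list reproduces the symptom in the question: a handshake fails and a
    scanner lists no supported ciphers."""
    want = server_cert_key_type.lower()
    return sorted(
        name for name, info in describe_ciphers(cipher_string).items()
        if info["auth"] == want
    )


if __name__ == "__main__":
    # Constructed walk-through: the question's cipher string against the two
    # common certificate key types.
    for name, key_type in certificate_types_needed(NGINX_SSL_CIPHERS).items():
        print(f"{name}: needs a {key_type.upper()} certificate")
    for key_type in ("rsa", "ecdsa"):
        print(f"with an {key_type.upper()} cert: {usable_suites(NGINX_SSL_CIPHERS, key_type) or 'no usable suite'}")
```

If `usable_suites` comes back empty for the key type of the certificate configured in `ssl_certificate`, the fix is on the certificate side (issue the server an EC certificate, or add a second `ssl_certificate`/`ssl_certificate_key` pair with an EC key, which nginx supports alongside the RSA pair) rather than on the cipher string, which is already correct for that device.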