Nginx – SSL/TLS Version in Nginx

httpsnginxopensslssltls

I installed Nginx and enabled SSL.

server {
  server_name vorb.de;
  listen      443;

  root        /var/www/vorb.de/pub;

  ssl         on;
  ssl_certificate     cert.pem;
  ssl_certificate_key cert.key;

  gzip        on;
  […]
}

Everything is working so far. The only thing that annoys me is that Chrome shows that the Server is using SSL 3.0 when you click on the lock/https icon. This version of SSL is deprecated (see https://vorb.de). When I visit an error page, everything is OK, since it shows TLS 1.0 being used (see https://vorb.de/non-existing-page). I am running Debian 6 Squeeze, Nginx 0.7.67 and OpenSSL 0.9.8o.

Do you know, why this happens?

Best Answer

I had similar problem, commenting below line helped fixing the error. Final code looked like below -

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#ssl_ciphers PROFILE=SYSTEM;

Correct way in new versions of nginx

Turn out my first answer to this question was correct at certain time, but it turned into another pitfall - to stay up to date please check Taxing rewrite pitfalls

I have been corrected by many SE users, so the credit goes to them, but more importantly, here is the correct code:

server {
       listen         80;
       server_name    my.domain.com;
       return         301 https://$server_name$request_uri;
}

server {
       listen         443 ssl;
       server_name    my.domain.com;
       # add Strict-Transport-Security to prevent man in the middle attacks
       add_header Strict-Transport-Security "max-age=31536000" always; 

       [....]
}

SSL Certificate – How to Download SSL Certificate from a Website

In order to download the certificate, you need to use the client built into openssl like so:

echo -n | openssl s_client -connect $HOST:$PORTNUMBER -servername $SERVERNAME \
    | openssl x509 > /tmp/$SERVERNAME.cert

That will save the certificate to /tmp/$SERVERNAME.cert.

The -servername is used to select the correct certificate when multiple are presented, in the case of SNI.

You can use -showcerts if you want to download all the certificates in the chain. But if you just want to download the server certificate, there is no need to specify -showcerts. The x509 at the end will strip out the intermediate certs, you will need to use sed -n '/-----BEGIN/,/-----END/p' instead of the x509 at the end.

echo -n gives a response to the server, so that the connection is released

openssl x509 removes information about the certificate chain and connection details. This is the preferred format to import the certificate into other keystores.

Best Answer

Related Solutions

NGINX Redirect – How to Rewrite All HTTP Requests to HTTPS While Maintaining Sub-Domain

Correct way in new versions of nginx

SSL Certificate – How to Download SSL Certificate from a Website

Related Topic