I am using Let's Encrypt to install a free TLS/SSL certificate on my server. I followed the suggestion of the Mozilla SSL Configuration Generator and configured nginx like this:
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
The problem is that I need Java 7 to communicate with the server and it doesn't work with the configuration above.
When I submit my site to ssllabs I get the following message:
Java 7u25 Server sent fatal alert: handshake_failure
If I just comment out the ssl_ciphers line in the nginx configuration, then the communication with Java 7 starts to work.
# After commenting the line below it works
# ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
So I get the following message from ssllabs:
Java 7u25 RSA 2048 (SHA256) TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
I would not like to leave the ssl_ciphers line commented out, because nginx would use its default configuration, which is less secure.
I would like just to add the cipher TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA to the ssl_ciphers list.
Is it possible? How do I do it?
From OpenSSL's cipher list or this nice table from testssl.sh, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA corresponds to ECDHE-RSA-AES128-SHA. So you'd set your ssl_ciphers directive to
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-SHA";
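The following check is an added example, not part of the original answer: it expands both cipher strings with the OpenSSL that Python's ssl module is linked against and looks the suite up by its IANA code point (0xC0,0x13), confirming the name mapping and that only the extended string enables it. It assumes the local OpenSSL build behaves like the one nginx uses; the function names are illustrative.

```python
import ssl

# Cipher strings from the question and the answer above.
ORIGINAL = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
EXTENDED = ORIGINAL + ":ECDHE-RSA-AES128-SHA"

# IANA code point of TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xC0,0x13).
JAVA7_SUITE_ID = 0xC013


def expand(cipher_string):
    """Return (code point, OpenSSL name) pairs that the local OpenSSL
    enables for a cipher string, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # OpenSSL stores the id as 0x0300XXXX; the low 16 bits are the IANA value.
    return [(c["id"] & 0xFFFF, c["name"]) for c in ctx.get_ciphers()]


def openssl_name(cipher_string, code_point):
    """OpenSSL name of the suite with this IANA code point, or None if
    the cipher string does not enable it."""
    for cp, name in expand(cipher_string):
        if cp == code_point:
            return name
    return None


def added_suites(before, after):
    """Suites enabled by `after` that `before` did not enable."""
    old = {name for _, name in expand(before)}
    return [name for _, name in expand(after) if name not in old]


if __name__ == "__main__":
    for label, cs in (("original", ORIGINAL), ("extended", EXTENDED)):
        print(label, "->", openssl_name(cs, JAVA7_SUITE_ID))
    print("added by the change:", added_suites(ORIGINAL, EXTENDED))
```

The last line of output lists every suite the change enables, which makes it easy to confirm that appending one name did not widen the list further than intended.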