How to add ssl cipher to ssl_ciphers in nginx

2019-08-17 02:26发布

I am using Let's Encrypt to install a free TLS/SSL certificate in my server. I followed the suggestion of Mozilla SSL Configuration Generator and configured nginx like this:

ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

The problem is that I need Java 7 to communicate with the server and it doesn't work with the configuration above.

When I submit my site to ssllabs I get the following message:

Java 7u25   Server sent fatal alert: handshake_failure

If I just comment the ssl_ciphers line in nginx configuration, than the communication with Java 7 starts to work.

# After commenting the line below it works
# ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

So I get the following message from ssllabs:

Java 7u25   RSA 2048 (SHA256)   TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

I would not like to let the ssl_ciphers line commented, because nginx would use its default configuration, which is less secure.

I would like just to add the cipher TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA to the ssl_ciphers list.

Is it possible? How to do it?

1条回答
男人必须洒脱
2楼-- · 2019-08-17 03:18

From OpenSSL's cipher list or this nice table from testssl.sh, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA corresponds to ECDHE-RSA-AES128-SHA. So you'd set your ssl_ciphers directive to

ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-SHA";

查看更多
登录 后发表回答