How to enable back TLSv1 and TLSv1.1 on nginx? - ssl

My nginx confid files looks like:
server {
listen 80;
listen [::]:80;
server_name hostserver.ru www.hostserver.ru;
return 301 https://hostserver.ru$request_uri;
server_tokens off;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name hostserver.ru www.hostserver.ru;
ssl_certificate /etc/letsencrypt/live/hostserver.ru/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/hostserver.ru/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-R$
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000" always;
ssl_stapling on;
ssl_stapling_verify on;
root /var/www/html;
index index.html index.htm;
server_tokens off;
... some location stuff...
}
Ufortunatelly, TLS1.2 not supported by Android 4.0-4.3 and I've chanched config:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
But after using SSLTest it shows me report that TLS1 and TLS1.1 are not supported.
Did I missed smth to change in config files?
Thanks in advance.
UPDATE: I've checked certificates by command:
openssl s_client -tls1 (and so on) -connect example.org:443 < /dev/null
and certificate enabled for each protocol.

I don't know which ciphers work with TLSv1 and TLSv1.1. But I notice from testing sites with SSLTest, that the GCM ciphers are listed against TLSv1.2 only.
You may need to use a more inclusive list of ciphers.
For example:
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

Related

NET::ERR_SSL_OBSOLETE_VERSION with Chrome

I have a node app hosted in AWS ec2 and installed letsencrypt certificates. When I am trying to access the API, it is giving error
Connection - obsolete connection settings
The connection to this site is encrypted and authenticated using TLS 1.0, ECDHE_RSA, and AES_256_CBC with HMAC-SHA1.
TLS 1.0 is obsolete. Enable TLS 1.2 or later.
AES_256_CBC is obsolete. Enable an AES-GCM-based cipher suite.
SSL Certificates shows correctly from letsencrypt
I have infact set TLS 1.2 AES-GCM-based cipher in config file. my nginx version is
nginx version: nginx/1.16.1
OpenSSL 1.0.2k-fips 26 Jan 2017
Any pointers?
here is my nginx.conf file snippet
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server {
listen 80;
listen 443 ssl;
server_name localhost;
root /usr/share/nginx/html;
ssl_certificate /opt/ssl/cacert.pem;
ssl_certificate_key /opt/ssl/privkey.pem;
ssl_session_timeout 5m;
ssl_protocols SSLv2 TLSv1.2 TLSv1.1 TLSv1;
#ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
#charset koi8-r;
}
server {
listen 443 ssl http2;
server_name aws.qureme.co.in;
root /usr/share/nginx/html;
ssl_certificate /etc/letsencrypt/live/aws.qureme.co.in/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/aws.qureme.co.in/privkey.pem;
ssl_session_timeout 5m;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_ecdh_curve secp384r1;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8;
}
}
The problem was when I set a different protocol and ciphers for 2 server Block( one for IP Address and another phone for domain name.
THANKS A LOT FOR STEFFEN ULLRICH for the input. Here is the modifed spec
server {
listen 80;
listen 443 ssl;
server_name localhost;
root /usr/share/nginx/html;
ssl_certificate /opt/ssl/cacert.pem;
ssl_certificate_key /opt/ssl/privkey.pem;
ssl_session_timeout 5m;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1 TLSv1.3;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
ssl_prefer_server_ciphers on;
}
server {
listen 443 ssl http2;
server_name aws.qureme.co.in;
root /usr/share/nginx/html;
ssl_certificate /etc/letsencrypt/live/aws.qureme.co.in/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/aws.qureme.co.in/privkey.pem;
ssl_session_timeout 5m;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
}

How to I override nginx ssl protocols?

I am web developer using nginx 1.6.2 ver using openssl 1.0.2h
I manage a lot of domains.
And very interested in security.
So My default nginx ssl setting is right here.
default.conf
server {
listen 443;
server_name localhost;
ssl on;
ssl_certificate /etc/nginx/SSL/***.crt;
ssl_certificate_key /etc/nginx/SSL/***.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
location ~ {
root /etc/nginx/html;
index index.php;
return 470;
include /etc/nginx/sites-enabled/error_config;
}
}
as you can see, I used only ssl_protocols TLSv1, TLSv1.1, TLSv1.2
and I want to one of domains, getssltest.ga
Want to use only TLSv 1.1 & TLSv 1.2
But I tried to change virtual host configure file any way.
However, just adding 'ssl_protocols TLSv1.1 TLSv1.2;' doesn't validate.
like above this.
server {
listen 443;
server_name getssltest.ga www.getssltest.ga;
ssl_protocols TLSv1.1 TLSv1.2;
ssl on;
ssl_certificate **;
ssl_certificate_key **;
include /etc/nginx/sites-enabled/ssl_config;
proxy_http_version 1.1;
I can not find the way. ( I could check the protocols in here https://www.ssllabs.com/ssltest/analyze.html?d=getssltest.ga)
How can I override ssl_protocol to one of my virtual hosts?
Thx.
You can look it into documentation http://nginx.org/en/docs/http/configuring_https_servers.html, configuration should be how that:
server {
listen 443 ssl;
server_name getssltest.ga www.getssltest.ga;
ssl_certificate *;
ssl_certificate_key *;
ssl_protocols TLSv1.1 TLSv1.2;
...
}

SSL not allowed in two configs after nginx/1.11.4 / Ubu 16.04 update

This was working prior to nginx/1.11.4 and update to Ubuntu 16.04 (and it was on 1.11.x before). There are two sites configured to use SSL on a virtual IP (libvirt). When that didn't work (somehow it always landed on the first config alphabetically with SSL), I changed it to use two different virtual IPs and changed libvirt routing two real IPs to 192.168.122.10 and the other to 192.168.122.11, respectively. Now it's simply giving a handshake failure.
server {
listen 192.168.122.11:443 ssl http2;
server_name www.domain2.org domain2.org;
access_log /var/log/nginx/domains/domain2.org.log;
error_log /var/log/nginx/domains/domain2.org.err;
root /app/domain2.org/html;
ssl on;
ssl_certificate /etc/nginx/ssl/domain2.org.crt;
ssl_certificate_key /etc/nginx/ssl/domain2.org.key;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
ssl_ecdh_curve prime256v1;
ssl_prefer_server_ciphers on;
include /etc/nginx/include/php.conf;
include /etc/nginx/include/restrictions.conf;
}
server {
listen 192.168.122.10:443 ssl http2;
server_name domain1.com www.domain1.com *.domain1.com;
access_log /var/log/nginx/domains/domain1.com.log;
error_log /var/log/nginx/domains/domain1.com.err;
root /app/domain1.com/html;
ssl_certificate /etc/nginx/ssl/domain1.cert;
ssl_certificate_key /etc/nginx/ssl/domain1.pkey;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
ssl_ecdh_curve prime256v1;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8;
include /etc/nginx/include/restrictions.conf;
include /etc/nginx/include/php.conf;
}
This is just the standard nginx from nginx.org packaging, and yes it has SNI. I have no idea why this would suddenly stop working.
root#production:/etc/nginx/conf.d# nginx -V
nginx version: nginx/1.11.4
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.2)
built with OpenSSL 1.0.2g-fips 1 Mar 2016 (running with OpenSSL 1.0.2g 1 Mar 2016)
TLS SNI support enabled

SSL Chain Incomplete

After creating 7 SSL Certificates with Let's Encrypt, I have stumbled upon this error. I had setup all my configs correct and I scanned my whole site for SSL Vulnerabilities on [SSLLabs.com][1] and it told me that my server's certificate chain is incomplete.
The grading picture:
My SSL Grading
The error:
The error I got
I am running CentOS Linux release 7.2.1511 (Core) as a Reverse Proxy in NginX. And my configuration is:
# GhostAntiDDoS
server {
listen 443 ssl;
server_name ghostantiddos.com *.ghostantiddos.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/ghostantiddos.com/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/ghostantiddos.com/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
add_header Strict-Transport-Security max-age=15768000;
# Bulletin
#limit_conn conn_limit_per_ip 10;
#limit_req zone=req_limit_per_ip burst=5 nodelay;
client_body_timeout 5s;
client_header_timeout 5s;
....
The rest of the parts are hidden as they will expose my origin.
If anyone could assist me in this, I'd be great!
Replace
certificate /etc/letsencrypt/live/ghostantiddos.com/cert.pem
by
certificate /etc/letsencrypt/live/ghostantiddos.com/fullchain.pem
then test again with https://ssllabs.com

Is there any way to support ssl while having mass virtual hosts?

Is there anyway to have ssl configured for dynamic mass virtual hosts?
ssl_certificate ssl/$host/mysite.com.crt;
ssl_certificate_key ssl/$host/mysite.com.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+EXP;
ssl_prefer_server_ciphers on;
server {
listen 80;
server_name $host;
root /var/www/html/$host;
}
Using something like this to select the right ssl cert for the host.
I have several thousand sites that need a different document roots and some need ssl capability .