
Nginx Anyone here using Mozilla SSL Config > Nginx > Intermediate?

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by rdan, May 13, 2022.

  1. rdan

    rdan Well-Known Member

    5,444
    1,408
    113
    May 25, 2014
    Ratings:
    +2,201
    Local Time:
    1:25 AM
    Mainline
    10.2
    https://ssl-config.mozilla.org/

    This config specifically:
    Code:
    # intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    
    Using that config on CMM produces these errors on SSL Labs:
    [Screenshot: upload_2022-5-13_4-30-4.png]

     
  2. rdan

    Is that normal or expected?
     
  3. eva2000

    eva2000 Administrator Staff Member

    54,363
    12,198
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,763
    Local Time:
    3:25 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
  4. rdan

    I switched back to the old configuration to quickly fix the red notice :).
    I assume there's no downside to supporting old clients other than A+ ratings.
     
  5. eva2000

    So you just want that older browser compatibility? Or to not see errors in the SSL Labs check? If you don't have browsers that old from visitors, then it shouldn't impact your site.
     
  6. rdan

    This, having the intermediate config and no errors on SSL Labs.
    But having the old config is the very safe route for now.
     
  7. eva2000

    The SSL Labs errors you showed above aren't a problem as long as you don't have a lot of visitors from those old web browser versions.
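
One way to measure how many visitors the intermediate config would actually cut off, as an added example that is not from the thread or from Centmin Mod: while the old configuration is still live, log the negotiated `$ssl_protocol` and `$ssl_cipher` per request and classify each line against the intermediate settings quoted in the first post. The `log_format` layout and the sample log lines are assumptions constructed for this example.

```python
import re
from collections import Counter

# Protocols and TLS 1.2 ciphers copied from the intermediate config in the thread.
PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
CIPHERS = set((
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384").split(":"))

# Assumed log_format (not from the thread):
#   '$remote_addr [$time_local] $ssl_protocol $ssl_cipher "$http_user_agent"'
LINE_RE = re.compile(r'^\S+ \[[^\]]*\] (\S+) (\S+) "([^"]*)"$')

def classify(protocol, cipher):
    """'ok', 'protocol' (handshake would fail) or 'cipher' (might fail)."""
    if protocol not in PROTOCOLS:
        return "protocol"
    # ssl_ciphers does not select TLS 1.3 suites, so only TLS 1.2 is checked.
    if protocol == "TLSv1.2" and cipher not in CIPHERS:
        return "cipher"
    return "ok"

def summarize(lines):
    """Count requests per verdict and tally the user agents at risk."""
    counts, agents = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group(1) == "-":  # unparsable, or plain HTTP (no TLS)
            counts["skipped"] += 1
            continue
        verdict = classify(m.group(1), m.group(2))
        counts[verdict] += 1
        if verdict != "ok":
            agents[m.group(3)] += 1
    return counts, agents

# Constructed sample lines: documentation IPs and made-up user agents.
SAMPLE = [
    '203.0.113.10 [13/May/2022:04:30:04 +0000] TLSv1.3 TLS_AES_256_GCM_SHA384 "modern-browser"',
    '203.0.113.11 [13/May/2022:04:30:05 +0000] TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "modern-browser"',
    '203.0.113.12 [13/May/2022:04:30:06 +0000] TLSv1 ECDHE-RSA-AES128-SHA "old-client-a"',
    '203.0.113.13 [13/May/2022:04:30:07 +0000] TLSv1.2 ECDHE-RSA-AES256-SHA384 "old-client-b"',
    '203.0.113.14 [13/May/2022:04:30:08 +0000] TLSv1.1 AES128-SHA "old-client-a"',
    '203.0.113.15 [13/May/2022:04:30:09 +0000] - - "plain-http-client"',
]

if __name__ == "__main__":
    counts, agents = summarize(SAMPLE)
    print(dict(counts), agents.most_common())
```

The `cipher` count is an upper bound: a client that negotiated a non-listed suite under the old config may still support one of the GCM or ChaCha20 suites, whereas a `protocol` hit means the client did not negotiate TLS 1.2 or newer even though it was offered.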