Welcome to Centmin Mod Community
Become a Member

Nginx SSL How can I support back SSL V3?

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by rdan, Mar 23, 2017.

  1. rdan

    rdan Premium Member Premium Member

    4,415
    1,059
    113
    May 25, 2014
    Ratings:
    +1,542
    Local Time:
    7:35 PM
    Mainline
    10.2
    With the current Nginx 1.11, Can I do it?
    I have this website that still need to support IE 6,7,8 on Windows XP, and Android 2.x due to large audience under that.

    But even using this config doesn't work:
    Code:
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP';
        ssl_prefer_server_ciphers on;
    upload_2017-3-23_3-8-49.png
     
  2. rdan

    rdan Premium Member Premium Member

    4,415
    1,059
    113
    May 25, 2014
    Ratings:
    +1,542
    Local Time:
    7:35 PM
    Mainline
    10.2
    Or is it because I declare? sha256 during the creation of CSR?
     
  3. rdan

    rdan Premium Member Premium Member

    4,415
    1,059
    113
    May 25, 2014
    Ratings:
    +1,542
    Local Time:
    7:35 PM
    Mainline
    10.2
    This is missing on nginx -V:
    --with-openssl-opt="enable-tlsext"

    Is that the reason?
    How to enable that?
     
  4. eva2000

    eva2000 Administrator Staff Member

    37,217
    8,128
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,514
    Local Time:
    9:35 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    pointless now, modern browsers disabled SSLv3 support just get users on old OS to switch to Firefox browsers

    but yes old OSes don't support SHA256 as well https://community.centminmod.com/threads/chrome-browser-39-sunsetting-sha-1-ssl-signatures.1283/

    Microsoft also deprecated SHA-1 algorithms too
     
    Last edited: Mar 23, 2017
    • Informative Informative x 1
..