Nginx SSL How can I support back SSL V3?

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by RoldanLT, Mar 23, 2017.

  1. RoldanLT

    With the current Nginx 1.11, can I do it?
    I have this website that still needs to support IE 6, 7, 8 on Windows XP, and Android 2.x, due to the large audience on those.

    But even using this config doesn't work:
    Code:
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP';
        ssl_prefer_server_ciphers on;
     
  2. RoldanLT

    Or is it because I declared sha256 during the creation of the CSR?
     
  3. RoldanLT

    This is missing on nginx -V:
    --with-openssl-opt="enable-tlsext"

    Is that the reason?
    How do I enable that?
     
  4. eva2000

    Pointless now, modern browsers disabled SSLv3 support. Just get users on old OSes to switch to Firefox browsers.

    But yes, old OSes don't support SHA256 as well: https://community.centminmod.com/threads/chrome-browser-39-sunsetting-sha-1-ssl-signatures.1283/

    Microsoft also deprecated SHA-1 algorithms too.
     
    Last edited: Mar 23, 2017