Nginx Nginx ssl cipher suite

i think depending on cert some roots would be required if the browser doesn't contain a copy https://www.namecheap.com/support/k...x/886/38/chained-and-single-root-certificates and i don't think older browser problem was cert type related but your chosen ciphers

but for @BamaStangGuy your root is already in trust store so not needed AFAIK

Yeah Comodo EssentialSSL has 5 files. While Comodo Positive SSL as well as Comodo SSL/Wildcard SSL all have 3 total

Code:

» ComodoSSL / ComodoSSL Wildcard / ComodoSSL UCC
» Root: AddTrustExternalCARoot.crt
» Intermediate: ComodoSSLCA.crt
» End-Entity/Domain Certificate

» EssentialSSL / Free Certificate
» Root: AddTrustExternalCARoot.crt
» Intermediate 1: UTNAddTrustSGCCA.crt
» Intermediate 2: ComodoUTNSGCCA.crt
» Intermediate 3: EssentialSSLCA_2.crt
» End-Entity/Domain Certificate

» PositiveSSL
» Root: AddTrustExternalCARoot.crt
» Intermediate: PositiveSSLCA2.crt
» End-Entity/Domain Certificate 

 

Yeah quite a few.. I just stick with Wildcard certs myself - if you need to protect >5 subdomains, then wildcard SSL work out cheaper than individual SSL for each subdomain

 

This forum's Nginx and OpenSSL configuration has been updated to Nginx 1.7.3 and Centmin Mod Nginx's static compiled OpenSSL 1.0.1h has been patched with Cloudflare RC4 Kill patched OpenSSL version outlined at https://community.centminmod.com/threads/nginx-ssl-cipher-suite.714/#post-3341

• What cipher suites does CloudFlare use for SSL?
• Killing RC4 (softly)
• Killing RC4: The Long Goodbye

Nginx 1.7.3 updated

Code:

nginx -V
nginx version: nginx/1.7.3
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC)
TLS SNI support enabled
configure arguments: --with-cc-opt='-I/svr-setup/staticlibssl/include -I/usr/include' --with-ld-opt='-L/svr-setup/staticlibssl/lib -Wl,-rpath -lssl -lcrypto -ldl -lz' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-http_ssl_module --with-http_gzip_static_module --with-http_stub_status_module --with-http_sub_module --with-http_addition_module --with-http_image_filter_module --with-http_secure_link_module --with-http_flv_module --with-http_realip_module --with-http_geoip_module --with-openssl-opt=enable-tlsext --add-module=../ngx-fancyindex-ngx-fancyindex --add-module=../ngx_cache_purge-2.1 --add-module=../headers-more-nginx-module-0.25 --add-module=../nginx-accesskey-2.0.3 --add-module=../nginx-http-concat-master --with-http_dav_module --add-module=../nginx-dav-ext-module-0.0.3 --with-openssl=../openssl-1.0.1h --with-libatomic --with-pcre=../pcre-8.35 --with-pcre-jit --with-http_spdy_module --add-module=../ngx_pagespeed-release-1.8.31.4-beta

You can see the patch working on IE8 as it skips all RC4 preferred and prioritised SSL ciphers in it's profile at https://www.ssllabs.com/ssltest/viewClient.html?name=IE&version=8&platform=XP and opts for TLS_RSA_WITH_3DES_EDE_CBC_SHA

Handshake Simulation

 

Added as an option in .08 beta but disabled by default as it's unknown when the next openssl 1.01.x build will break and not be compatible with the patch - committed to .08 beta on Github https://github.com/centminmod/centminmod/commits/123.08beta01 This time no alternate zips it's easier to manage if work from Github for .08 beta01 and .08 centos 7 beta 01 branches

 

looking better

 

.07 stable only gets bug fix updates now. Newer features such as this go into .08 beta+ for now

 

Google led me to RapidSSL - Knowledge Center - SSL Certificates Support - but asking RapidSSL support probably better

 

the patch doesn't work for me with 1.02a so ignore it might be for 1.02 only

openssl 1.0.2a : Chacha20-Poly1305 patch failed. · Issue #11 · cloudflare/sslconfig · GitHub

 

As i said it' doesn't work at all openssl 1.0.2a : Chacha20-Poly1305 patch failed. · Issue #11 · cloudflare/sslconfig · GitHub