SSL Problem with Forward Secrecy in SSLLabs Test

Discussion in 'Domains, DNS, Email & SSL Certificates' started by CarlosMST, Sep 30, 2014.

  1. CarlosMST

    CarlosMST Member

    43
    0
    6
    Aug 9, 2014
    Ratings:
    +0
    Local Time:
    8:09 AM
    Hello @eva2000 I have a problem with my SSL Test Result.
    I followed your guide Nginx HTTPS / SSL Google SPDY configuration
    Here is the first part of my current nginx vhost configuration:
    Code:
    # FIRST BLOCK
    # Redirect http requests (port 80) to "https without www"
    server {
      server_name mydomain.net www.mydomain.net;
      return 301 https://mydomain.net$request_uri;
    }
    
    # SECOND BLOCK
    # Redirect https requests (port 443) to "https without www"
    server {
      listen 443;
      ssl on;
      ssl_certificate      /usr/local/nginx/conf/ssl/mydomain/ssl-bundle.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/mydomain/ssl.key;
      server_name www.mydomain.net;
      return 301 https://mydomain.net$request_uri;
    
      # Block countries
      if ($allow_visit = no) {
        return 403;
      }
    }
    
    # THIRD BLOCK
    # The rest of the configuration
    
    # https SSL SPDY vhost
    server {
      listen 443 ssl spdy;
      server_name mydomain.net;
    
      ssl_certificate      /usr/local/nginx/conf/ssl/mydomainnet/ssl-bundle.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/mydomainnet/ssl.key;
      ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
      ssl_session_cache      shared:SSL:20m;
      ssl_session_timeout  4h;
      ssl_session_tickets on;
      ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!kEDH:!EDH:!CAMELLIA;
      ssl_prefer_server_ciphers   on;
      add_header Alternate-Protocol  443:npn-spdy/3;
      add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header  X-Content-Type-Options "nosniff";
      #add_header X-Frame-Options DENY;
      # nginx 1.5.9+ or higher
      # http://nginx.org/en/docs/http/ngx_http_spdy_module.html#spdy_headers_comp
      # http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size
      spdy_headers_comp 1;
      ssl_buffer_size 4k;
    
      # enable ocsp stapling
      ssl_stapling on;
      ssl_stapling_verify on;
      #ssl_trusted_certificate /usr/local/nginx/conf/ssl/mydomainnet/ssl-trusted.crt;
      resolver 8.8.8.8 valid=300s;
    I have ssl_ciphers configured and ssl_prefer_server_ciphers on; I think this sets the preferred cipher order, but the SSL Labs test does not recognize this. My test results are here:
    [attached screenshots: ssl1.png, ssl2.png]

    The test marks that the server doesn't support Forward Secrecy and that the server has no cipher preference.
    I tried changing the order of the configuration lines, but with no result.
    Could you help me please?
    Thanks in advance.
     
  2. eva2000

    eva2000 Administrator Staff Member

    53,178
    12,112
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,647
    Local Time:
    11:09 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Nice read at SSL - HTTPS as a Google ranking signal | Centmin Mod Community

    I haven't checked those cipher orders in a while, as I use a custom set for the Cloudflare RC4 Kill patch and for OpenSSL 1.02-beta3 chacha20_poly1305 cipher support.

    I believe the SSL Labs error of no server cipher preference could be due to your SECOND BLOCK, which is listening on 443 but doesn't have all the SSL cipher and other SSL settings.
    Problem block:
    Code:
    # SECOND BLOCK
    # Redirect https requests (port 443) to "https without www"
    server {
      listen 443;
      ssl on;
      ssl_certificate      /usr/local/nginx/conf/ssl/mydomain/ssl-bundle.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/mydomain/ssl.key;
      server_name www.mydomain.net;
      return 301 https://mydomain.net$request_uri;
    
      # Block countries
      if ($allow_visit = no) {
        return 403;
      }
    }
     
    Last edited: Sep 30, 2014
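The diagnosis above is easy to check mechanically: every `server` block that listens on 443 needs its own `ssl_protocols`, `ssl_ciphers` and `ssl_prefer_server_ciphers`, because nginx does not copy them from a sibling block, and the first 443 block defined in the file is also the default server for connections that send no SNI. The following Python script is an added example, not Centmin Mod code or the poster's configuration: it parses a vhost file with a small brace-aware reader and reports which 443 blocks are missing those directives. The sample vhost embedded in it is constructed to mirror the three blocks posted in this thread, with a shortened cipher list; the script assumes the server blocks sit at the top level of the snippet, as they do in a Centmin Mod vhost include.

```python
"""Flag nginx server blocks on port 443 that lack explicit TLS settings.
Added example for this thread (not Centmin Mod code); SAMPLE_VHOST below is
a constructed vhost modelled on the three blocks posted by the OP."""

REQUIRED = ("ssl_protocols", "ssl_ciphers", "ssl_prefer_server_ciphers")


def _tokenize(text):
    """Split nginx config into words, quoted args and the ; { } terminators.
    Quoted args stay whole, so a ';' inside an HSTS header value does not end
    the directive early; '#' comments are dropped."""
    tokens, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c.isspace():
            i += 1
        elif c == "#":
            while i < n and text[i] != "\n":
                i += 1
        elif c in "\"'":
            j = text.index(c, i + 1)          # ValueError on an unterminated quote
            tokens.append(text[i + 1:j])
            i = j + 1
        elif c in ";{}":
            tokens.append(c)
            i += 1
        else:
            j = i
            while j < n and not text[j].isspace() and text[j] not in ";{}\"'#":
                j += 1
            tokens.append(text[i:j])
            i = j
    return tokens


def parse_nginx(text):
    """Return a list of (directive, args, children); children is None for a
    simple 'directive args;' and a nested list for 'directive args { ... }'."""
    tokens = _tokenize(text)
    pos = 0

    def block():
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] != "}":
            words = []
            while pos < len(tokens) and tokens[pos] not in ";{}":
                words.append(tokens[pos])
                pos += 1
            if pos >= len(tokens) or not words:
                raise ValueError("unterminated or empty directive")
            term = tokens[pos]
            pos += 1
            if term == ";":
                items.append((words[0], words[1:], None))
            elif term == "{":
                children = block()
                if pos >= len(tokens):
                    raise ValueError("missing closing brace")
                pos += 1                      # consume the matching '}'
                items.append((words[0], words[1:], children))
            else:
                raise ValueError("unexpected '}' after %r" % words)
        return items

    top = block()
    if pos != len(tokens):
        raise ValueError("unbalanced braces")
    return top


def audit_tls_blocks(text):
    """Map each 443 server block (keyed by its server_name) to the REQUIRED
    directives it is missing; an empty list means the block is complete."""
    report = {}
    for directive, _args, children in parse_nginx(text):
        if directive != "server" or children is None:
            continue
        listens = [a for d, a, _ in children if d == "listen" and a]
        if not any(a[0].rsplit(":", 1)[-1] == "443" for a in listens):
            continue                          # plain-HTTP block, nothing to check
        present = {d for d, _, _ in children}
        names = next((a for d, a, _ in children if d == "server_name"), ["(unnamed)"])
        report[" ".join(names)] = [r for r in REQUIRED if r not in present]
    return report


SAMPLE_VHOST = """
server {                       # http -> https redirect (no listen = port 80)
  server_name mydomain.net www.mydomain.net;
  return 301 https://mydomain.net$request_uri;
}
server {                       # www redirect on 443 with no cipher settings
  listen 443;
  ssl on;
  server_name www.mydomain.net;
  return 301 https://mydomain.net$request_uri;
  if ($allow_visit = no) {
    return 403;
  }
}
server {                       # the fully configured vhost
  listen 443 ssl spdy;
  server_name mydomain.net;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5;
  ssl_prefer_server_ciphers on;
  add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
}
"""

if __name__ == "__main__":
    for name, missing in audit_tls_blocks(SAMPLE_VHOST).items():
        print(name, "->", "OK" if not missing else "missing " + ", ".join(missing))
```

Run against the sample, the `www.mydomain.net` redirect block is reported as missing all three directives while `mydomain.net` passes; the fix the thread points at is to give that block the same `ssl_protocols`, `ssl_ciphers` and `ssl_prefer_server_ciphers` lines (or an `include` of a shared TLS snippet) rather than relying on OpenSSL defaults.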
  3. rdan

    rdan Well-Known Member

    5,439
    1,397
    113
    May 25, 2014
    Ratings:
    +2,186
    Local Time:
    9:09 PM
    Mainline
    10.2
  4. CarlosMST

    CarlosMST Member

    43
    0
    6
    Aug 9, 2014
    Ratings:
    +0
    Local Time:
    8:09 AM
  5. rdan

    rdan Well-Known Member

    5,439
    1,397
    113
    May 25, 2014
    Ratings:
    +2,186
    Local Time:
    9:09 PM
    Mainline
    10.2
    We're using that on our Live Forums.
     
  6. CarlosMST

    CarlosMST Member

    43
    0
    6
    Aug 9, 2014
    Ratings:
    +0
    Local Time:
    8:09 AM
    @eva2000 @RoldanLT how to implement Cloudflare RC4 kill patch on my centminmod server?
    Cloudflare supports SSL websites for free?
    What is the cost of this service?
    Thanks.
     
  7. eva2000

    eva2000 Administrator Staff Member

    53,178
    12,112
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,647
    Local Time:
    11:09 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    instructions are outlined in @RoldanLT linked post at Nginx - Nginx ssl cipher suite | Centmin Mod Community

    it's not Cloudflare service so no cost, it's just a patch to OpenSSL which Cloudflare made which I applied to Centmin Mod's Nginx OpenSSL static version - see
     
  8. CarlosMST

    CarlosMST Member

    43
    0
    6
    Aug 9, 2014
    Ratings:
    +0
    Local Time:
    8:09 AM