How does one specify a particular cipher suite for a nginx docker instance?

Question

I am running a newly built discourse docker image on Google Compute Engine. I converted that to use https using letsencrypt following the walk through and I get an A+ rating from ssllabs. However the scripting agent I'm using doesn't support either of the two TLS 1.0 cipher suites enabled [TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] and I'd like to add TLS-DHE-RSA-WITH-AES-256-CBC-SHA which is supported by the open source rebol3 fork ren-c.

I've modified my web.ssl.template.yml file from

ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:\
ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:\
ECDHE-RSA-AES256-SHA;

to

ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:\
ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:\
ECDHE-RSA-AES256-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA;

and rebuilt the app using

sudo ./launcher rebuild app

but this doesn't alter the cipher_suites available.

I'm now wondering if I have to alter the nginx.conf directly, wherever that is, instead of asking the discourse build script to do it ...

See [Server Fault](https://serverfault.com/) *(voted to migrate)* — HostileFork says dont trust SE, Jun 03 '17 at 00:37

score 1 · Accepted Answer · answered Jun 11 '17 at 06:47

Changing the line in /var/discourse/templates/web.ssl.template.yml

ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:\
ECDHE-RSA-AES128-SHA256$RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA;

to

ssl_ciphers 'HIGH:!aNULL:!MD5';

changes the supported TLS 1.0 suites to

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp384r1 (eq. 7680 bits RSA)   FS   256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84)    256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp384r1 (eq. 7680 bits RSA)   FS   128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41)

and still gives an A+ rating from ssllabs.

score 0 · Answer 2 · answered Jun 05 '17 at 15:02

0

mkdir -p containers/templates
cp templates/web.ssl.template.yml containers/templates
fuss with the file
add containers/templates/web.ssl.template.yml to you app.yml file in the templates section
profit

answered Jun 05 '17 at 15:02

Sam Saffron

128,308
78
326
506

The web.ssl.template.yml is already in my app.yml as detailed above. Adding it again didn't make any difference :( – Graham Chiu Jun 06 '17 at 07:28

How does one specify a particular cipher suite for a nginx docker instance?

2 Answers2