3

I'm new to nginx and I just recently decided to make a change to the config file to redirect my applications from http to https using the return statement return 301 https://$host$request_uri;. This all worked fine until I noticed that we weren't receiving text messages via Twilio API. I decided to debug the issue and found that I was receiving an SSL/TLS Handshake Error.

Looking into the debugger I saw that they gave this as the possible cause of the issue:

Incompatible cipher suites in use by the client and the server. This would require the client to use (or enable) a cipher suite that is supported by the server.

Looking at the nginx config file, I noticed that there are no ciphers being used, which is probably the root of the problem and not because TLS isn't enabled looking at the config below:

server {
        listen      443 ssl http2 default_server;
        listen      [::]:443 ssl http2 default_server;
        server_name     localhost;

        ssl_certificate "/etc/nginx/ssl/domain-crt.txt";
        ssl_certificate_key "/etc/nginx/ssl/domain-key.txt";
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

        ## More configuration below this...
    }

Twilio has a list of supported ciphers which can be found here, but I'm not sure how to do this within my config file. Am I supposed to use all of them since my protocols include TLSv1, TLSv1.1, and TLS1.2? Or do I only use one of those in the list. I'm really confused as to what I need to have set in my ssl_ciphers variable.

Also I read that having SSLv3 enabled in ssl_protocols is a bad idea. Can I just remove that from the ssl_protocols and save the config without it causing major issues?

If anyone could help me answer these questions, that would be very helpful. Thank You!

Michael
  • 1,454
  • 3
  • 19
  • 45

1 Answers1

4

Ciphers are being used by default and Nginx configure it by the version.

In version 1.0.5 and later, the default SSL ciphers are HIGH:!aNULL:!MD5. In versions 0.7.65 and 0.8.20 and later, the default SSL ciphers are HIGH:!ADH:!MD5. From version 0.8.19 the default SSL ciphers are ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM. From version 0.7.64, 0.8.18 and earlier the default SSL ciphers are ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP. See Nginx Docs for more information.

But you can also be explicit and choose the cipher you want to allow using: ssl_ciphers "cipher1 cipher2 ... cipherN"; For example - ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256"; to support only this specific ciphersuite. Regarding:

Also I read that having SSLv3 enabled in ssl_protocols is a bad idea. Can I just remove that from the ssl_protocols and save the config without it causing major issues?

The only major issue that it can cause is that a client using SSLv3 trying to connect your server will get rejected since it is not acceptable by your server (not supported by the config file). In any case it's Nginx default in some versions and shouldn't be the problem.

From Nginx Docs:

From versions 0.7.65 and 0.8.19 and later, the default SSL protocols are SSLv3, TLSv1, TLSv1.1, and TLSv1.2 (if supported by the OpenSSL library).

BarT
  • 317
  • 2
  • 10
  • This is good advice thank you. Do I just choose one of the ciphers that are listed on their website then? Or do I have to choose one for each of the SSL protocols? – Michael Jun 30 '20 at 12:58
  • You can choose one but then you will allow the client to use only this one, any other cipher will not be acceptable.. I think you should use a variety of ciphers so something like " HIGH:!aNULL:!MD5" will do the work. – BarT Jun 30 '20 at 13:11
  • HIGH means you handshake with the client on the highest cipher acceptable by both sides (server & client). !aNULL means you are not accepting authentication null cipher and it's make sense, and MD5 is another message digest algorithm. – BarT Jun 30 '20 at 13:16
  • Can I combine those with other ciphers? So if I did something like: ```HIGH:!aNULL:!MD5:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA```. Or can I not include multiple ciphers that way? Sorry for all the questions, I just want to make sure I do it right. – Michael Jun 30 '20 at 13:21
  • Yes you can do that, just need to verify that each cipher is valid. – BarT Jun 30 '20 at 14:05
  • Check if you see them in your openssl cipher options. command: `openssl ciphers -V ` – BarT Jun 30 '20 at 14:17