Hi,
I am testing our Plesk Linux server (Plesk 12.0.18 on RHEL 6.6 x64) for a high-security SSL configuration following the Qualys SSL Labs recommendations (https://www.ssllabs.com/ssltest/).
The best choice today is to use elliptic curve cipher suites for secure connection negotiation, but I could not force the Plesk-contributed sw-nginx to use elliptic curve cipher suites (sw-nginx-1.6.0-1.14051516.rhel6.x86_64):
when I place ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDH+AESGCM; in the nginx server and vhost configurations, the secure negotiation is not established.
Starting from RHEL 6.5, Red Hat contributes openssl with EC ciphers - https://access.redhat.com/documenta...erprise_Linux/6/html-single/6.5_Release_Notes (openssl-1.0.1e-30.el6_6.4.x86_64)
OpenSSL on the live system shows these ciphers:
openssl ciphers -v | grep ECDHE
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
...
I think the problem is that sw-nginx is compiled with old openssl binaries without elliptic curve support.
Can the Plesk development team recompile and release an updated sw-nginx package,
or
can the genuine nginx package from the official nginx repository be used instead of the sw-nginx package?
Thanks for the reply!
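A diagnostic sketch for the question above, added here and not part of the original post: it lists the ECDHE suites usable with a given certificate type from openssl ciphers -v output, reads the negotiated suite from openssl s_client output, and shows which OpenSSL library an nginx binary loads. The function names, and the sample lines other than the two quoted in the post, are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Sample text below is constructed.

# The two lines quoted in the post plus one constructed non-ECDHE line.
SAMPLE_CIPHERS='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD'

# Constructed s_client summary lines: a successful and a failed handshake.
SAMPLE_OK='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384'
SAMPLE_FAIL='New, (NONE), Cipher is (NONE)'

# stdin: `openssl ciphers -v` output. $1: certificate key type (RSA or ECDSA).
# Prints the ephemeral-ECDH suites that a certificate of that type can serve.
ecdhe_suites_for_cert() {
    awk -v au="Au=$1" '$3 == "Kx=ECDH" && $4 == au { print $1 }'
}

# stdin: `openssl s_client` output. Prints the negotiated suite or "(NONE)".
negotiated_cipher() {
    sed -n 's/^New, .*Cipher is \(.*\)$/\1/p' | head -n 1
}

# Live check ($1 = host:port, $2 = cipher string): offer only those suites
# and report what the server picked.
probe_server() {
    echo | openssl s_client -connect "$1" -cipher "$2" 2>/dev/null | negotiated_cipher
}

# Shows which libssl/libcrypto the nginx binary ($1 = path) loads at run time.
# No output means the binary does not load a shared OpenSSL, so the system
# `openssl ciphers` list does not describe what that binary supports.
nginx_ssl_libs() {
    ldd "$1" | grep -E 'libssl|libcrypto'
}

# Offline demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_CIPHERS" | ecdhe_suites_for_cert RSA
printf '%s\n' "$SAMPLE_OK" | negotiated_cipher
printf '%s\n' "$SAMPLE_FAIL" | negotiated_cipher
```

On a live host, probe_server takes the server's host:port and the same cipher string that was put in ssl_ciphers, and nginx_ssl_libs takes the path of the nginx binary being tested.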