Resolved nginx HTTP/2 support cipher problems

danami

It seems that enabling nginx HTTP/2 support may break SSL on a lot of devices. Plesk generates its own cipher suite entries in /etc/nginx/conf.d/ssl.conf

Command to enable:
Code:
/usr/local/psa/bin/http2_pref enable

Testing was done using ssllabs
https://www.ssllabs.com

Please take a look at the before and after screenshots. Is this normal behavior?
 

Attachments: before.png, after.png

Try the Qualys cipher list...

/etc/nginx/conf.d/ssl.conf
Code:
ssl_ciphers             EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;

That should help
Regards

Lloyd
 
@Lloyd_mcse unfortunately using that cipher suite lowers the score to a B because weak ciphers are included. Is there no way to keep the same grading with nginx HTTP/2 enabled?
 
It looks like this works. Only old Java and IE6 and IE8 on XP don't work (which I don't care about):
Code:
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
 
Oh sorry, the previous one included RC4. I get an A or A+ using...

Code:
ssl_ciphers                      EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!SEED:!DSS:!CAMELLIA;

I hope it helps
Regards

Lloyd
 
@danami, @Lloyd_mcse

You guys have stumbled upon a problem or a major inconvenience of the http2_pref script: it does change the cipher suite.

Best way to resolve this is

- NOT: adding some cipher suite, found somewhere online (most of them are really not thought through)

- OK: run the pci_compliance_resolver utility from the command line, after running the http2_pref command

- EXCELLENT: create a bespoke cipher suite, exactly satisfying the needs on your server, since (on the one hand) not all ciphers are required and (on the other hand) the best thing to do is to keep a compact cipher suite, with explicit exclusion of specific ciphers.

Note the following (general) remarks:

a) it is logical and common behaviour that activation of the HTTP/2 protocol support will result in TLS versions lower than 1.2 not being supported,

b) the above-mentioned logic is primarily related to the OpenSSL version (and only secondarily related to HTTP/2 support in Nginx), with

- Nginx support for HTTP/2 requiring the ALPN (Application-Layer Protocol Negotiation) TLS extension, which is only supported as of OpenSSL version 1.0.2 (latest stable version),
- OpenSSL version 1.0.2 (and/or the OS vendor compiled packages) primarily supporting TLS 1.2 with ALPN,
- lower TLS versions (read: TLS < 1.2) not leading to HTTP/2 based connections with the Nginx reverse proxy,

and the above simply implies that Nginx does not communicate via the HTTP/2 protocol, if the concerning client implementation is requiring lower TLS versions for the handshake process.

c) it is, at least from the perspective of security, not recommended to allow lower TLS versions in the case that HTTP/2 support is enabled, since that

- could force specific client implementations (read: modern mainstream browsers, amongst others) to use TLS < 1.2 (this scenario does not really happen often)
- would allow client implementations requiring TLS < 1.2 to connect to the Nginx reverse proxy, which is not a problem in itself, but does raise the question: why enable HTTP/2?


In short, it seems to be logical to disable ciphers for lower TLS versions, if HTTP/2 support is enabled.

The words "seems logical" are entirely correct, since in my humble opinion it is rather strange that activation of HTTP/2 protocol only has effect for some client implementations.

Regards.....
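As an added example (not code from the thread, from Plesk or from any of the posters), the check below expands a candidate ssl_ciphers string with Python's ssl module, the way nginx hands it to OpenSSL, and flags the suites the posts above argue about (RC4, 3DES, CBC, SHA-1/MD5 MACs, static RSA, anonymous key exchange). The weak-suite rules and the two sample cipher strings are my own, and the rules assume the OpenSSL long names that SSLContext.get_ciphers() exposes (kx-rsa, aes-128-cbc, sha1, and so on).

```python
"""Audit an nginx ssl_ciphers string before deploying it (added example, not from
the thread). The string is expanded by the OpenSSL build Python links against,
exactly as nginx hands it to OpenSSL, then each suite is checked for the
properties that typically cost an SSL Labs grade."""
import ssl

# (key in an SSLContext.get_ciphers() entry, substring of its OpenSSL long name, reason)
# Assumption: these long names match the OpenSSL build Python is linked against.
WEAK_RULES = (
    ("symmetric", "rc4", "RC4 stream cipher"),
    ("symmetric", "des-ede3", "3DES (64-bit block, Sweet32)"),
    ("symmetric", "-cbc", "CBC mode (no AEAD)"),
    ("digest", "md5", "MD5 MAC"),
    ("digest", "sha1", "SHA-1 MAC"),
    ("kea", "kx-rsa", "static RSA key exchange (no forward secrecy)"),
    ("auth", "auth-null", "anonymous key exchange (no authentication)"),
)

def expand(cipher_string):
    """Return the TLS <= 1.2 suites the string selects, in server preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if no suite matches
    # TLS 1.3 suites are fixed by OpenSSL and are not governed by ssl_ciphers
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def audit(cipher_string):
    """Return (suite_names, findings); findings are (suite_name, reason) pairs."""
    suites = expand(cipher_string)
    findings = []
    for s in suites:
        for key, needle, reason in WEAK_RULES:
            if needle in (s.get(key) or "").lower():
                findings.append((s["name"], reason))
    return [s["name"] for s in suites], findings

if __name__ == "__main__":
    # Constructed candidates: a compact forward-secret list of the kind recommended
    # above, versus one padded with legacy CBC / 3DES / static-RSA suites.
    CANDIDATES = {
        "compact": "EECDH+AESGCM:EECDH+CHACHA20:EDH+AESGCM:!aNULL:!PSK",
        "legacy": "EECDH+AESGCM:EECDH+AES128:AES128-SHA:DES-CBC3-SHA:!aNULL",
    }
    for label, cs in CANDIDATES.items():
        names, findings = audit(cs)
        print(f"{label}: {len(names)} suites, {len(findings)} findings")
        for name, reason in findings:
            print(f"  {name}: {reason}")
```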
 
@Lloyd_mcse and @danami,

I will send you both a PM, with respect to the topic of cipher suites.

Hopefully that can lead to some improvements in the default settings of Nginx, since they are really open to discussion (quite an understatement).

Regards.....
 
Followed both @Lloyd_mcse's and @trialotto's instructions.

But still not able to browse any HTTPS content on my Android Phone v4.4.4.

Code:
#/usr/local/psa/bin/http2_pref enable

Code:
# /usr/local/psa/admin/bin/pci_compliance_resolver --enable all
Ciphers and protocols were not changed for 'nginx' because of custom configuration is used.

SUCCESS: Server preferences are successfully updated
WARNING:Ignoring unsuppored protocol
/etc/courier-imap/imapd-ssl: line 218: TLSv1.1: command not found
/etc/courier-imap/imapd-ssl: line 218: TLSv1.1: command not found
/etc/courier-imap/imapd-ssl: line 218: TLSv1.1: command not found
/etc/courier-imap/imapd-ssl: line 218: TLSv1.1: command not found
/etc/courier-imap/imapd-ssl: line 218: TLSv1.1: command not found
/etc/courier-imap/imapd-ssl: line 218: TLSv1.1: command not found
/etc/courier-imap/imapd-ssl: line 218: TLSv1.1: command not found
/etc/courier-imap/imapd-ssl: line 218: TLSv1.1: command not found
/etc/courier-imap/imapd-ssl: line 218: TLSv1.1: command not found
/etc/courier-imap/imapd-ssl: line 218: TLSv1.1: command not found
/etc/courier-imap/imapd-ssl: line 218: TLSv1.1: command not found
/etc/courier-imap/imapd-ssl: line 218: TLSv1.1: command not found
/etc/courier-imap/pop3d-ssl: line 343: TLSv1.1: command not found
/etc/courier-imap/pop3d-ssl: line 343: TLSv1.1: command not found
/etc/courier-imap/pop3d-ssl: line 343: TLSv1.1: command not found
/etc/courier-imap/pop3d-ssl: line 343: TLSv1.1: command not found
/etc/courier-imap/pop3d-ssl: line 343: TLSv1.1: command not found
/etc/courier-imap/pop3d-ssl: line 343: TLSv1.1: command not found
/etc/courier-imap/pop3d-ssl: line 343: TLSv1.1: command not found
/etc/courier-imap/pop3d-ssl: line 343: TLSv1.1: command not found
/etc/courier-imap/pop3d-ssl: line 343: TLSv1.1: command not found
/etc/courier-imap/pop3d-ssl: line 343: TLSv1.1: command not found
/etc/courier-imap/pop3d-ssl: line 343: TLSv1.1: command not found
/etc/courier-imap/pop3d-ssl: line 343: TLSv1.1: command not found
 
@PriyanA

Note that Courier (IMAP) is not affected by Nginx or any changes of Nginx settings, including the case in which HTTP/2 support is activated for Nginx.

At least, as far as I know.

So, what you should do is

a) have a look at the files /etc/courier-imap/pop3d-ssl and /etc/courier-imap/imapd-ssl, (and)

b) look for the variable TLS_PROTOCOL and verify that TLS_PROTOCOL=TLSv1+

and that should suffice.

If you still have any problems, just have a look at the variable TLS_CIPHER_LIST and report the cipher suite that is used over there.

Regards.....
 
Thank you for your reply @trialotto

At the moment what worries me is not being able to browse any HTTPS content on my Android Phone (Android v4.4.4) with its default browser.

I tried,
Code:
ssl_ciphers                      EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!SEED:!DSS:!CAMELLIA;

Still not working.

How can I troubleshoot this issue?

It was working before and as I remember DH Key was enabled on the server. Not sure what really happened. I'm sure I was able to browse HTTPS content after enabling HTTP2

with

Code:
/usr/local/psa/bin/http2_pref enable
 
@PriyanA

Try the following

TLS_CIPHER_LIST="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"

as per KB123160.

Just let me know, I will take you through a number of steps to establish the root cause of the problem.

Please note that it is in the nightly hours over here, so I can only respond tomorrow (evening), when I again spend some time on the forum.

Regards....
 
Try this one, it is better:

Code:
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;

after you generate the dhparam file with this command:
Code:
# Generates the DH group referenced by ssl_dhparam below; 2048 bits is assumed (the original post did not give a size)
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

then add this too in ssl.conf:
Code:
ssl_dhparam /etc/ssl/certs/dhparam.pem;

The final result after adding dhparam:
Code:
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
 
Can anyone post me the new contents of ssl_ciphers after the update, please?

# cat /etc/nginx/conf.d/ssl.conf
ssl_ciphers EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:CHACHA20:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
 
I now get an A+ :)

(Attachment: 21083-bildschirmfoto-2016-04-29-um-19-55-05-png)
 