nginx ciphers are way over my head, but after running an SSL Labs test I got an A but noticed IE 11 / Win 8.1 and similar were failing to negotiate a handshake. I fired up BrowserStack, started a Windows 8.1 VM, opened IE11 and tried accessing my site. Sure enough, the server couldn't connect.

I ran WordOps.net through the SSL Labs test and noticed it wasn't experiencing any problems. So I started doing some digging. I stumbled across https://dawnbringer.net/blog/1083/TLS_All_The_Things!_Perfect_ssl-labs_score_for_Nginx and took notice of their cipher suites for nginx:

    # Cipher Support-block
    # Support for most browsers and systems but including some CBC-weak ciphers
    # openssl ciphers  'EECDH+AESGCM:EDH+AESGCM:!DH:!RSA:!AES128'
    ssl_ciphers                TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS_AES_256_GCM_SHA384:TLS-AES-256-GCM-SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA;

    # Use this for non-CBC (no "weak" ciphers)
    #ssl_ciphers               TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS_AES_256_GCM_SHA384:TLS-AES-256-GCM-SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

    # openssl ciphers  'EECDH+AESGCM:EDH+AESGCM:!DHE:!AES128'
    #ssl_ciphers               TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384

The ssl_ciphers configured on my server was the default from WordOps, which is ssl_ciphers 'TLS13+AESGCM+AES256:TLS13+AESGCM+AES128:TLS13+CHACHA20:EECDH+AESGCM:EECDH+CHACHA20'; from https://github.com/WordOps/WordOps/blob/01ee8c0a13b19dede9c6931fe15cc72596dc4275/wo/cli/templates/nginx-core.mustache#L62

After updating the ssl_ciphers value I re-ran the SSL Labs test and got an A+, and it showed IE11 on Windows 7 and Windows 8.1 could negotiate a handshake and connect.

I just wanted to mention this for others in case they needed to support older operating systems + browser combinations to ensure a broad range of support for their sites.
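To see what the change actually added, the two cipher strings from the post can be expanded with the local OpenSSL through Python's ssl module and compared. This is an added example, not part of the original thread; the function names are made up for illustration, and the output depends on the OpenSSL build Python is linked against.

```python
import ssl

# Both strings are copied verbatim from the post above.
WORDOPS_DEFAULT = ("TLS13+AESGCM+AES256:TLS13+AESGCM+AES128:TLS13+CHACHA20:"
                   "EECDH+AESGCM:EECDH+CHACHA20")
NEW_LIST = ("TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:"
            "TLS_AES_256_GCM_SHA384:TLS-AES-256-GCM-SHA384:"
            "TLS_CHACHA20_POLY1305_SHA256:TLS-CHACHA20-POLY1305-SHA256:"
            "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:"
            "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
            "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-SHA384:"
            "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA")


def expand(cipher_string):
    """Return {suite name: is_aead} for the TLS 1.2-and-older suites that
    the local OpenSSL enables for this cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Tokens OpenSSL does not recognise are skipped; set_ciphers only
    # raises if nothing at all could be selected.
    ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites are filtered out: OpenSSL reports them regardless of
    # this string, so they say nothing about the difference between lists.
    return {c["name"]: c["aead"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"}


def added_suites(old, new):
    """Suites enabled by `new` but not by `old`, mapped to their AEAD flag."""
    old_suites, new_suites = expand(old), expand(new)
    return {name: aead for name, aead in new_suites.items()
            if name not in old_suites}


if __name__ == "__main__":
    print("WordOps default enables:")
    for name, aead in expand(WORDOPS_DEFAULT).items():
        print(f"  {name:32} {'AEAD' if aead else 'non-AEAD (CBC)'}")
    print("Added by the new list:")
    for name, aead in added_suites(WORDOPS_DEFAULT, NEW_LIST).items():
        print(f"  {name:32} {'AEAD' if aead else 'non-AEAD (CBC)'}")
```

Every suite the new list adds is a CBC one, which is what the "including some CBC-weak ciphers" comment in the quoted block refers to.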

So now you use ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS_AES_256_GCM_SHA384:TLS-AES-256-GCM-SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA;?
