nginx ciphers are way over my head, but after running an SSL Labs test I got an A but noticed IE 11 / Win 8.1 and similar were failing to negotiate a handshake. I fired up BrowserStack, started a Windows 8.1 VM, opened IE11 and tried accessing my site. Sure enough the server couldn't connect.
I ran WordOps.net through the SSL Labs test and noticed it wasn't experiencing any problems. So I started doing some digging. I stumbled across https://dawnbringer.net/blog/1083/TLS_All_The_Things!_Perfect_ssl-labs_score_for_Nginx and took notice of their cipher suites for nginx:
# Cipher Support-block
# Support for most browsers and systems but including some CBC-weak ciphers
# openssl ciphers 'EECDH+AESGCM:EDH+AESGCM:!DH:!RSA:!AES128'
ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS_AES_256_GCM_SHA384:TLS-AES-256-GCM-SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA;
# Use this for non-CBC (no "weak" ciphers)
#ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS_AES_256_GCM_SHA384:TLS-AES-256-GCM-SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
# openssl ciphers 'EECDH+AESGCM:EDH+AESGCM:!DHE:!AES128'
#ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
The ssl_ciphers configured on my server was the default from WordOps, which is ssl_ciphers 'TLS13+AESGCM+AES256:TLS13+AESGCM+AES128:TLS13+CHACHA20:EECDH+AESGCM:EECDH+CHACHA20'; from https://github.com/WordOps/WordOps/blob/01ee8c0a13b19dede9c6931fe15cc72596dc4275/wo/cli/templates/nginx-core.mustache#L62
After updating the ssl_ciphers value I re-ran the SSL Labs test and got an A+, and it showed IE11 on Windows 7 and Windows 8.1 could negotiate a handshake and connect.
I just wanted to mention this for others in case they needed to support older operating systems + browser combinations to ensure a broad range of support for their sites.
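A way to check this kind of overlap offline before redeploying, added here as an example (it is not from the post, WordOps or the linked blog): it expands an ssl_ciphers value with the local OpenSSL and intersects it with a client's offered suites. The IE 11 / Windows 8.1 list, the RSA-certificate default and all function names are assumptions for illustration.

```python
import ssl

# Constructed, abridged approximation of the TLS 1.2 suites IE 11 on Windows 8.1
# offers, in OpenSSL naming. Assumption: replace it with the list shown for the
# client in your own SSL Labs report.
IE11_WIN81_OFFER = [
    "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES128-SHA",
    "DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES128-GCM-SHA256",
    "AES256-GCM-SHA384", "AES128-GCM-SHA256", "AES256-SHA", "AES128-SHA",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-SHA384", "ECDHE-ECDSA-AES128-SHA256",
]

# The two ssl_ciphers values quoted in the post (first one shortened to the
# entries a stock OpenSSL recognises plus one of the unknown TLS13 tokens).
WORDOPS_DEFAULT = ("TLS13+AESGCM+AES256:TLS13+AESGCM+AES128:TLS13+CHACHA20:"
                   "EECDH+AESGCM:EECDH+CHACHA20")
UPDATED = ("TLS13-AES-256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
           "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:"
           "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:"
           "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA")

def expand(cipher_string):
    """Expand an ssl_ciphers value the way the local OpenSSL build does."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # tokens OpenSSL does not know are skipped
    return [c["name"] for c in ctx.get_ciphers()]

def usable(name, cert_key):
    """Name-based filter: ECDSA suites need an ECDSA certificate, the rest RSA."""
    is_ecdsa = "-ECDSA-" in name
    return is_ecdsa if cert_key == "ecdsa" else not is_ecdsa

def shared_suites(cipher_string, cert_key="rsa", client_offer=IE11_WIN81_OFFER):
    """Suites both sides could pick; an empty list means the handshake fails."""
    server = [n for n in expand(cipher_string) if usable(n, cert_key)]
    return [n for n in server if n in client_offer]

if __name__ == "__main__":
    for label, value in (("WordOps default", WORDOPS_DEFAULT), ("updated", UPDATED)):
        print(label, "->", shared_suites(value) or "no shared suite")
```

The result reflects the OpenSSL that Python is linked against, which can differ from the one nginx uses on the server.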