Tags: nginx, twilio, nginx-config

How to choose the right ciphers for NGINX config


I'm new to nginx and I just recently decided to make a change to the config file to redirect my applications from http to https using the return statement return 301 https://$host$request_uri;. This all worked fine until I noticed that we weren't receiving text messages via Twilio API. I decided to debug the issue and found that I was receiving an SSL/TLS Handshake Error.

Looking into the debugger I saw that they gave this as the possible cause of the issue:

Incompatible cipher suites in use by the client and the server. This would require the client to use (or enable) a cipher suite that is supported by the server.

Looking at the nginx config file, I noticed that there are no ciphers being used, which is probably the root of the problem, and not that TLS isn't enabled, judging from the config below:

server {
    listen      443 ssl http2 default_server;
    listen      [::]:443 ssl http2 default_server;
    server_name localhost;

    ssl_certificate     "/etc/nginx/ssl/domain-crt.txt";
    ssl_certificate_key "/etc/nginx/ssl/domain-key.txt";
    ssl_protocols       SSLv3 TLSv1 TLSv1.1 TLSv1.2;

    ## More configuration below this...
}

Twilio has a list of supported ciphers which can be found here, but I'm not sure how to do this within my config file. Am I supposed to use all of them, since my protocols include TLSv1, TLSv1.1, and TLSv1.2? Or do I only use one of those in the list? I'm really confused as to what I need to have set in my ssl_ciphers variable.

Also I read that having SSLv3 enabled in ssl_protocols is a bad idea. Can I just remove that from the ssl_protocols and save the config without it causing major issues?

If anyone could help me answer these questions, that would be very helpful. Thank You!


Solution

  • Ciphers are used by default, and Nginx configures them by version.

    In version 1.0.5 and later, the default SSL ciphers are HIGH:!aNULL:!MD5. In versions 0.7.65 and 0.8.20 and later, the default SSL ciphers are HIGH:!ADH:!MD5. From version 0.8.19 the default SSL ciphers are ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM. From version 0.7.64, 0.8.18 and earlier the default SSL ciphers are ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP. See Nginx Docs for more information.

    But you can also be explicit and choose the ciphers you want to allow using ssl_ciphers "cipher1 cipher2 ... cipherN";. For example, ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256"; supports only this specific cipher suite. Regarding:

    Also I read that having SSLv3 enabled in ssl_protocols is a bad idea. Can I just remove that from the ssl_protocols and save the config without it causing major issues?

    The only major issue it can cause is that a client using SSLv3 trying to connect to your server will get rejected, since it is not accepted by your server (not supported by the config file). In any case, it's the Nginx default in some versions and shouldn't be the problem.

    From Nginx Docs:

    From versions 0.7.65 and 0.8.19 and later, the default SSL protocols are SSLv3, TLSv1, TLSv1.1, and TLSv1.2 (if supported by the OpenSSL library).
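
As an added illustration, not part of the original answer, here is the questioner's server block with its weak settings beside a hardened version that sets ssl_protocols and ssl_ciphers explicitly, plus the port-80 redirect server the question mentions. The certificate paths are the questioner's; the cipher names are standard OpenSSL suite names chosen here as an assumption for illustration, not Twilio's published list, so keep only the suites that also appear in the list Twilio publishes. The server_name example.com is a placeholder.

```nginx
# Added example, not code from the original post. Certificate paths are the
# questioner's; the cipher list and the host name are illustrative assumptions.

# --- BEFORE: the questioner's block ---------------------------------------
# SSLv3 is obsolete (POODLE) and TLSv1/TLSv1.1 are deprecated. With no
# ssl_ciphers line, nginx uses its built-in default list for that version
# (HIGH:!aNULL:!MD5 on nginx 1.0.5 and later).
server {
    listen      443 ssl http2 default_server;
    listen      [::]:443 ssl http2 default_server;
    server_name localhost;

    ssl_certificate     "/etc/nginx/ssl/domain-crt.txt";
    ssl_certificate_key "/etc/nginx/ssl/domain-key.txt";
    ssl_protocols       SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}

# --- AFTER: explicit protocols and ciphers ----------------------------------
server {
    listen      80 default_server;
    listen      [::]:80 default_server;
    server_name example.com;   # assumption: replace with your real host name

    # The redirect from the question: plain-HTTP clients land here and are
    # sent to the TLS server block below.
    return 301 https://$host$request_uri;
}

server {
    listen      443 ssl http2 default_server;
    listen      [::]:443 ssl http2 default_server;
    server_name example.com;   # assumption

    ssl_certificate     "/etc/nginx/ssl/domain-crt.txt";
    ssl_certificate_key "/etc/nginx/ssl/domain-key.txt";

    # Drop SSLv3, TLSv1 and TLSv1.1. TLSv1.3 needs nginx 1.13.0+ built against
    # OpenSSL 1.1.1+; remove it from this line if your build is older.
    ssl_protocols TLSv1.2 TLSv1.3;

    # OpenSSL cipher-list syntax: suites separated by colons, evaluated in
    # order. All of these are AEAD suites with forward secrecy (ECDHE).
    # This is an assumed modern list, NOT Twilio's list: intersect it with
    # the suites Twilio supports before deploying. ssl_ciphers only governs
    # TLS 1.2 and earlier; TLS 1.3 suites are fixed by the OpenSSL build.
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";

    # Let the server's order win over the client's stated preference.
    ssl_prefer_server_ciphers on;

    ## More configuration below this...
}
```

Validate with nginx -t before reloading. To see exactly which suites a cipher string expands to on your OpenSSL build, run openssl ciphers -v 'STRING'; to confirm what a client can actually negotiate against the server, use openssl s_client -connect host:443 -tls1_2. The space-separated form in the answer above also works, because OpenSSL accepts spaces, commas, or colons as separators, but colons are the documented convention.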