devad
July 17, 2018, 6:52am
1
Hi,
I have a problem with a specific domain when I turn the Let’s Encrypt certificate on. I can reach the website in Safari but not in Chrome. The following message appears: ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY.
My domain is: https://wimcon.se/
I ran this command: sudo ee site update www.wimcon.se --letsencrypt=on
It produced this output: ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY
My web server is (include version): Ubuntu 16.04 LTS Linux, Nginx.
The operating system my web server runs on is (include version): Linux
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Wordpress
Thanks!
_az
July 17, 2018, 7:01am
2
https://tools.ietf.org/html/rfc7540#appendix-A
Check your nginx configuration for ciphersuites (ssl_ciphers) from that list, and remove them. Specifically your server seems to advertise support for:
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
If your nginx is not configured with any ciphersuites, use https://mozilla.github.io/server-side-tls/ssl-config-generator/ to configure them.
Edit: The nginx versions of those ciphers are:
AES256-GCM-SHA384
AES128-SHA
so look for those.
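An added example, not from the original thread, that performs the check above mechanically instead of by eye. It expands an nginx ssl_ciphers value through the local OpenSSL (via Python's ssl module, so keywords such as kEDH+AESGCM, AES, CAMELLIA and !aNULL resolve exactly as nginx resolves them), then applies the rule that RFC 7540 Appendix A states its list was built from: any suite that lacks an ephemeral (EC)DHE key exchange or is not an AEAD cipher is on the black list. It also exposes a trap in the configuration posted later in the thread: OpenSSL's ECDH alias covers ephemeral ECDHE as well, so a trailing !ECDH removes every ECDHE suite and leaves only static-RSA ones for the browser to pick. The sample cipher strings are constructed for the demonstration; PSK key exchanges are not treated as ephemeral here (an assumption, since they do not appear in the thread).

```python
import ssl

# RFC 7540 Appendix A: the black list is the set of registered suites that
# either have no ephemeral key exchange or use the TLS null, stream or block
# cipher types (i.e. are not AEAD). Chrome reports a server that negotiates
# one of them as ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY.
# Key-exchange long names as exposed by SSLContext.get_ciphers(); PSK
# variants are deliberately left out (assumption: not needed for nginx + LE).
EPHEMERAL_KX = {"kx-ecdhe", "kx-dhe"}


def is_h2_blacklisted(cipher):
    """Apply the Appendix A rule to one entry from SSLContext.get_ciphers().

    Only the 'kea' (key exchange) and 'aead' keys are consulted, so a plain
    dict carrying those two keys is enough to exercise the rule.
    """
    return cipher["kea"] not in EPHEMERAL_KX or not cipher["aead"]


def expand_cipher_string(openssl_ciphers):
    """Expand an nginx ssl_ciphers value into the concrete suites the local
    OpenSSL would offer, in server preference order.

    TLS 1.3 suites are always enabled by OpenSSL and are not controlled by
    ssl_ciphers, so they are dropped; everything else (protocol strings
    'TLSv1.2' and the older 'SSLv3' for SHA-1 CBC suites) is kept.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(openssl_ciphers)  # raises ssl.SSLError if nothing matches
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def check_nginx_ciphers(openssl_ciphers):
    """Split an ssl_ciphers value into HTTP/2-clean and black-listed suites,
    each list in the order the server would prefer them."""
    allowed, blacklisted = [], []
    for c in expand_cipher_string(openssl_ciphers):
        (blacklisted if is_h2_blacklisted(c) else allowed).append(c["name"])
    return {"allowed": allowed, "blacklisted": blacklisted}


def h2_safe_cipher_string(openssl_ciphers):
    """Return the same list with black-listed suites removed, order preserved,
    ready to paste into an ssl_ciphers directive."""
    return ":".join(check_nginx_ciphers(openssl_ciphers)["allowed"])


if __name__ == "__main__":
    # Constructed input: two clean suites plus the two that _az named.
    sample = ("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:"
              "AES256-GCM-SHA384:AES128-SHA")
    result = check_nginx_ciphers(sample)
    for name in result["blacklisted"]:
        print("black-listed by RFC 7540 Appendix A:", name)
    print("ssl_ciphers", h2_safe_cipher_string(sample) + ";")

    # Constructed input showing the !ECDH trap: nothing HTTP/2-clean survives.
    trap = "ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:!ECDH"
    print("allowed after !ECDH:", check_nginx_ciphers(trap)["allowed"])
```

What the browser judges is the suite that is actually negotiated, not the mere presence of a black-listed suite in the list; with ssl_prefer_server_ciphers on, the first entry of the "allowed" list that the client also supports is the one that wins. After editing nginx.conf, run sudo nginx -t before reloading so a typo in the cipher string cannot take the site down.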
devad
July 17, 2018, 7:08am
3
Thanks for a quick reply. Which command should I use to configure the ciphersuites?
_az
July 17, 2018, 7:09am
4
What’s this show:
sudo grep -R -A1 -B1 -i "ssl_ciphers" /etc/nginx/
devad
July 17, 2018, 7:13am
5
Thanks again. I get the following:
/etc/nginx/nginx.conf- ssl_prefer_server_ciphers on;
/etc/nginx/nginx.conf: ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHADHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!ECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
/etc/nginx/nginx.conf- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
/etc/nginx/sites-available/default- # ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don’t use SSLv3 ref: POODLE
/etc/nginx/sites-available/default: # ssl_ciphers HIGH:!aNULL:!MD5;
/etc/nginx/sites-available/default- # ssl_prefer_server_ciphers on;
/etc/nginx/sites-enabled/default- # ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don’t use SSLv3 ref: POODLE
/etc/nginx/sites-enabled/default: # ssl_ciphers HIGH:!aNULL:!MD5;
/etc/nginx/sites-enabled/default- # ssl_prefer_server_ciphers on;
_az
July 17, 2018, 7:16am
6
Replace that line with
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
then restart nginx.
devad
July 17, 2018, 7:18am
7
Which command should I use to replace the line?
_az
July 17, 2018, 7:25am
8
Use a text editor. If you don’t know how to use a text editor, then you can try this all-in-one:
sed -i 's/ssl_ciphers E.*/ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:\!DSS";/' /etc/nginx/nginx.conf
but I can’t guarantee it’ll do exactly the right thing to your files.
devad
July 17, 2018, 7:28am
9
I can use a text editor. But where should I replace the line? I use the terminal, and I can’t change anything without a config command?
_az
July 17, 2018, 7:33am
10
Open /etc/nginx/nginx.conf
in a text editor, find the existing line that starts with ssl_ciphers E
…, replace it with line I suggested, save the file.
_az
July 17, 2018, 7:40am
12
Whatever you want. There are terminal-based text editors like nano and vi, which is what most people do, but FTP is a fine method too.
devad
July 17, 2018, 8:24am
13
I have edited the file now:
/etc/nginx/nginx.conf- ssl_prefer_server_ciphers on;
/etc/nginx/nginx.conf: ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
/etc/nginx/nginx.conf-
/etc/nginx/sites-available/default- # ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don’t use SSLv3 ref: POODLE
/etc/nginx/sites-available/default: # ssl_ciphers HIGH:!aNULL:!MD5;
/etc/nginx/sites-available/default- # ssl_prefer_server_ciphers on;
/etc/nginx/sites-enabled/default- # ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don’t use SSLv3 ref: POODLE
/etc/nginx/sites-enabled/default: # ssl_ciphers HIGH:!aNULL:!MD5;
/etc/nginx/sites-enabled/default- # ssl_prefer_server_ciphers on;
But it’s still not working. Could it have anything to do with this: https://www.ssllabs.com/ssltest/analyze.html?d=www.wimcon.se
_az
July 17, 2018, 8:37am
14
Did you remember to restart nginx after modifying the file?
Not only Chrome: Firefox also doesn’t allow a visit. IE11 and Edge are showing the page and accept the weak cipher suites.
Good to know, thanks for this information.
devad
July 17, 2018, 9:24am
16
Voila! Now it works. Can I use the ciphers on all servers or is this unique for just this domain? I have the same setup on other servers.
Thanks so much for your patience and help!
Cipher Suites are universal. You can use the same set everywhere.
But now you have some mixed content warnings to fix. In Firefox or Chrome, press Ctrl + Shift + I, then select the console.
There are addresses like
http://www.wimcon.se/wp-content/uploads/2018/ ...
you should change these to https
devad
July 17, 2018, 9:31am
18
Yes, I know. I will fix those. Thanks for the heads-up anyway!
devad
July 17, 2018, 11:55am
19
One last question. Can you delete those Cipher Suites that are weak? See attached image.
Thanks again!
_az
July 17, 2018, 12:14pm
20
You may have been looking at cached test results. Your domain's results look more like this:
The weak ciphersuites are actually not a problem, as long as they’re at the bottom of the list. If you want to get rid of them, you can find which OpenSSL names the weak ciphersuites from the Qualys SSL Labs test correspond to on https://www.openssl.org/docs/man1.0.2/apps/ciphers.html , and then remove them from your string. However, it’s not a great idea if you don’t know what you’re doing, and not really necessary.
You can also use the "modern" nginx configuration from Mozilla’s SSL config generator (https://ssl-config.mozilla.org/), which will have fewer "weak" ciphersuites. But this will reduce compatibility with older devices and operating systems.