
server cipher order not being obeyed by browser?

Question asked by _ck_ on Sep 10, 2013
Latest reply on Sep 11, 2013 by Ivan Ristić

Perhaps I am misunderstanding how the sequence of events and decision is made, but I have a browser, Firefox 23 under Windows XP, that is not obeying the server preferred cipher order when that option is clearly set (in Nginx). Instead of picking c0,09 the browser is going to c0,07 or a lesser RC4 cipher. I still have to figure out exactly which RC4

server cipher order (trimmed)

c0,2b  ECDHE-ECDSA-AES128-GCM-SHA256
c0,2f  ECDHE-RSA-AES128-GCM-SHA256
c0,23  ECDHE-ECDSA-AES128-SHA256
c0,27  ECDHE-RSA-AES128-SHA256
c0,09  ECDHE-ECDSA-AES128-SHA   <<<---
c0,07  ECDHE-ECDSA-RC4-SHA
c0,11  ECDHE-RSA-RC4-SHA
c0,02  ECDH-ECDSA-RC4-SHA
c0,0c  ECDH-RSA-RC4-SHA
c0,13  ECDHE-RSA-AES128-SHA
00,05  RC4-SHA

browser cipher order (trimmed)

c0,07 ECDHE-ECDSA-RC4-SHA
c0,09 ECDHE-ECDSA-AES128-SHA     <<<---
c0,11 ECDHE-RSA-RC4-SHA
c0,13 ECDHE-RSA-AES128-SHA
00,33 DHE-RSA-AES128-SHA
00,32 DHE-DSS-AES128-SHA
c0,0c ECDH-RSA-RC4-SHA
c0,0e ECDH-RSA-AES128-SHA
c0,02 ECDH-ECDSA-RC4-SHA
c0,04 ECDH-ECDSA-AES128-SHA
00,05 RSA-RC4-SHA
00,04 RSA-RC4-MD5
00,2f RSA-AES128-SHA

ssl_prefer_server_ciphers is clearly on - what am I missing here? Why is RC4 used?

Thanks for any suggestions.

About to try using Wireshark to figure out the exact RC4 cipher used since Firefox doesn't show that.
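A small model of how a TLS server chooses a cipher suite, run over the two lists quoted in the question, shows what the server should select in each mode: walking its own list when server preference is on, or the client's list when it is off. This is an added example written for this page, not code from the post, from Nginx or from OpenSSL; the two suite lists are copied from the post, and suites are matched by their two-byte id because the server side (OpenSSL naming) and the browser side (NSS naming) print different names for the same suite 00,05.

```python
"""Model of TLS cipher-suite selection under server vs. client preference.

Added example for this thread; not code from the original post, Nginx or
OpenSSL. The two ordered lists are the (trimmed) lists quoted in the post.
"""

# Server's preferred order, most preferred first (copied from the post).
SERVER_ORDER = [
    ("c0,2b", "ECDHE-ECDSA-AES128-GCM-SHA256"),
    ("c0,2f", "ECDHE-RSA-AES128-GCM-SHA256"),
    ("c0,23", "ECDHE-ECDSA-AES128-SHA256"),
    ("c0,27", "ECDHE-RSA-AES128-SHA256"),
    ("c0,09", "ECDHE-ECDSA-AES128-SHA"),
    ("c0,07", "ECDHE-ECDSA-RC4-SHA"),
    ("c0,11", "ECDHE-RSA-RC4-SHA"),
    ("c0,02", "ECDH-ECDSA-RC4-SHA"),
    ("c0,0c", "ECDH-RSA-RC4-SHA"),
    ("c0,13", "ECDHE-RSA-AES128-SHA"),
    ("00,05", "RC4-SHA"),
]

# Browser's ClientHello order, most preferred first (copied from the post).
CLIENT_ORDER = [
    ("c0,07", "ECDHE-ECDSA-RC4-SHA"),
    ("c0,09", "ECDHE-ECDSA-AES128-SHA"),
    ("c0,11", "ECDHE-RSA-RC4-SHA"),
    ("c0,13", "ECDHE-RSA-AES128-SHA"),
    ("00,33", "DHE-RSA-AES128-SHA"),
    ("00,32", "DHE-DSS-AES128-SHA"),
    ("c0,0c", "ECDH-RSA-RC4-SHA"),
    ("c0,0e", "ECDH-RSA-AES128-SHA"),
    ("c0,02", "ECDH-ECDSA-RC4-SHA"),
    ("c0,04", "ECDH-ECDSA-AES128-SHA"),
    ("00,05", "RSA-RC4-SHA"),
    ("00,04", "RSA-RC4-MD5"),
    ("00,2f", "RSA-AES128-SHA"),
]


def negotiate(server_order, client_order, prefer_server=True):
    """Return the (id, name) the server selects, or None if nothing overlaps.

    prefer_server=True models Nginx with ssl_prefer_server_ciphers on: the
    server walks its own list and takes the first suite the client offered.
    prefer_server=False models the default behaviour: the server walks the
    client's list and takes the first suite it supports itself.
    Matching is done on the two-byte suite id, never on the printed name.
    """
    server_ids = {sid for sid, _ in server_order}
    client_ids = {cid for cid, _ in client_order}
    if prefer_server:
        chooser, offered = server_order, client_ids
    else:
        chooser, offered = client_order, server_ids
    for sid, name in chooser:
        if sid in offered:
            return sid, name
    return None


def common_suites(server_order, client_order):
    """All mutually supported suites, in the server's order of preference."""
    client_ids = {cid for cid, _ in client_order}
    return [(sid, name) for sid, name in server_order if sid in client_ids]


def uses_rc4(suite):
    """True when the selected suite (an (id, name) pair) is an RC4 suite."""
    return suite is not None and "RC4" in suite[1]


if __name__ == "__main__":
    for mode in (True, False):
        pick = negotiate(SERVER_ORDER, CLIENT_ORDER, prefer_server=mode)
        label = "server preference" if mode else "client preference"
        print(f"{label}: {pick}  rc4={uses_rc4(pick)}")
    print("candidates in server order:", common_suites(SERVER_ORDER, CLIENT_ORDER))
```

Running it selects c0,09 (ECDHE-ECDSA-AES128-SHA) under server preference and c0,07 (ECDHE-ECDSA-RC4-SHA) under client preference, so an RC4 suite appearing on the wire is the result you would expect if the server were following the client's order rather than its own. Comparing the actual ServerHello suite against the `common_suites` list for the captured ClientHello is a quick way to tell which order the server really applied.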
