Perhaps I am misunderstanding how the sequence of events and decision is made, but I have a browser, Firefox 23 under Windows XP, that is not obeying the server preferred cipher order when that option is clearly set (in Nginx). Instead of picking c0,09 - the browser is going to c0,07 or a lesser RC4 cipher. I still have to figure out exactly which RC4

**server cipher order (trimmed)**

c0,2b ECDHE-ECDSA-AES128-GCM-SHA256

c0,2f ECDHE-RSA-AES128-GCM-SHA256

c0,23 ECDHE-ECDSA-AES128-SHA256

c0,27 ECDHE-RSA-AES128-SHA256

c0,09 ECDHE-ECDSA-AES128-SHA <<<---

c0,07 ECDHE-ECDSA-RC4-SHA

c0,11 ECDHE-RSA-RC4-SHA

c0,02 ECDH-ECDSA-RC4-SHA

c0,0c ECDH-RSA-RC4-SHA

c0,13 ECDHE-RSA-AES128-SHA

00,05 RC4-SHA

**browser cipher order (trimmed)**

c0,07 ECDHE-ECDSA-RC4-SHA

c0,09 ECDHE-ECDSA-AES128-SHA <<<---

c0,11 ECDHE-RSA-RC4-SHA

c0,13 ECDHE-RSA-AES128-SHA

00,33 DHE-RSA-AES128-SHA

00,32 DHE-DSS-AES128-SHA

c0,0c ECDH-RSA-RC4-SHA

c0,0e ECDH-RSA-AES128-SHA

c0,02 ECDH-ECDSA-RC4-SHA

c0,04 ECDH-ECDSA-AES128-SHA

00,05 RSA-RC4-SHA

00,04 RSA-RC4-MD5

00,2f RSA-AES128-SHA

**ssl_prefer_server_ciphers** is clearly on - what am I missing here? Why is RC4 used?

Thanks for any suggestions.

About to try using Wireshark to figure out the exact RC4 cipher used since Firefox doesn't show that.

The problem is that ECDHE-ECDSA-AES128-SHA works only with an ECDSA key, which you probably don't have. Looking at enabled cipher suites using OpenSSL can be deceptive. I suggest that you examine your server with the SSL Labs test. That will tell you what is really enabled.
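
The point made in the answer, as an added example that is not part of the original posts: a server that prefers its own order still skips every suite its certificate key cannot serve. This is a simplified model of the selection; suites are matched by ID because the two lists name 00,05 differently, and the server key types passed in are assumptions.

```python
# Added illustration: simplified model of how a TLS server picks a suite.
# Suite IDs and names are copied from the question; key types are assumed.
SERVER_ORDER = [
    ("c0,2b", "ECDHE-ECDSA-AES128-GCM-SHA256"),
    ("c0,2f", "ECDHE-RSA-AES128-GCM-SHA256"),
    ("c0,23", "ECDHE-ECDSA-AES128-SHA256"),
    ("c0,27", "ECDHE-RSA-AES128-SHA256"),
    ("c0,09", "ECDHE-ECDSA-AES128-SHA"),
    ("c0,07", "ECDHE-ECDSA-RC4-SHA"),
    ("c0,11", "ECDHE-RSA-RC4-SHA"),
    ("c0,02", "ECDH-ECDSA-RC4-SHA"),
    ("c0,0c", "ECDH-RSA-RC4-SHA"),
    ("c0,13", "ECDHE-RSA-AES128-SHA"),
    ("00,05", "RC4-SHA"),
]
# Suite IDs offered by the browser, in the order listed in the question.
CLIENT_OFFER = ["c0,07", "c0,09", "c0,11", "c0,13", "00,33", "00,32", "c0,0c",
                "c0,0e", "c0,02", "c0,04", "00,05", "00,04", "00,2f"]


def required_key(name):
    """Key type the server certificate must hold for a suite in SERVER_ORDER."""
    if name.startswith("ECDHE-ECDSA-"):
        return "EC"   # what the answer calls an ECDSA key
    if name.startswith("ECDH-"):
        return "EC"   # static ECDH also needs an EC key in the certificate
    return "RSA"      # ECDHE-RSA and plain RSA key exchange


def select_suite(server_keys, server_order=SERVER_ORDER, offered=CLIENT_OFFER):
    """Walk the server's order; return the first suite that the client
    offered AND that one of the server's certificate keys can serve."""
    for suite_id, name in server_order:
        if suite_id in offered and required_key(name) in server_keys:
            return suite_id, name
    return None  # no common usable suite: the handshake would fail


if __name__ == "__main__":
    for keys in ({"RSA"}, {"EC"}):
        print(sorted(keys), "->", select_suite(keys))
```

In this model an RSA-only key makes c0,11 ECDHE-RSA-RC4-SHA the first usable suite in the server's order, while an EC key yields c0,09.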