I have a node app hosted in AWS ec2 and installed letsencrypt certificates. When I am trying to access the API, it is giving error
Connection - obsolete connection settings The connection to this site is encrypted and authenticated using TLS 1.0, ECDHE_RSA, and AES_256_CBC with HMAC-SHA1. TLS 1.0 is obsolete. Enable TLS 1.2 or later. AES_256_CBC is obsolete. Enable an AES-GCM-based cipher suite.
SSL Certificates shows correctly from letsencrypt
I have infact set TLS 1.2 AES-GCM-based cipher in config file. my nginx version is
nginx version: nginx/1.16.1 OpenSSL 1.0.2k-fips 26 Jan 2017
Any pointers?
here is my nginx.conf file snippet
http { include /etc/nginx/mime.types; default_type application/octet-stream; access_log /var/log/nginx/access.log main; sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 2048; server { listen 80; listen 443 ssl; server_name localhost; root /usr/share/nginx/html; ssl_certificate /opt/ssl/cacert.pem; ssl_certificate_key /opt/ssl/privkey.pem; ssl_session_timeout 5m; ssl_protocols SSLv2 TLSv1.2 TLSv1.1 TLSv1; #ssl_protocols SSLv2 SSLv3 TLSv1; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; #charset koi8-r; } server { listen 443 ssl http2; server_name aws.qureme.co.in; root /usr/share/nginx/html; ssl_certificate /etc/letsencrypt/live/ ssl_certificate_key /etc/letsencrypt/live/ ssl_session_timeout 5m; ssl_protocols TLSv1.2 TLSv1.1 TLSv1 TLSv1.3; ssl_prefer_server_ciphers on; ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5; ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; ssl_ecdh_curve secp384r1; ssl_session_tickets off; ssl_stapling on; ssl_stapling_verify on; resolver 8.8.8.8; } }
61 Answer
The problem was when I set a different protocol and ciphers for 2 server Block( one for IP Address and another phone for domain name.
THANKS A LOT FOR STEFFEN ULLRICH for the input. Here is the modifed spec
server { listen 80; listen 443 ssl; server_name localhost; root /usr/share/nginx/html; ssl_certificate /opt/ssl/cacert.pem; ssl_certificate_key /opt/ssl/privkey.pem; ssl_session_timeout 5m; ssl_protocols TLSv1.2 TLSv1.1 TLSv1 TLSv1.3; ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5; ssl_prefer_server_ciphers on; } server { listen 443 ssl http2; server_name aws.qureme.co.in; root /usr/share/nginx/html; ssl_certificate /etc/letsencrypt/live/ ssl_certificate_key /etc/letsencrypt/live/ ssl_session_timeout 5m; ssl_protocols TLSv1.2 TLSv1.1 TLSv1 TLSv1.3; ssl_prefer_server_ciphers on; ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5; }