I have a node app hosted in AWS ec2 and installed letsencrypt certificates. When I am trying to access the API, it is giving error

Connection - obsolete connection settings The connection to this site is encrypted and authenticated using TLS 1.0, ECDHE_RSA, and AES_256_CBC with HMAC-SHA1. TLS 1.0 is obsolete. Enable TLS 1.2 or later. AES_256_CBC is obsolete. Enable an AES-GCM-based cipher suite.

SSL Certificates shows correctly from letsencrypt

I have infact set TLS 1.2 AES-GCM-based cipher in config file. my nginx version is

nginx version: nginx/1.16.1 OpenSSL 1.0.2k-fips 26 Jan 2017

Any pointers?

here is my nginx.conf file snippet

http { include /etc/nginx/mime.types; default_type application/octet-stream; access_log /var/log/nginx/access.log main; sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 2048; server { listen 80; listen 443 ssl; server_name localhost; root /usr/share/nginx/html; ssl_certificate /opt/ssl/cacert.pem; ssl_certificate_key /opt/ssl/privkey.pem; ssl_session_timeout 5m; ssl_protocols SSLv2 TLSv1.2 TLSv1.1 TLSv1; #ssl_protocols SSLv2 SSLv3 TLSv1; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; #charset koi8-r; } server { listen 443 ssl http2; server_name aws.qureme.co.in; root /usr/share/nginx/html; ssl_certificate /etc/letsencrypt/live/ ssl_certificate_key /etc/letsencrypt/live/ ssl_session_timeout 5m; ssl_protocols TLSv1.2 TLSv1.1 TLSv1 TLSv1.3; ssl_prefer_server_ciphers on; ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5; ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; ssl_ecdh_curve secp384r1; ssl_session_tickets off; ssl_stapling on; ssl_stapling_verify on; resolver 8.8.8.8; } 

}

6

1 Answer

The problem was when I set a different protocol and ciphers for 2 server Block( one for IP Address and another phone for domain name.

THANKS A LOT FOR STEFFEN ULLRICH for the input. Here is the modifed spec

server { listen 80; listen 443 ssl; server_name localhost; root /usr/share/nginx/html; ssl_certificate /opt/ssl/cacert.pem; ssl_certificate_key /opt/ssl/privkey.pem; ssl_session_timeout 5m; ssl_protocols TLSv1.2 TLSv1.1 TLSv1 TLSv1.3; ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5; ssl_prefer_server_ciphers on; } server { listen 443 ssl http2; server_name aws.qureme.co.in; root /usr/share/nginx/html; ssl_certificate /etc/letsencrypt/live/ ssl_certificate_key /etc/letsencrypt/live/ ssl_session_timeout 5m; ssl_protocols TLSv1.2 TLSv1.1 TLSv1 TLSv1.3; ssl_prefer_server_ciphers on; ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5; } 

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy