People, please help me understand why this error occurs. I bought a certificate from GoDaddy, and it works, but it produces the warning "The connection is encrypted using outdated cipher suites".

How can this be corrected? I use nginx as the web server.

Config

    server {
        listen 443;
        server_name example.com;
        root /home/wordpress/www; # path to WP
        index index.php;
        ssl on;
        ssl_certificate /etc/nginx/ssl/example.com.com_combined.crt;
        ssl_certificate_key /etc/nginx/ssl/example.com.key;
    }

nginx -V

    nginx version: nginx/1.9.3 (Ubuntu)
    built with OpenSSL 1.0.2d 9 Jul 2015
    TLS SNI support enabled
    configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_spdy_module --with-http_sub_module --with-http_xslt_module --with-mail --with-mail_ssl_module

grep -rn ssl_ /etc/nginx

    /etc/nginx/snippets/snakeoil.conf:4:ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    /etc/nginx/snippets/snakeoil.conf:5:ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    /etc/nginx/nginx.conf:33: ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    /etc/nginx/nginx.conf:34: ssl_prefer_server_ciphers on;
    Binary file /etc/nginx/sites-available/example.com matches

  • Add the nginx config to the question. - nörbörnën
  • Added config. - dimaua
  • I see. Then show nginx -V - nörbörnën
  • Added nginx -V. - dimaua
  • The default settings are what is needed; the version is greater than 1.9.1, so it's strange. I'm guessing either there are settings somewhere you are not looking (I'm asking for grep -rn ssl_ /etc/nginx), or you need to update nginx and openssl, or the problem is in other software. I suggest you run the grep, upgrade, restart and see. If there are no changes, then configure ssl_protocols and ssl_ciphers as shown at the very beginning of nginx.org/ru/docs/http/configuring_https_servers.html and look further. - nörbörnën

1 answer

The answer from the discussion: comment out lines 33-34 in /etc/nginx/nginx.conf.

Also, the nginx documentation recommends using listen 443 ssl; instead of ssl on;

I also wanted to say that Let's Encrypt has left invite-only mode, so the spaceships are plowing the open expanses, and obtaining certificates has ceased to be a synonym for purchase.
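
One way line 34 (ssl_prefer_server_ciphers on;) can lead to this kind of warning, shown as an added example that is not part of the original question or answer: with server preference the first suite in the server's order that the client also offers wins, even when the client ranks an AEAD suite higher. Both suite lists are constructed samples, and the "legacy" label assumes the browser's rule is AEAD plus ephemeral key exchange.

```python
# Added illustration: how preference order decides the negotiated cipher suite.
# Both lists are constructed samples, not captured from the server in the question.

# Server list ordered by key size, so AES-256-CBC suites sit above AES-128-GCM.
SERVER_SUITES = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES256-SHA",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-SHA",
    "AES128-SHA",
]
# Client that ranks AES-128-GCM first and does not offer AES-256-GCM.
CLIENT_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA",
    "ECDHE-RSA-AES128-SHA",
    "AES128-SHA",
]

def negotiate(server, client, prefer_server):
    """Return the first suite, in the preferred side's order, that both sides support."""
    first, second = (server, client) if prefer_server else (client, server)
    allowed = set(second)
    return next((s for s in first if s in allowed), None)

def is_aead(suite):
    """OpenSSL-style names of AEAD suites contain GCM, CCM or CHACHA20."""
    return any(tag in suite for tag in ("GCM", "CCM", "CHACHA20"))

def has_forward_secrecy(suite):
    """Ephemeral key exchange appears as an ECDHE- or DHE- prefix."""
    return suite.startswith(("ECDHE-", "DHE-"))

def report(prefer_server):
    """Return (negotiated suite, 'modern' or 'legacy') for the sample lists."""
    suite = negotiate(SERVER_SUITES, CLIENT_SUITES, prefer_server)
    if suite is None:
        return (None, "handshake failure")
    modern = is_aead(suite) and has_forward_secrecy(suite)
    return (suite, "modern" if modern else "legacy")

if __name__ == "__main__":
    for flag in (True, False):
        state = "on" if flag else "off"
        print("ssl_prefer_server_ciphers", state, "->", *report(flag))
```

If server preference stays on, the ssl_ciphers order has to put the AEAD suites first for the same client to negotiate one.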