Question

How to add a new cipher to Nginx?

Posted October 23, 2019, 935 views
Nginx, Load Balancing

Hi:

I’ve been trying to set up LB for my app for a while now. I made some progress but now I’m hitting this problem:

When I try to perform a request to my server through the LB I get this:

SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
ALPN, server did not agree to a protocol 

Which turns into a 400 error:

<html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>The plain HTTP request was sent to HTTPS port</center>
<hr><center>nginx/1.16.1</center>
</body>
</html>

I noticed the ssl configuration on the server does not include ECDHE-RSA-CHACHA20-POLY1305, it reads:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

How can I add a new cipher? Thanks
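An added example, not from the question or either answer, that resolves an nginx `ssl_ciphers` string with the local OpenSSL in the same way nginx hands that string to OpenSSL, so you can see which suites the value actually enables and whether ECDHE-RSA-CHACHA20-POLY1305 is among them before and after it is added. It uses the cipher string quoted in the question as its input; the `add_cipher` helper and its `prefer` parameter are this example's own. One point worth knowing while reading it: nginx emits the 400 "The plain HTTP request was sent to HTTPS port" response when a listener configured with `ssl` receives a non-TLS request, so that error comes from a load balancer forwarding plaintext to a TLS port on the backend, not from the cipher list; the check below is still the quickest way to confirm what a backend offers.

```python
import ssl

# The ssl_ciphers value quoted in the question, copied verbatim.
QUESTION_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:"
    "!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
)

CHACHA = "ECDHE-RSA-CHACHA20-POLY1305"


def resolve_cipher_list(cipher_string):
    """Return the TLS 1.2-and-below suite names OpenSSL enables for an
    nginx ssl_ciphers value, in the server's preference order.

    nginx passes ssl_ciphers straight to OpenSSL's cipher-list parser, which
    is the same parser SSLContext.set_ciphers() uses, so the result matches
    what the server would offer. Unknown names in the list are ignored;
    ssl.SSLError is raised only if nothing at all matches.
    TLS 1.3 suites are governed separately and are filtered out here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def add_cipher(cipher_string, cipher, prefer=True):
    """Return the cipher list with `cipher` added (hypothetical helper).

    With prefer=True the suite is placed first, which matters when
    ssl_prefer_server_ciphers is on; otherwise it is appended after the
    existing positive entries but before the first '!' exclusion, so the
    exclusions keep applying to the whole list. Already-present entries
    are left alone, making the call idempotent.
    """
    entries = cipher_string.split(":")
    if cipher in entries:
        return cipher_string
    if prefer:
        entries.insert(0, cipher)
    else:
        first_exclusion = next(
            (i for i, e in enumerate(entries) if e.startswith("!")), len(entries)
        )
        entries.insert(first_exclusion, cipher)
    return ":".join(entries)


if __name__ == "__main__":
    before = resolve_cipher_list(QUESTION_CIPHERS)
    after = resolve_cipher_list(add_cipher(QUESTION_CIPHERS, CHACHA))
    print(f"{CHACHA} enabled before: {CHACHA in before}")
    print(f"{CHACHA} enabled after:  {CHACHA in after}")
    print("first three suites after the change:", after[:3])
```

Run it on the host in question and the printed suite list is exactly what that host's OpenSSL, and therefore its nginx, would offer for TLS 1.2. Remember that `ssl_ciphers` does not control TLS 1.3 suites, so a client negotiating TLS 1.3 can still get ChaCha20-Poly1305 (as TLS_CHACHA20_POLY1305_SHA256) regardless of this list, and that the quoted list still enables TLS 1.0/1.1 and CBC suites that a hardened configuration would drop.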


2 answers

Hello, @maurochojrin

Can you confirm if http2 is supported on your server? Can you check if your hostname/domain has http2 configured and that ALPN is supported?

You can use this site to check:

https://tools.keycdn.com/http2-test

Enter your domain with https://

If everything is fine you will see:

HTTP/2 protocol is supported.
ALPN extension is supported.

Let me know how it goes.

Thanks for that! I finally fixed it by forwarding port 443 on the LB to 443 on the droplet.

I was using 443 -> 80 (Through SSL termination).

I’m a little confused by why this worked though :p

Shouldn’t communication between LB and backends be plain text? Isn’t that what SSL Termination stands for?
