Question

How to add a new cipher to Nginx?

Hi:

I’ve been trying to set up LB for my app for a while now. I made some progress but now I’m hitting this problem:

When I try to perform a request to my server through the LB I get this:

SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
ALPN, server did not agree to a protocol 

Which turns into a 400 error:

<html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>The plain HTTP request was sent to HTTPS port</center>
<hr><center>nginx/1.16.1</center>
</body>
</html>

I noticed the ssl configuration on the server does not include ECDHE-RSA-CHACHA20-POLY1305, it reads:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

How can I add a new cipher? Thanks
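One way to see what the quoted ssl_ciphers string actually enables (OpenSSL expands it, the same way nginx's OpenSSL does) and to probe the backend with the single suite and ALPN list the LB offered. This is an added example, not code from this thread or from nginx/DigitalOcean; it assumes CPython linked against OpenSSL 1.1.0 or newer, and the host passed to probe() is whatever the reader supplies.

```python
import socket
import ssl

# The ssl_ciphers value quoted in the question, split only for readability.
PAGE_SPEC = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:"
    "!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
)
NEW_CIPHER = "ECDHE-RSA-CHACHA20-POLY1305"   # the suite curl negotiated with the LB


def expand(spec):
    """Suite names OpenSSL derives from an ssl_ciphers string, in list order.
    TLS 1.3 suites are dropped: nginx/OpenSSL configure those separately."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)            # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def cipher_enabled(spec, name):
    return name in expand(spec)


def add_cipher(spec, name):
    """Append one suite to an ssl_ciphers string (it gets lowest preference)."""
    return spec if cipher_enabled(spec, name) else f"{spec}:{name}"


def probe(host, port=443, cipher=NEW_CIPHER, alpn=("h2", "http/1.1")):
    """Handshake offering only `cipher` and report what the server picked.
    A failure here is a cipher/ALPN problem; a 400 after a good handshake is
    not a TLS problem but plain HTTP arriving on the TLS port."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers(cipher)
    ctx.set_alpn_protocols(list(alpn))
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return {"cipher": tls.cipher()[0], "alpn": tls.selected_alpn_protocol()}
```

cipher_enabled(PAGE_SPEC, NEW_CIPHER) is False for the quoted string, so appending ":ECDHE-RSA-CHACHA20-POLY1305" (what add_cipher does) is the nginx-side change; the 400 in the question, however, comes after a successful handshake and is a port-forwarding matter, not a cipher one.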


Thanks for that! I finally fixed it by forwarding port 443 on the LB to 443 on the droplet.

I was using 443 -> 80 (Through SSL termination).

I’m a little confused by why this worked though :p

Shouldn’t communication between LB and backends be plain text? Isn’t that what SSL Termination stands for?

Hello, @maurochojrin

Can you confirm if http2 is supported on your server? Can you check if your hostname/domain has http2 configured and that ALPN is supported?

You can use this site to check:

https://tools.keycdn.com/http2-test

Enter your domain with https://

If everything is fine you will see:

HTTP/2 protocol is supported. ALPN extension is supported.

Let me know how it goes.