I would like to enable the SSL cipher EDH-DSS-DES-CBC3-SHA (also known as TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA) in my nginx SSL environment to support IE8 on Windows XP.
The base SSL ciphers for nginx are:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
EDH-DSS-DES-CBC3-SHA is disabled via !DES. I tried to put that cipher in front of the disable rules (between DHE-RSA-AES256-SHA and !aNULL) and after (as the very last argument) but neither worked.
How to enable cipher EDH-DSS-DES-CBC3-SHA without enabling all DES or manually disabling other DES ciphers?
Version information: nginx 1.7.8, OpenSSL 1.0.1e
Replace "!3DES" with "-3DES" and add your 3DES cipher suite ID afterwards
You've got this base string:
And on my OpenSSL 1.0.2d 9 Jul 2015 this leads to these 22 cipher suites:
You can explicitly throw cipher suites out of your resultant set in two ways:
!
-
Once you've used ! to throw out a cipher suite set you cannot re-add them. This is what you did with !3DES.
Here's a set that contains the additional suite you wanted:
I've replaced the end of the cipher string from
with
This now gives 23 cipher suites:
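The difference between ! and - described in the answer above, as an added example that is not part of the original post and is not OpenSSL's code: a simplified Python model of how a cipher string is evaluated left to right. The suite table and its tags are a constructed subset, and the names `matches` and `evaluate` are hypothetical helpers.

```python
# Simplified model of OpenSSL cipher-string evaluation (illustration only).
# SUITES is a constructed subset; the tags are hand-assigned for this example.
SUITES = {
    "ECDHE-RSA-AES128-GCM-SHA256": {"kEECDH", "aRSA", "AESGCM"},
    "DHE-RSA-AES256-SHA": {"kEDH", "aRSA", "AES", "SHA1"},
    "EDH-DSS-DES-CBC3-SHA": {"kEDH", "aDSS", "3DES", "SHA1"},
    "EDH-RSA-DES-CBC3-SHA": {"kEDH", "aRSA", "3DES", "SHA1"},
    "DES-CBC3-SHA": {"kRSA", "aRSA", "3DES", "SHA1"},
    "RC4-MD5": {"kRSA", "aRSA", "RC4", "MD5"},
}

def matches(token):
    """Suites a token selects: an exact suite name, or all tags joined by '+'."""
    if token in SUITES:
        return [token]
    wanted = set(token.split("+"))
    return [name for name, tags in SUITES.items() if wanted <= tags]

def evaluate(cipher_string):
    """Apply the rules left to right and return the resulting ordered list."""
    active, killed = [], set()
    for rule in cipher_string.split(":"):
        if rule.startswith("!"):      # permanent: can never be re-added
            hit = matches(rule[1:])
            killed.update(hit)
            active = [n for n in active if n not in hit]
        elif rule.startswith("-"):    # removal: a later rule may re-add
            hit = matches(rule[1:])
            active = [n for n in active if n not in hit]
        else:                         # add at the end unless killed/present
            for n in matches(rule):
                if n not in killed and n not in active:
                    active.append(n)
    return active

BASE = "ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA"
WANTED = "EDH-DSS-DES-CBC3-SHA"
BEFORE_KILL = evaluate(f"{BASE}:{WANTED}:!RC4:!3DES:!MD5")  # suite before !3DES
AFTER_KILL = evaluate(f"{BASE}:!RC4:!3DES:!MD5:{WANTED}")   # suite after !3DES
WITH_MINUS = evaluate(f"{BASE}:!RC4:-3DES:!MD5:{WANTED}")   # -3DES, then suite

if __name__ == "__main__":
    for label, result in [("before !3DES", BEFORE_KILL),
                          ("after !3DES", AFTER_KILL),
                          ("-3DES then suite", WITH_MINUS)]:
        print(f"{label}: {result}")
```

On a real server, check the outcome with `openssl ciphers -v` and the final string, using the OpenSSL build that nginx is linked against.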