I've been working on getting HTTP/2 support running on an Nginx server for some time now. At this point I'm stuck at selecting ciphers to support. Hopefully you can help me understand this.
Before I started with getting HTTP2 to work, I made it a hobby to get the best possible scores in SSLlabs while maintaining support for the majority of browsers. Thus, I only supported 256 bit ciphers and didn't list any 128 bit ciphers.
Since enabling HTTP/2, I lost support for Firefox on Windows (and probably other browsers/platforms as well). Note that I'm fine having lost support for Java, XP and Android 2.3 according to the SSLlabs browser simulations, as this is a private server.
According to SSLlabs, Firefox version 45 and 46 on Windows fail to connect to the server. The message shown is: "Server negotiated HTTP/2 with blacklisted suite". According to the results, these versions of Firefox will have selected the cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA.
A quick search led me to this topic on ServerFault that explained that the RFC specifies a blacklist of ciphers.
This is the cipher list I had configured:
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:kEDH+AESGCM:CAMELLIA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!CAMELLIA+RSA:!AES128:@STRENGTH;
I'm led to believe that TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA is stronger than TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (which is used by Firefox in my current configuration), as it has a higher preference for Nginx if I add @STRENGTH to the ssl_ciphers directive. Still, the first one is listed in the black list and the second one isn't.
I'm aware that there are already some topics here about what ciphers should be chosen to get the best support. However, with this post I'm trying to better understand why some of the cipher suites listed above are blacklisted and several 128-bit ciphers aren't.
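One way to see why the RFC treats these suites differently, as an added example that is not part of the original question: the note in RFC 7540 Appendix A says the black list consists of the suites that offer no ephemeral key exchange or that use the TLS null, stream or block cipher types, i.e. anything that is not an AEAD suite with forward secrecy. Symmetric key length plays no part, which is why @STRENGTH (which sorts by key size) can rank a blacklisted CBC suite above a permitted 128-bit GCM suite. The script below encodes those two criteria for OpenSSL-style suite names, converts AES/Camellia names to the IANA form that SSL Labs and the RFC use, and replays a server-preference negotiation (what nginx does with ssl_prefer_server_ciphers on) for a constructed client offer. The server orders and the client offer are constructed for illustration and are not a claim about what any particular Firefox build sends; the RFC's enumerated list remains the authoritative source, and anonymous (aNULL) suites are not modelled.

```python
"""Classify OpenSSL cipher-suite names against the HTTP/2 black-list
criteria of RFC 7540 Appendix A and replay a server-preference cipher
negotiation.  Added example; assumptions are marked in the comments."""
import re
from dataclasses import dataclass

# OpenSSL key-exchange prefixes that give forward secrecy.  Static
# "ECDH-"/"DH-" and a bare name such as "AES256-GCM-SHA384" (RSA key
# transport) do not.
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EDH-")
# Substrings that mark an AEAD construction in OpenSSL suite names.
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20-POLY1305")


@dataclass(frozen=True)
class Verdict:
    name: str
    ephemeral: bool
    aead: bool

    @property
    def blacklisted(self) -> bool:
        # Appendix A note: listed if either property is missing.
        return not (self.ephemeral and self.aead)

    @property
    def reason(self) -> str:
        if not self.blacklisted:
            return "ok: ephemeral key exchange + AEAD cipher"
        parts = []
        if not self.ephemeral:
            parts.append("no ephemeral key exchange")
        if not self.aead:
            parts.append("not AEAD (block/stream cipher)")
        return "blacklisted: " + ", ".join(parts)


def classify(name: str) -> Verdict:
    """Apply the two Appendix A criteria to one OpenSSL suite name."""
    return Verdict(name=name,
                   ephemeral=name.startswith(EPHEMERAL_PREFIXES),
                   aead=any(m in name for m in AEAD_MARKERS))


# Handles the AES/Camellia CBC and GCM families only; other suites -> None.
_AES_RE = re.compile(
    r"^(?:(ECDHE|ECDH|DHE|DH)-(RSA|ECDSA|DSS)-)?"
    r"(AES|CAMELLIA)(128|256)-(?:(GCM)-)?(SHA|SHA256|SHA384)$")


def to_iana(name: str):
    """OpenSSL name -> IANA name, e.g. ECDHE-RSA-AES256-SHA ->
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA.  None if not an AES/Camellia suite."""
    m = _AES_RE.match(name)
    if not m:
        return None
    kx, auth, cipher, bits, gcm, mac = m.groups()
    kx_auth = f"{kx}_{auth}" if kx else "RSA"   # bare name = RSA key transport
    mode = "GCM" if gcm else "CBC"
    return f"TLS_{kx_auth}_WITH_{cipher}_{bits}_{mode}_{mac}"


def negotiate(server_order, client_offer):
    """Server-preference negotiation: first suite in the server's order
    that the client also offers (None if the sets do not intersect)."""
    offered = set(client_offer)
    return next((s for s in server_order if s in offered), None)


def http2_outcome(server_order, client_offer):
    """(negotiated suite, Verdict) for one handshake; Verdict is None
    when no common suite exists."""
    suite = negotiate(server_order, client_offer)
    return suite, (classify(suite) if suite else None)


# Constructed subset of the server order from the question: 256-bit only,
# CBC suites present, no 128-bit suite at all.
POSTED_SERVER_ORDER = [
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA",
    "DHE-RSA-AES256-SHA256", "DHE-DSS-AES256-SHA",
]
# Constructed client offer (assumption, not a specific browser's list): the
# client has ECDHE AES-128-GCM but no AES-256-GCM suite.
CLIENT_OFFER = [
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA",
    "ECDHE-RSA-AES128-SHA", "AES128-GCM-SHA256",
]
# Same server order with the RFC 7540 mandatory suite placed ahead of CBC.
FIXED_SERVER_ORDER = [
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES256-SHA",
]

if __name__ == "__main__":
    for s in POSTED_SERVER_ORDER + ["AES256-GCM-SHA384",
                                    "ECDHE-RSA-AES128-GCM-SHA256"]:
        print(f"{s:32} {to_iana(s) or '?':44} {classify(s).reason}")
    for label, order in (("posted", POSTED_SERVER_ORDER),
                         ("fixed", FIXED_SERVER_ORDER)):
        suite, v = http2_outcome(order, CLIENT_OFFER)
        print(f"{label}: negotiated {suite} -> {v.reason}")
```

To check a real nginx string rather than the constructed list, expand it with `openssl ciphers 'YOUR_STRING' | tr ':' '\n'` and pass each name to classify(). With ssl_prefer_server_ciphers on, the server's order decides, so a client that lacks AES-256-GCM is steered onto the first CBC suite it shares with the server; putting an ephemeral AEAD suite the client supports ahead of the CBC suites (RFC 7540 section 9.2.2 makes TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 mandatory for HTTP/2 over TLS 1.2), or dropping the CBC suites entirely, removes the INADEQUATE_SECURITY failure.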