openssl 1.0.1 and tls1.1 and up

N
  • 15 Apr '14
Hello

I'm struggling with enabling TLS 1.1 and TLS 1.2. Some info:

NGINX:

# nginx -V
nginx version: nginx/1.5.13
built by gcc 4.8.1 (Ubuntu/Linaro 4.8.1-10ubuntu9) 
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx/1.5.13
--conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log
--http-client-body-temp-path=/var/lib/nginx/body
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi
--http-log-path=/var/log/nginx/access.log
--http-proxy-temp-path=/var/lib/nginx/proxy
--http-scgi-temp-path=/var/lib/nginx/scgi
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi --lock-path=/var/lock/nginx.lock
--pid-path=/run/nginx.pid --with-pcre-jit --with-debug
--with-http_addition_module --with-http_auth_request_module
--with-http_dav_module --with-http_geoip_module
--with-http_gzip_static_module --with-http_image_filter_module
--with-http_realip_module --with-http_spdy_module --with-http_ssl_module
--with-http_stub_status_module --with-http_sub_module
--with-http_xslt_module --with-ipv6
--add-module=/usr/src/nginx-modules/nginx-openssl-version
--add-module=/usr/src/nginx-modules/testcookie-nginx-module
--with-pcre=/usr/src/nginx-modules/pcre-8.35
--with-openssl=/usr/src/nginx-modules/openssl-1.0.1g

SSL settings:

ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_prefer_server_ciphers on;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

https://www.ssllabs.com/ssltest/ results:

Protocols
TLS 1.2     No  
TLS 1.1     No
TLS 1.0     Yes
SSL 3   Yes
SSL 2   No

Any hint?

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,249305,249305#msg-249305
M
  • 15 Apr '14
I have an nginx 1.5 install where I don't set ssl_protocols, because the
defaults are fine:
---> "Since versions 1.1.13 and 1.0.12, nginx uses “ssl_protocols SSLv3
TLSv1 TLSv1.1 TLSv1.2” by default."

This is what I have found to be the best for ciphers; SSL Labs seems to like
it. I would even set !RC4, but we still need to support it on this specific
server.

        # ciphers
        ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM
EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256
EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK
!SRP !DSS";

M
  • 15 Apr '14
I should clarify that the default for ssl_protocols is fine for my
environment, since we need to support SSLv3; if you don't, I suggest making it
safer:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

M
  • 15 Apr '14
Hi,

What is your OS (name and version)?

Where do you have the ciphers from, btw?

I'd suggest you test the TLS versions yourself with testssl.sh
https://bitbucket.org/nginx-goodies/testssl.sh
(note: you need a current OpenSSL version on the machine you test
from)

regards,

mex

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,249305,249315#msg-249315
N
  • 16 Apr '14
Strange things are happening.

nginx:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Results:

ssllabs.com:
TLS 1.2     No  
TLS 1.1     No
TLS 1.0     Yes
SSL 3   Yes
SSL 2   No

testssl.sh:

SSLv2     NOT offered (ok)
SSLv3     offered 
TLSv1     offered (ok) 
TLSv1.1   not offered
TLSv1.2   not offered

Looks like I can't disable SSLv3.

OS: Ubuntu saucy
SSL Certificate: StartCom Ltd.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,249305,249329#msg-249329
M
  • 16 Apr '14
Hello!

On Wed, Apr 16, 2014 at 06:35:43AM -0400, Nemesiz wrote:

> Strange things are happening.
> 
> nginx:
> ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
> 
> Results:
> 
> ssllabs.com:
> TLS 1.2   No  
> TLS 1.1   No
> TLS 1.0   Yes
> SSL 3     Yes
> SSL 2     No
> 
> testssl.sh:
> 
> SSLv2     NOT offered (ok)
> SSLv3     offered 
> TLSv1     offered (ok) 
> TLSv1.1   not offered
> TLSv1.2   not offered
> 
> Looks like i can`t disable sslv3

It looks like you are testing something different, not nginx you 
are trying to configure.  Check what is actually listening on the 
ip:port you are testing.

-- 
Maxim Dounin
http://nginx.org/
N
  • 16 Apr '14
Maxim Dounin Wrote:
-------------------------------------------------------

> It looks like you are testing something different, not nginx you 
> are trying to configure.  Check what is actually listening on the 
> ip:port you are testing.

testssl.sh:
--> Testing HTTP Header response 

 HSTS        365 days (31536000 s)
 Server      nginx/1.5.13
 Application (None)

ssllabs.com:
HTTP server signature   nginx/1.5.13

# netstat -tulnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      17535/redis-server
tcp        0      0 0.0.0.0:1003            0.0.0.0:*               LISTEN      19379/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      10632/nginx
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      17584/unicorn.rb -E
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      19379/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      733/exim4
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      10632/nginx
tcp6       0      0 :::1003                 :::*                    LISTEN      19379/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      19379/sshd
tcp6       0      0 :::25                   :::*                    LISTEN      733/exim4

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,249305,249333#msg-249333
B
  • 16 Apr '14
Rather than posting raw outputs, try to understand the piece of advice
Maxim gave you.

I suspect those SSL-validation websites test websites... which correspond
to a certain standard port.
I see a problem, don't you?
---
*B. R.*
K
  • 16 Apr '14
I think the problem is that your nginx uses the libssl version from your OS
(0.9.8/1.0.0).

N
  • 16 Apr '14
I recompiled with the default OpenSSL lib (1.0.1e-3ubuntu1.2).

Default install path:

# nginx -V
nginx version: nginx/1.5.13
built by gcc 4.8.1 (Ubuntu/Linaro 4.8.1-10ubuntu9) 
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx/1.5.13
--conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log
--http-client-body-temp-path=/var/lib/nginx/body
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi
--http-log-path=/var/log/nginx/access.log
--http-proxy-temp-path=/var/lib/nginx/proxy
--http-scgi-temp-path=/var/lib/nginx/scgi
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi --lock-path=/var/lock/nginx.lock
--pid-path=/run/nginx.pid --with-pcre-jit --with-debug
--with-http_ssl_module
--add-module=/usr/src/nginx-modules/nginx-openssl-version
--with-pcre=/usr/src/nginx-modules/pcre-8.35

nginx cloned to /root/test:

# ./nginx -V
nginx version: nginx/1.5.13
built by gcc 4.8.1 (Ubuntu/Linaro 4.8.1-10ubuntu9) 
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx/1.5.13
--conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log
--http-client-body-temp-path=/var/lib/nginx/body
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi
--http-log-path=/var/log/nginx/access.log
--http-proxy-temp-path=/var/lib/nginx/proxy
--http-scgi-temp-path=/var/lib/nginx/scgi
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi --lock-path=/var/lock/nginx.lock
--pid-path=/run/nginx.pid --with-pcre-jit --with-debug
--with-http_ssl_module
--add-module=/usr/src/nginx-modules/nginx-openssl-version
--with-pcre=/usr/src/nginx-modules/pcre-8.35

The same settings, but the default nginx runs on ports 80 and 443. The cloned
nginx runs on 81 and 443.

default nginx on port 443:
--> Testing Protocols

 SSLv2     NOT offered (ok) 
 SSLv3     offered 
 TLSv1     offered (ok) 
 TLSv1.1   not offered
 TLSv1.2   not offered

 SPDY/NPN   http/1.1 (advertised)

cloned nginx on port 444:
--> Testing Protocols

 SSLv2     NOT offered (ok) 
 SSLv3     NOT offered (ok) 
 TLSv1     offered (ok) 
 TLSv1.1   offered (ok) 
 TLSv1.2   offered (ok)

# ldd /usr/local/nginx/1.5.13/sbin/nginx
    linux-vdso.so.1 =>  (0x00007fff623fe000)
    libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f6e46143000)
    libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007f6e45f0a000)
    libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f6e45cab000)
    libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f6e458cf000)
    libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f6e456b6000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f6e452ed000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f6e4636c000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f6e450e9000)

# ldd /root/test/nginx
    linux-vdso.so.1 =>  (0x00007fffe478f000)
    libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f6dcdfc5000)
    libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007f6dcdd8c000)
    libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f6dcdb2d000)
    libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f6dcd751000)
    libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f6dcd538000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f6dcd16f000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f6dce1ee000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f6dccf6b000)

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,249305,249339#msg-249339
V
  • 16 Apr '14
Check that you have run the same nginx, that you are trying to configure.

 $ ps -fC nginx

  wbr, Valentin V. Bartenev
N
  • 16 Apr '14
I found where the problem was. I thought SSL options could be different per
virtual host. The default server's settings were not overwritten.

server {
    include conf/default-settings;

    root /var/www;
    server_name "";

    ssl on;
    ssl_certificate ssl/nmz_ssl.crt;
    ssl_certificate_key ssl/nmz_ssl.key;

    ssl_session_timeout 5m;

    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
    ssl_prefer_server_ciphers on;

    location / {
        try_files $uri $uri/ =404;
    }

    location /smokeping/ {
        proxy_pass http://10.10.10.2/smokeping/;
    }
}

Other servers:
server {
    include conf/default-site-ssl;
    include conf/default-settings;
    ssl_certificate /etc/nginx/ssl/host.pem;
    ssl_certificate_key /etc/nginx/ssl/host.key;
....

conf/default-site-ssl :

listen 443 ssl;
ssl on;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_prefer_server_ciphers on;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

nginx -t did not show any error.

http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols

So some SSL options cannot be overwritten?

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,249305,249341#msg-249341
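The lesson of this last post, as an added example that is not from the thread or from nginx: a small Python checker, with its own simplified config parser (not nginx's), that reports per SSL listen socket which ssl_protocols list actually applies. It assumes nginx's behaviour that the protocol version is negotiated before SNI is processed, so the default server's list wins; the sample config and the host name are constructed.

```python
import re

# Constructed sample modelled on the thread: the first server on :443 (the
# default, server_name "") keeps the old list; the named vhost's list is unused.
SAMPLE_CONF = """
server {
    listen 443 ssl;
    server_name "";
    ssl_protocols SSLv3 TLSv1;
}
server {
    listen 443 ssl;
    server_name www.example.com;  # placeholder name
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / { try_files $uri $uri/ =404; }
}
"""
# nginx's built-in default at the time of the thread (1.1.13+ / 1.0.12+).
DEFAULT_PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+')


def parse_servers(conf):
    """Minimal tokenizer (not nginx's parser): one {directive: args} dict per
    server block; nested blocks (location ...) and include files are ignored."""
    servers, cur, stmt, depth, sdepth = [], None, [], 0, 0
    for tok in TOKEN.findall(re.sub(r"#[^\n]*", "", conf)):
        if tok == "{":
            depth += 1
            if cur is None and stmt[:1] == ["server"]:
                cur, sdepth = {}, depth
                servers.append(cur)
            stmt = []
        elif tok == "}":
            if depth == sdepth:
                cur = None
            depth, stmt = depth - 1, []
        elif tok == ";":
            if cur is not None and depth == sdepth and stmt:
                cur[stmt[0]] = stmt[1:]
            stmt = []
        else:
            stmt.append(tok.strip("\"'"))
    return servers


def effective_protocols(servers):
    """Per SSL listen socket, the ssl_protocols nginx really negotiates: the version
    is chosen before SNI is processed, so only the default server's list counts."""
    by_socket = {}
    for srv in servers:
        listen = srv.get("listen", ["80"])
        if "ssl" in listen or srv.get("ssl") == ["on"]:
            by_socket.setdefault(listen[0], []).append(srv)
    report = {}
    for sock, group in by_socket.items():
        # explicit default_server wins, otherwise the first server on the socket
        default = next((s for s in group if "default_server" in s.get("listen", [])), group[0])
        eff = default.get("ssl_protocols", DEFAULT_PROTOCOLS)
        report[sock] = {"effective": eff, "ignored_in": [
            s.get("server_name", [""])[0] for s in group
            if s is not default and s.get("ssl_protocols", DEFAULT_PROTOCOLS) != eff]}
    return report
```

Run `effective_protocols(parse_servers(open("nginx.conf").read()))` against a flattened config (includes expanded) and look for a non-empty `ignored_in`: that is a vhost whose protocol list nginx never uses.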