Wonderfall / dockerfiles

Discontinued. Fork at your will.
Creative Commons Zero v1.0 Universal
391 stars 170 forks

[boring-nginx] Configuring SSL_params #107

Closed helangen closed 7 years ago

helangen commented 7 years ago

Thanks for a great image.

I can't get NextCloud to work for my browser at work. We run IE 11 on Win 7 Enterprise. I thought it had something to do with only TLSv1.2 being enabled and added support for previous versions (TLSv1 TLS1.1 SSLv2) in the /etc/nginx/ssl_params file. After restarting the reverse proxy, though, it does not seem to read it properly. SSL Labs still says TLSv1.2 only, so I assume the new ssl_params file was not read properly. The error I get is SSL handshake failure. I also tried to comment out the file and add the parameters directly to the nextcloud.conf in the sites-enabled directory.

I use 3 volumes: sites-enabled, certs and conf.d in the Docker container boring-nginx.

Any ideas ?

Cheers

hoellen commented 7 years ago

On IE11 TLS 1.2 is enabled by default: Microsoft IE11 Changelog. Maybe it's another problem? Which error message do you get at work? And maybe your results on SSL Labs are cached?

helangen commented 7 years ago

I can try another browser just to be sure and then change the parameters in nextcloud.conf again.

So changed the browser:

  1. SSL Labs gives me "Protocols TLS v1.2 YES, rest is no".
  2. SSL_protocols SSLv2 TLSv1 TLSv1.1 set in nextcloud.conf in /sites-enabled in the NC container. Reloaded with nginx -s reload.
  3. SSL_protocols TLSv1.2 set in ssl_params in /etc/nginx/conf in the boring-nginx container. Reloaded with nginx -s reload.
  4. Cleared cache and re-ran SSL Labs. Still the same. Under "Handshake Simulation" I get IE 11 / Win 7 R Server sent fatal alert: handshake_failure.

Is this the correct way of doing it? I don't have access to IE 7 at work currently so I can't test it. Am I not supposed to get YES for the other protocols also, or am I thinking of this the wrong way?

Cheers

hoellen commented 7 years ago

I use the default ssl_params file and SSL Labs shows me: IE 11 / Win 7 R RSA 2048 (SHA256) TLS 1.2. And on older IE versions I don't get a "handshake_failure", I get a Server sent fatal alert: protocol_version error. Maybe a certificate problem? Here is some information about handshake failures.

edit: I wouldn't try to activate older protocols. Browsers that can't use TLS 1.2 aren't worth changing your server settings for.
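Two checks a practitioner would want before touching ssl_protocols at all, for the steps listed above and for the advice against enabling older protocols: first, confirm which ssl_protocols line nginx has actually loaded (a mounted file that no include references never becomes effective), and second, test the negotiated protocol and the alert directly rather than relying on a possibly cached scan. This is an added example, not code from the dockerfiles project or from anyone in this thread; the container name, host name and paths in it are assumptions, and the `nginx -T` dump it parses is constructed here in the shape nginx prints it.

```shell
#!/bin/sh
# Added example (not part of the original thread or the boring-nginx image).
# `nginx -T` dumps the effective configuration and prefixes each included
# file with a "# configuration file <path>:" line, so the dump shows both
# where every ssl_protocols directive lives and whether the mounted
# ssl_params file was included at all.

# Read an `nginx -T` dump on stdin and print "<file>: <ssl_protocols line>"
# for each ssl_protocols directive, attributed to the file it came from.
effective_ssl_protocols() {
    awk '
        /^# configuration file / { f = $4; sub(/:$/, "", f); next }
        /^[[:space:]]*ssl_protocols[[:space:]]/ {
            line = $0; sub(/^[[:space:]]+/, "", line)
            print f ": " line
        }
    '
}

# Constructed sample of a dump; the paths are hypothetical container paths.
SAMPLE_DUMP='# configuration file /etc/nginx/nginx.conf:
http {
    include /etc/nginx/conf.d/*.conf;
}
# configuration file /etc/nginx/conf.d/ssl_params:
ssl_protocols TLSv1.2;
# configuration file /etc/nginx/sites-enabled/nextcloud.conf:
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2;
}
'

# Live usage against the running container (container name assumed):
#   docker exec boring-nginx nginx -T 2>/dev/null | effective_ssl_protocols
#
# Then test the handshake for one protocol version directly; the alert name
# tells protocol_version (no common version) apart from handshake_failure
# (version agreed, but no common cipher suite or a certificate problem):
#   openssl s_client -connect cloud.example.org:443 -tls1_2 </dev/null 2>&1 \
#       | grep -E 'Protocol|Cipher|alert'

printf '%s' "$SAMPLE_DUMP" | effective_ssl_protocols
```

On the constructed sample this prints one line per directive, each prefixed with the file it was loaded from; if your mounted /etc/nginx/ssl_params does not show up in the real dump, the include path is the thing to fix, not the protocol list.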

helangen commented 7 years ago

Thanks.

It works on all other browsers that I have tried, both mobile and desktop. IE11 on Win 10 also works fine. I use certs from Let's Encrypt but thought that would work fine. I did think at some point it had to do with this:

http://serverfault.com/questions/741706/bug-with-tls-1-2-in-internet-explorer-11-windows-7

https://blogs.msdn.microsoft.com/friis/2012/08/29/tls-1-2-handshake-failure/

Hence the need to enable TLSv1.

Has anyone come across this?

I would rather not have to enable older protocols but I kinda need NextCloud at work. They block all other clouds and they don't allow other browsers than IE11.

Wonderfall commented 7 years ago

You can always use another image for this, perhaps there are some issues when using nginx in combination with BoringSSL.

helangen commented 7 years ago

Sure, I could try that. Just easy with your image and Let's Encrypt ;)