mozilla / tls-observatory

An observatory for TLS configurations, X509 certificates, and more.
Mozilla Public License 2.0

ssl_prefer_server_ciphers off causes TLS level Non-compliant #394

Open SagePtr opened 5 years ago

SagePtr commented 5 years ago

I have an Intermediate config generated with https://ssl-config.mozilla.org/ (nginx 1.16.1, intermediate config, OpenSSL 1.0.2g):

ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
(and other settings from generated config like session, stapling, dhparams, etc)

But it does not pass the test and I see a purple question mark and a "Non-compliant" level. If I change it to ssl_prefer_server_ciphers on;, it passes the test and marks it as "Intermediate".

Does the https://observatory.mozilla.org/ TLS test contradict the https://ssl-config.mozilla.org/ recommendations?

Which ssl_prefer_server_ciphers should I actually use for Intermediate compatibility level - server preference or client preference?
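An added example (not code from tls-observatory or from this issue) that checks the quoted nginx directives against the Intermediate cipher list above and models TLS 1.2 suite selection under both preference settings; the directive parser and the list check are minimal versions assumed for this example, not the observatory's own evaluation logic:

```go
package main

import "strings"

// IntermediateCiphers is the ssl_ciphers list from the generated config quoted in the issue.
var IntermediateCiphers = strings.Split("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"+
	"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:"+
	"ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384", ":")

// ParseSSLDirectives is a minimal, assumed parser for flat "ssl_* args;" lines (last one wins).
func ParseSSLDirectives(cfg string) map[string][]string {
	out := map[string][]string{}
	for _, line := range strings.Split(cfg, "\n") {
		f := strings.Fields(strings.TrimSuffix(strings.TrimSpace(line), ";"))
		if len(f) > 1 && strings.HasPrefix(f[0], "ssl_") {
			out[f[0]] = f[1:]
		}
	}
	return out
}

// Negotiate models TLS 1.2 suite selection: the preferring side's list is walked in order and
// the first suite the other side also offers wins; "" means nothing is shared.
func Negotiate(server, client []string, preferServer bool) string {
	first, second := client, server
	if preferServer {
		first, second = server, client
	}
	for _, a := range first {
		for _, b := range second {
			if a == b {
				return a
			}
		}
	}
	return ""
}

// OffList returns the configured ciphers missing from the Intermediate list and the preference flag;
// with an empty off list no client ordering can negotiate outside the list, so the flag only picks among approved suites.
func OffList(cfg string) (off []string, preferServer bool) {
	d := ParseSSLDirectives(cfg)
	for _, c := range strings.Split(strings.Join(d["ssl_ciphers"], ""), ":") {
		if c != "" && Negotiate(IntermediateCiphers, []string{c}, true) == "" { // c is not on the list
			off = append(off, c)
		}
	}
	preferServer = strings.Join(d["ssl_prefer_server_ciphers"], "") == "on"
	return off, preferServer
}
```

Running OffList over the quoted config gives an empty off list with the flag off, and Negotiate shows that a constructed client order can only change which of the listed AEAD suites is chosen, never reach one outside it.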

rwky commented 4 years ago

This also drops the grade to B.