
Re: nginx, and cloudflare (and maybe trixie?)



Antonio Russo wrote: 
> In case anyone else is using nginx and cloudflare:
> 
> The documentation for ssl options on your origin server that Cloudflare
> provides [1] indicates that you should use
> 
>  ssl_prefer_server_ciphers on;
> 
> I found that setting this option caused a
> 
>  SSL_do_handshake() failed (SSL: error:????????:SSL routines::bad cipher) while SSL handshaking
> 
> error, at least after upgrading to trixie.  This manifests as a generic 525 error on the browser.
> 
> It's not clear to me what the implications of setting this to "off" are (the default for
> trixie).
> 
> 
> [1] https://developers.cloudflare.com/ssl/origin-configuration/cipher-suites/


It seems likely to me that you should take the error at face
value and check to see whether you are trying for an SSL cipher
that Cloudflare does not support.

The same page states that you should use:

ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES;

Is that what you have?

If it is, and nginx has been restarted, you should report the
issue to Cloudflare.

-dsr-
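One way to do the check -dsr- suggests, as an added example that is not from either poster: take the ssl_ciphers value quoted above and ask the local OpenSSL, through Python's ssl module, which TLS 1.2 suites each colon-separated entry actually resolves to under the system library version and its default security level. An entry that resolves to nothing on the origin cannot be among the suites nginx offers, so the output narrows the string down to the parts that are really in play before you compare them with what Cloudflare supports. The function names, and the deliberately bogus entry appended in the usage note, are mine and not from the Cloudflare page.

```python
import ssl

# The ssl_ciphers value Cloudflare's origin-configuration page recommends,
# copied from the quoted message above.
CLOUDFLARE_CIPHERS = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES"
)


def split_cipher_string(cipher_string: str) -> list[str]:
    """Split an OpenSSL cipher string into its colon-separated entries."""
    return [entry for entry in cipher_string.split(":") if entry]


def resolve_entry(entry: str) -> list[str]:
    """Return the TLS 1.2 (and older) suite names the local OpenSSL maps
    `entry` to, or [] if the library rejects it outright.

    A fresh context per entry keeps one failing entry from influencing the
    others.  TLS 1.3 suites are not governed by ssl_ciphers / set_ciphers,
    so they are filtered out of the result.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(entry)
    except ssl.SSLError:
        # OpenSSL reports "No cipher can be selected" when nothing matches.
        return []
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit_cipher_string(cipher_string: str) -> dict[str, list[str]]:
    """Map every entry of cipher_string to the suites it resolves to locally."""
    return {entry: resolve_entry(entry) for entry in split_cipher_string(cipher_string)}


def unsatisfiable_entries(cipher_string: str) -> list[str]:
    """Entries that resolve to no suite at all on this OpenSSL build/policy."""
    return [
        entry
        for entry, suites in audit_cipher_string(cipher_string).items()
        if not suites
    ]


if __name__ == "__main__":
    # Run this on the origin host: the result reflects that host's OpenSSL
    # and its openssl.cnf defaults (e.g. the default SECLEVEL), which is what
    # nginx links against as well.
    print(f"OpenSSL: {ssl.OPENSSL_VERSION}")
    for entry, suites in audit_cipher_string(CLOUDFLARE_CIPHERS).items():
        status = ", ".join(suites) if suites else "NO MATCHING SUITE"
        print(f"{entry:32} -> {status}")
    dead = unsatisfiable_entries(CLOUDFLARE_CIPHERS)
    print("unsatisfiable entries:", dead or "none")
```

Run it once on the origin and once, if you can, on the trixie host that started failing; the difference between the two lists is the set of entries whose availability changed with the upgrade, and those are the ones to compare against Cloudflare's documented list.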

