NGINX-1.5.10 フロントXXX.CONF設定、バックエンドXXX.CONF設定

2台構成のNginxのリバースプロキシのConfの設定をしました。WordPress,SSLを考慮しています。SPDY3.1も使用できました。

■フロント側 192.xxx.xxx105

/etc/nginx/nginx.conf
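# Front-end (reverse proxy) main configuration.
# The page rendering turned quotes and dashes into typographic characters;
# they are restored to plain ASCII here so nginx parses the strings as intended.
user nginx;
worker_processes 2;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # The last field is the X-Forwarded-For header exactly as the client sent
    # it, so treat that log column as unverified input.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    #tcp_nopush on;

    keepalive_timeout 65;

    #gzip on;
    gzip on;
    gzip_types text/plain
               text/xml
               text/css
               text/javascript
               image/x-icon
               application/xml
               application/rss+xml
               application/json
               application/x-javascript;
    gzip_disable "MSIE [1-6]\.";
    gzip_disable "Mozilla/4";

    # Tokens and header handling: do not advertise the nginx version, and
    # ignore request header fields with invalid names.
    server_tokens off;
    ignore_invalid_headers on;

    # Proxy settings.
    # The page lists the directives below under the file name
    # /etc/nginx/conf.d/proxy.conf. Keep them in exactly one place: a copy in
    # conf.d/ is loaded again by the include at the end of this block, and
    # directives such as proxy_cache_path must not be declared twice.
    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=czone:4m max_size=50m inactive=120m;
    proxy_temp_path /var/tmp/nginx;
    proxy_cache_key "$scheme://$host$request_uri";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    # $proxy_add_x_forwarded_for appends this hop to whatever X-Forwarded-For
    # value the client supplied; the back-end should rely on X-Real-IP or on
    # the last entry only, and only for connections coming from this proxy.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # Load the per-site configuration files.
    include /etc/nginx/conf.d/*.conf;
}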

=============================

/etc/nginx/conf.d/virtual.conf
# Origin pool used by every proxy_pass on the front-end. Only one server is
# listed, and it is addressed over plain HTTP on port 8080, so requests that
# arrived over HTTPS travel unencrypted on this hop.
upstream backend {
# ip_hash pins a client address to one server; with a single server in the
# pool it has no visible effect.
ip_hash;
server 192.XXX.XXX.110:8080;
}

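# Permanent redirect of the old host name to the proxy host name.
# The page's rewrite line had a replacement but no match pattern, which nginx
# rejects; "return 301" expresses the same redirect without a regex.
# $request_uri already carries the query string, so nothing is appended twice.
server {
    server_name xxx.xxxxx.jp;
    return 301 http://proxy.xxxxxxxx.jp$request_uri;
}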

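# Front-end HTTP virtual host: proxies WordPress to the back-end and caches
# cacheable GET responses in the "czone" zone.
server {
    listen 80;
    server_name xxxx.xxxx.jp;
    root /var/www/html/xxxxx;

    access_log /var/log/nginx/access.log main;
    # NOTE(review): "debug" only produces extra output on an nginx binary
    # built with debugging support, and that output can include request
    # headers such as cookies. Prefer "warn" outside of troubleshooting.
    error_log /var/log/nginx/error.log debug;

    client_max_body_size 36M;
    port_in_redirect off;

    # Never serve dot-files (.htaccess, .git, ...) from the front-end.
    location ~ /\. { deny all; access_log off; log_not_found off; }
    location = /robots.txt { access_log off; log_not_found off; }
    location = /favicon.ico { access_log off; log_not_found off; }

    # Admin pages, PHP and static assets go to the back-end without caching.
    location /wp-admin { proxy_pass http://backend; }
    location ~ .*\.php { proxy_pass http://backend; }
    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        log_not_found off;
        proxy_pass http://backend;
    }

    location / {
        # Device class, appended to the cache key so that mobile and desktop
        # renderings are stored separately. The user-agent pattern was split
        # across lines on the page ("Xiin/o", "conve/rter"); it is rejoined here.
        set $mobile "";
        if ($http_user_agent ~* '(DoCoMo|J-PHONE|Vodafone|MOT-|UP\.Browser|DDIPOCKET|ASTEL|PDXGW|Palmscape|Xiino|sharp pda browser|Windows CE|L-mode|WILLCOM|SoftBank|Semulator|Vemulator|J-EMULATOR|emobile|mixi-mobile-converter)') {
            set $mobile "@ktai";
        }
        if ($http_user_agent ~* '(iPhone|iPod|Opera Mini|Android.*Mobile|NetFront|PSP|BlackBerry)') {
            set $mobile "@mobile";
        }

        # Cache decision. The default must be assigned BEFORE the checks: the
        # page reset $do_not_cache to 0 after the cookie test, which discarded
        # the result for logged-in users, commenters and password-protected posts.
        set $do_not_cache 0;
        if ($http_cookie ~* "comment_author_|wordpress_(?!test_cookie)|wp-postpass_") {
            set $do_not_cache 1;
        }
        if ($request_method != GET) {
            set $do_not_cache 1;
        }
        # Dot escaped so that only a real file extension matches.
        if ($uri !~* "\.(jpg|png|gif|jpeg|css|js|swf|pdf|html|htm)$") {
            set $do_not_cache 1;
        }

        # Caching
        proxy_no_cache $do_not_cache;
        proxy_cache_bypass $do_not_cache;
        proxy_cache czone;
        proxy_cache_key "$scheme://$host$request_uri$is_args$args$mobile";
        proxy_cache_valid 200 301 302 60m;
        proxy_cache_valid 404 5m;
        proxy_cache_use_stale error timeout invalid_header updating
                              http_500 http_502 http_503 http_504;
        # The page pointed this one proxy_pass at "ssmg", which is not defined
        # anywhere in the listing; every other location uses the "backend" upstream.
        proxy_pass http://backend;

        proxy_redirect off;
    }
}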

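# Front-end HTTPS/SPDY virtual host: terminates TLS and proxies to the
# back-end over plain HTTP.
server {
    listen 443 ssl spdy;
    server_name proxy-wp.ssmg.jp;
    root /var/www/html/proxy-wp;
    client_max_body_size 36M;

    # Certificate and private key. The key file should be readable by root only.
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    ssl_session_timeout 5m;
    # SSLv2 and SSLv3 are removed: both protocols are broken and must not be
    # offered. TLSv1 and TLSv1.1 are deprecated as well; drop them too once
    # the clients that still need them are gone.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # NOTE(review): the "openssl ciphers" listing further down the page shows
    # that this string still admits 3DES and static-RSA suites; tighten it if
    # the client base allows.
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # Tell the browser we do SPDY.
    # NOTE(review): the header advertises spdy/2 while the page text says
    # SPDY 3.1 is in use; confirm the advertised value.
    add_header Alternate-Protocol 443:npn-spdy/2;

    # SPDY tuning
    spdy_max_concurrent_streams 50;
    spdy_streams_index_size 32;
    spdy_recv_timeout 5s;
    spdy_keepalive_timeout 15s;
    # NOTE(review): level 9 compresses response headers at maximum effort.
    # Compressing secrets together with attacker-influenced data is the
    # precondition for CRIME-style attacks; confirm this setting is wanted.
    spdy_headers_comp 9;

    location / {
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # $mobile is part of the cache key below but was never assigned in
        # this server block; give it an explicit empty value so the key is
        # well defined and nginx does not log an uninitialized variable.
        set $mobile "";

        # Caching. Unlike the port-80 block, this location also receives
        # /wp-admin and PHP requests, so bypass the cache for visitors that
        # carry WordPress session, comment or post-password cookies.
        set $do_not_cache 0;
        if ($http_cookie ~* "comment_author_|wordpress_(?!test_cookie)|wp-postpass_") {
            set $do_not_cache 1;
        }
        if ($request_method != GET) {
            set $do_not_cache 1;
        }
        # Dot escaped so that only a real file extension matches.
        if ($uri !~* "\.(jpg|png|gif|jpeg|css|js|swf|pdf|html|htm)$") {
            set $do_not_cache 1;
        }
        proxy_no_cache $do_not_cache;
        proxy_cache_bypass $do_not_cache;
        proxy_cache czone;
        proxy_cache_key "$scheme://$host$request_uri$is_args$args$mobile";
        proxy_cache_valid 200 301 302 60m;
        proxy_cache_valid 404 5m;
        proxy_cache_use_stale error timeout invalid_header updating
                              http_500 http_502 http_503 http_504;
        proxy_pass http://backend;
    }
}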

■バックエンド側 192.XXX.XXX110
/etc/nginx/nginx.conf
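# Back-end (WordPress / PHP-FPM host) main configuration.
# Fixes against the page listing: "ser" -> "user", ASCII quotes and dashes
# restored, the http block closed, and the Atom MIME type spelled
# "application/atom+xml".
user nginx;
worker_processes 2;

# NOTE(review): "debug" only produces extra output on an nginx binary built
# with debugging support, and that output can include request headers such as
# cookies. Prefer "warn" outside of troubleshooting.
error_log /var/log/nginx/error.log debug;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # $remote_addr here is the front-end proxy; the original client address
    # arrives only in the X-Forwarded-For / X-Real-IP headers that the
    # front-end sets.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;

    #keepalive_timeout 0;
    keepalive_timeout 30;

    # gzip compression
    gzip on;
    gzip_http_version 1.0;
    gzip_vary on;
    gzip_comp_level 6;
    gzip_types text/xml text/css application/xhtml+xml application/xml application/rss+xml application/atom+xml application/x-javascript application/x-httpd-php;
    gzip_disable "MSIE [1-6]\.";

    # Reverse-proxy settings.
    # NOTE(review): the server block shown for this host only uses
    # fastcgi_pass, so these proxy_* settings appear to be unused here; confirm
    # before keeping them.
    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=czone:4m max_size=50m inactive=120m;
    proxy_temp_path /var/lib/nginx/tmp;
    proxy_cache_key "$scheme://$host$request_uri";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    include /etc/nginx/conf.d/*.conf;
}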

=============================

/etc/nginx/conf.d/virtul.conf
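# Back-end virtual host: serves WordPress static files directly and hands PHP
# to PHP-FPM over a unix socket.
# NOTE(review): this listener accepts connections on port 8080 from any
# address. Only the front-end proxy needs to reach it, so restrict it to that
# host with a firewall rule or allow/deny.
server {
    listen 8080;
    server_name xxxxx.xxxxx.jp;
    root /var/www/html/xxxxx;

    access_log /var/log/nginx/access.log main;
    # NOTE(review): see the note on debug logging; prefer "warn" in production.
    error_log /var/log/nginx/error.log debug;
    client_max_body_size 36M;

    # Deny .ht*, .git and .svn paths. Regex locations are tried in file
    # order, so this block is placed before the PHP location; otherwise a
    # path under .git or .svn ending in ".php" would be handed to PHP-FPM
    # instead of being denied.
    location ~ (\.ht|\.git|\.svn) {
        deny all;
    }

    location / {
        index index.php index.html index.htm;
        # static files
        if (-f $request_filename) {
            expires 14d;
            break;
        }
        # Everything that is not an existing file or directory goes to
        # WordPress' front controller.
        if (!-e $request_filename) {
            rewrite ^(.+)$ /index.php?q=$1 last;
        }
    }

    location ~ \.php$ {
        # Only pass scripts that exist on disk. Without this check a request
        # such as /uploads/file.jpg/x.php reaches PHP-FPM, which, depending on
        # its path-info settings, may execute the uploaded file as PHP.
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        expires 2h;
    }
}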

※SPDYの設定は、80のほうには 設定できない
※リバースプロキシ 80 → 8080  443 → 8080

OPENSSL-1.0.1G のインストール & 自己認証局

先日、OpenSSLに発覚した「Heartbleed」と呼ばれる重大な脆弱性に対応する為、OpenSSL-1.0.1f からOpenSSL-1.0.1g へUPDATEしました。なお、脆弱なバージョンで運用していた間に秘密鍵が漏えいしている可能性があるため、更新後は鍵と証明書の再発行も必要です。

>ダウンロード&Make場所へ移動
# cd /usr/local/src/

>最新OpenSSLをダウンロード
# wget https://www.openssl.org/source/openssl-1.0.1g.tar.gz
※展開・ビルドの前に、配布元が公開しているチェックサムや署名とダウンロードしたファイルを照合しておく

>解凍
# tar -xzf openssl-1.0.1g.tar.gz

>移動
# cd ./openssl-1.0.1g

>config, make, make install
# ./config --prefix=/usr --openssldir=/etc/ssl --libdir=lib shared zlib-dynamic
# make
# make install

インストール後のバージョン確認
# openssl
OpenSSL> version
OpenSSL 1.0.1g 7 Apr 2014

※makeでエラー その対応
c_zlib.c: In function ‘bio_zlib_ctrl’:
c_zlib.c:725: error: ‘BIO_ZLIB_CTX’ has no member named ‘ocount’
c_zlib.c:726: error: ‘BIO_ZLIB_CTX’ has no member named ‘odone’
c_zlib.c:765: error: ‘BIO_ZLIB_CTX’ has no member named ‘obuf’
c_zlib.c:767: error: ‘BIO_ZLIB_CTX’ has no member named ‘obuf’
c_zlib.c:768: error: ‘BIO_ZLIB_CTX’ has no member named ‘obuf’
c_zlib.c:770: error: ‘BIO_ZLIB_CTX’ has no member named ‘obufsize’
make[2]: *** [c_zlib.o] エラー 1
make[2]: ディレクトリ `/usr/local/src/openssl/openssl-1.0.1g/crypto/comp’ から出ます
make[1]: *** [subdirs] エラー 1
make[1]: ディレクトリ `/usr/local/src/openssl/openssl-1.0.1g/crypto’ から出ます
make: *** [build_crypto] エラー 1

# yum install zlib-* で解決
installing:
zlib-devel x86_64 1.2.3-29.el6 base 44 k
zlib-static x86_64 1.2.3-29.el6 base 52 k

自己認証局

# cd /etc/pki/tls
# cp -p openssl.cnf openssl.cnf.org  (デフォルトのファイルをコピーしておく)
※openssl.cnf ファイルは2つ存在しており多少違いがあります。
”./CA -newca”の実行時にopenssl-1.0.1fの時には、発生しなかったエラーが発生します。
2つのバックアップをとり、 /etc/pki/tls/openssl.cnf を以下の通り編集し
/etc/ssl/openssl.cnf にコピーして対応しました

>openssl.cnf の修正
# /etc/pki/tls/openssl.cnf
[ req ]
default_bits = 2048

[ req_distinguished_name ]
countryName_default = JP

[ usr_cert ]
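basicConstraints=CA:TRUE (CA証明書の発行)
nsCertType = server (サーバ証明書の作成)   ←コメント解除
※注意: [ usr_cert ] は「openssl ca」で署名する証明書に適用されるセクションなので、ここを CA:TRUE にすると、発行したサーバ証明書自体がCAとして他の証明書に署名できる状態になる(後述の署名結果でも Basic Constraints が CA:TRUE になっている)。サーバ証明書だけを発行する用途なら CA:FALSE のままにしておく。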

[ v3_ca ]
nsCertType = sslCA, emailCA      ←コメント解除

> CAスクリプトの修正
# cd /etc/pki/tls/misc
# cp -p CA CA.org
# vi CA
以下の有効期間を任意の日数に変更
if [ -z "$DAYS" ] ; then DAYS="-days 3650" ; fi # 10 year
CADAYS="-days 7300" # 20 years

>デフォルトのフォルダを待避して空ディレクトリを作成
# cd ../../
# mv CA CA.org
# mkdir CA
※失敗した場合は、CAフォルダを再作成。

> CA作成スクリプトを実行
# cd ./tls/misc
# ./CA -newca
CA certificate filename (or enter to create)
(ファイル名は空のまま[Enter])
Making CA certificate …
Generating a 2048 bit RSA private key
….+++
………………………………..+++
writing new private key to ‘/etc/pki/CA/private/./cakey.pem’
Enter PEM pass phrase: (パスフレーズを入力)
Verifying – Enter PEM pass phrase: (パスフレーズを入力)
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [JP]: JP (国名)
State or Province Name (full name) []:XXXXXX(都道府県)
Locality Name (eg, city) [Default City]:XXXXXXX(市区町村)
Organization Name (eg, company) [Default Company Ltd]:XXXX(組織)
Organizational Unit Name (eg, section) []:(部門)
Common Name (eg, your name or your server’s hostname) []:*.XXXXX.XX (ホスト名等)⇒ ワイルドカード指定
Email Address []:(何も入力せず[Enter])

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:(何も入力せず[Enter])
An optional company name []:(何も入力せず[Enter])
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:(最初に入力したパスフレーズ)
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 9646386112852737689 (0x85ded90f96d93e99)
Validity
Not Before: Apr 4 11:06:24 2014 GMT
Not After : Mar 30 11:06:24 2034 GMT
Subject:
countryName = JP
stateOrProvinceName = XXXXXX
organizationName = XXXX
commonName = *.XXX.XXX ⇒ ワイルドカード指定 
X509v3 extensions:
X509v3 Subject Key Identifier:
C6:FD:32:42:E7:51:EF:4C:1B:AC:F8:B0:94:D1:6D:B4:DA:AA:7D:47
X509v3 Authority Key Identifier:
keyid:C6:FD:32:42:E7:51:EF:4C:1B:AC:F8:B0:94:D1:6D:B4:DA:AA:7D:47

X509v3 Basic Constraints:
CA:TRUE
Netscape Cert Type:
SSL CA, S/MIME CA
Certificate is to be certified until Mar 30 11:06:24 2034 GMT (7300 days)

Write out database with 1 new entries
Data Base Updated

>ブラウザ用のCA証明書を作成
# cd ../../CA/private/
# chmod 0600 cakey.pem
# openssl x509 -inform PEM -outform DER -in ../cacert.pem -out ../cacert.der

>”cacert.pem”と”cacert.der”があることを確認
# ls -l /etc/pki/CA

>証明書要求(CSR)を作成
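# cd /tmp (適当なディレクトリへ移動するか新規作成。/tmp は他のユーザーからも参照できるため、秘密鍵を扱う場合は root のみがアクセスできるディレクトリを新規作成するほうが安全)
# openssl md5 * > rand.dat (乱数ファイルを作成。ファイルのMD5値を並べただけの内容は推測可能なので、乱数源としての効果はほとんど期待できない)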
# openssl genrsa -rand rand.dat -des3 2048 > key.pem (秘密鍵を作成)
48 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
………………………………………………………………………………………+++
…………………..+++
e is 65537 (0x10001)
Enter pass phrase:(パスフレーズを入力)
Verifying – Enter pass phrase:(パスフレーズを入力)

# openssl req -new -key key.pem -out server.csr  (CSRを作成)
Enter pass phrase for key.pem:(使用した秘密鍵のパスフレーズを入力)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [JP]: JP (国名)
State or Province Name (full name) []:XXXXXX(都道府県)
Locality Name (eg, city) [Default City]:XXXXXXX(市区町村)
Organization Name (eg, company) [Default Company Ltd]:XXXX(組織)
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server’s hostname) []:*.XXXXX.XX (ホスト名等)⇒ ワイルドカード指定
Email Address []:(何も入力せず[Enter])

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:(何も入力せず[Enter])
An optional company name []:(何も入力せず[Enter])

>”key.pem”と”server.csr”ができていることを確認
# ls -l

>自己認証局で署名
# cd /etc/pki/tls/misc/
# openssl ca -out /var/tmp/cert.pem -infiles /var/tmp/server.csr
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem::(パスフレーズを入力)
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 9646386112852737690 (0x85ded90f96d93e9a)
Validity
Not Before: Apr 4 11:39:25 2014 GMT
Not After : Apr 4 11:39:25 2015 GMT
Subject:
countryName = JP
stateOrProvinceName = Kanagawa
organizationName = Axel
commonName = *.ecoya.jp
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
80:17:82:6F:AE:A1:9E:CC:A4:F2:D0:C0:E5:C3:42:6C:8B:4A:7E:AC
X509v3 Authority Key Identifier:
keyid:C6:FD:32:42:E7:51:EF:4C:1B:AC:F8:B0:94:D1:6D:B4:DA:AA:7D:47

Certificate is to be certified until Apr 4 11:39:25 2015 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

> ls -l /tmp
“cert.pem”ができていることを確認
※”cert.pem”と”key.pem”をペアで使用

>補足1
サーバ証明書と秘密鍵を使用する時に、Webサーバ起動時に秘密鍵のパスフレーズ入力しない設定
# cd /tmp
# openssl rsa -in key.pem -out key.pem.nopassword
Enter pass phrase for key.pem:(パスフレーズを入力)
writing RSA key
※作成した”key.pem.nopassword”を”key.pem”の代わりに使用する。パスフレーズで保護されなくなるため、ファイルの所有者を root、パーミッションを 0600 にして他のユーザーから読めないようにしておく

>補足2
サーバ証明書をWindows(IIS等)で使用するために変換する
# openssl pkcs12 -export -in cert.pem -inkey key.pem -out cert.p12
※ここで作成された”cert.p12″をMMCの証明書スナップインでインポート
(合わせて[信頼されたルート証明機関]にはCA証明書”cacert.pem”をインポート)

>補足3
署名時にエラーが出る場合
# openssl ca -out /var/tmp/cert.pem -infiles /var/tmp/server.csr
~ 省略 ~
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
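※このエラーが出る場合、以前発行した証明要求の失効処理をする
※TXT_DB error number 2 は、同じサブジェクト(DN)の証明書がCAのデータベース(index.txt)に既に登録されている場合に出る。下の例で失効させているシリアル番号 85DED90F96D93E99 は、上の「./CA -newca」の出力にあるCA証明書自身のシリアル番号と同じである。CA証明書とサーバ証明書のサブジェクトが重ならないよう、CAには別のCommon Nameを付けておけば、この失効処理は不要になると思われる。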

# openssl ca -revoke /etc/pki/CA/newcerts/85DED90F96D93E99.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:(パスフレーズを入力)
Revoking Certificate 85DED90F96D93E99.
Data Base Updated

補足4
“openssl ciphers cipherlist ‘暗号スイートのリスト’ -v”コマンドで利用できる暗号スイートの一覧を表示
# openssl ciphers cipherlist 'HIGH:!aNULL:!MD5' -v
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
SRP-DSS-AES-256-CBC-SHA SSLv3 Kx=SRP Au=DSS Enc=AES(256) Mac=SHA1
SRP-RSA-AES-256-CBC-SHA SSLv3 Kx=SRP Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-DSS-AES256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256) Mac=SHA256
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(256) Mac=SHA1
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA384
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA384
ECDH-RSA-AES256-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA1
ECDH-ECDSA-AES256-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA1
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
PSK-AES256-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(256) Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA1
SRP-DSS-3DES-EDE-CBC-SHA SSLv3 Kx=SRP Au=DSS Enc=3DES(168) Mac=SHA1
SRP-RSA-3DES-EDE-CBC-SHA SSLv3 Kx=SRP Au=RSA Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
ECDH-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
PSK-3DES-EDE-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=3DES(168) Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
ECDHE-ECDSA-AES128-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
SRP-DSS-AES-128-CBC-SHA SSLv3 Kx=SRP Au=DSS Enc=AES(128) Mac=SHA1
SRP-RSA-AES-128-CBC-SHA SSLv3 Kx=SRP Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
DHE-DSS-AES128-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(128) Mac=SHA256
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(128) Mac=SHA1
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA256
ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA256
ECDH-RSA-AES128-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA1
ECDH-ECDSA-AES128-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA1
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
PSK-AES128-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(128) Mac=SHA1
