Prefer ECDSA certificates over RSA if both are present

Previously it was prefering RSA certificates over ECDSA certificates as the cipher ordering when not specifying them directly was in that order.

This made the ECDSA certificate never be used if the client user-agent supported RSA certificates.

Author: andytson-inviqa

nginx/README.md

@@ -73,7 +73,7 @@ WEB_HTTPS_OFFLOADED | Whether the HTTPS traffic has been forwarded without SSL t
 WEB_HTTPS_ONLY      | Whether to redirect all HTTP traffic to HTTPS | true/false | $WEB_HTTPS (deprecated: if $WEB_HTTPS=true then false)
 WEB_RESOLVER        | DNS resolver for proxy_pass and ssl_stapling_verify | ip address |
 WEB_REVERSE_PROXIED | Whether to interpret X-Forwarded-Proto as the $custom_scheme and $custom_https emulation. | true/false | true
-WEB_SSL_CIPHERS | The enabled SSL/TLS server ciphers | the format understood by the OpenSSL library | ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:${SSL_CIPHERS_3DES_DH}:${SSL_CIPHERS_ROBOT}:!aNULL:!MD5:!DSS
+WEB_SSL_CIPHERS | The enabled SSL/TLS server ciphers | the format understood by the OpenSSL library | ECDH+ECDSA+AESGCM:ECDH+aRSA+AESGCM:DH+AESGCM:ECDH+ECDSA+AES256:ECDH+aRSA+AES256:DH+AES256:ECDH+ECDSA+AES128:ECDH+aRSA+AES128:DH+AES:${SSL_CIPHERS_3DES_DH}:${SSL_CIPHERS_ROBOT}:!aNULL:!MD5:!DSS
 WEB_SSL_CIPHERS_3DES_FIX | Whether to disable 3DES ciphers found weak | true/false | false
 WEB_SSL_CIPHERS_ROBOT_FIX | Whether to disable RSA encryption ciphers found weak (ROBOT) | true/false | false
 WEB_SSL_FULLCHAIN | The location of the SSL certificate and intermediate chain file | absolute filename | /etc/ssl/certs/fullchain.pem

nginx/usr/local/share/env/40-stack

@@ -39,7 +39,7 @@ else
   SSL_CIPHERS_ROBOT="RSA+AESGCM:RSA+AES:${SSL_CIPHERS_3DES_RSA}"
 fi
 
-DEFAULT_SSL_CIPHERS="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:${SSL_CIPHERS_3DES_DH}:${SSL_CIPHERS_ROBOT}:!aNULL:!MD5:!DSS"
+DEFAULT_SSL_CIPHERS="ECDH+ECDSA+AESGCM:ECDH+aRSA+AESGCM:DH+AESGCM:ECDH+ECDSA+AES256:ECDH+aRSA+AES256:DH+AES256:ECDH+ECDSA+AES128:ECDH+aRSA+AES128:DH+AES:${SSL_CIPHERS_3DES_DH}:${SSL_CIPHERS_ROBOT}:!aNULL:!MD5:!DSS"
 
 export WEB_SSL_CIPHERS=${WEB_SSL_CIPHERS:-$DEFAULT_SSL_CIPHERS}
 export WEB_SSL_FULLCHAIN=${WEB_SSL_FULLCHAIN:-/etc/ssl/certs/fullchain.pem}

php/apache/README.md

@@ -127,7 +127,7 @@ WEB_HTTPS_OFFLOADED | Whether the HTTPS traffic has been forwarded without SSL t
 WEB_HTTPS_ONLY      | Whether to redirect all HTTP traffic to HTTPS | true/false | $WEB_HTTPS (deprecated: if $WEB_HTTPS=true then false)
 WEB_INCLUDES | A space separated list of files in /etc/apache2/sites-enabled/ to include. ".conf" will be appended automatically. Globs are accepted. | space separated list of partial file names | 000-default-*
 WEB_REVERSE_PROXIED | Whether to interpret X-Forwarded-Proto as the $custom_scheme and $custom_https emulation. | true/false | true
-WEB_SSL_CIPHERS | The enabled SSL/TLS server ciphers | the format understood by the OpenSSL library | ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:${SSL_CIPHERS_3DES_DH}:${SSL_CIPHERS_ROBOT}:!aNULL:!MD5:!DSS
+WEB_SSL_CIPHERS | The enabled SSL/TLS server ciphers | the format understood by the OpenSSL library | ECDH+ECDSA+AESGCM:ECDH+aRSA+AESGCM:DH+AESGCM:ECDH+ECDSA+AES256:ECDH+aRSA+AES256:DH+AES256:ECDH+ECDSA+AES128:ECDH+aRSA+AES128:DH+AES:${SSL_CIPHERS_3DES_DH}:${SSL_CIPHERS_ROBOT}:!aNULL:!MD5:!DSS
 WEB_SSL_CIPHERS_3DES_FIX | Whether to disable 3DES ciphers found weak | true/false | false
 WEB_SSL_CIPHERS_ROBOT_FIX | Whether to disable RSA encryption ciphers found weak (ROBOT) | true/false | false
 WEB_SSL_FULLCHAIN | The location of the SSL certificate and intermediate chain file | absolute filename | /etc/ssl/certs/fullchain.pem

php/nginx/README.md

@@ -134,7 +134,7 @@ WEB_HTTPS_ONLY      | Whether to redirect all HTTP traffic to HTTPS | true/false
 WEB_HTTP2_TLS | Whether to enable HTTP2 over TLS on HTTPS port. If WEB_HTTPS_OFFLOADED enabled then this is ignored as TLS is not used | true/false | true
 WEB_HTTP2_PLAINTEXT_NONBC | Whether to enable HTTP2 over plaintext on HTTP port (or HTTPS if WEB_HTTPS_OFFLOADED enabled). Nginx doesn't support h2c for plain HTTP protocol so will not support HTTP 1.1/1.0 if enabled | true/false | false
 WEB_REVERSE_PROXIED | Whether to interpret X-Forwarded-Proto as the $custom_scheme and $custom_https emulation. | true/false | true
-WEB_SSL_CIPHERS | The enabled SSL/TLS server ciphers | the format understood by the OpenSSL library | ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:${SSL_CIPHERS_3DES_DH}:${SSL_CIPHERS_ROBOT}:!aNULL:!MD5:!DSS
+WEB_SSL_CIPHERS | The enabled SSL/TLS server ciphers | the format understood by the OpenSSL library | ECDH+ECDSA+AESGCM:ECDH+aRSA+AESGCM:DH+AESGCM:ECDH+ECDSA+AES256:ECDH+aRSA+AES256:DH+AES256:ECDH+ECDSA+AES128:ECDH+aRSA+AES128:DH+AES:${SSL_CIPHERS_3DES_DH}:${SSL_CIPHERS_ROBOT}:!aNULL:!MD5:!DSS
 WEB_SSL_CIPHERS_3DES_FIX | Whether to disable 3DES ciphers found weak | true/false | false
 WEB_SSL_CIPHERS_ROBOT_FIX | Whether to disable RSA encryption ciphers found weak (ROBOT) | true/false | false
 WEB_SSL_FULLCHAIN | The location of the SSL certificate and intermediate chain file | absolute filename | /etc/ssl/certs/fullchain.pem

php/shared/usr/local/share/env/40-stack

@@ -71,7 +71,7 @@ else
   SSL_CIPHERS_ROBOT="RSA+AESGCM:RSA+AES:${SSL_CIPHERS_3DES_RSA}"
 fi
 
-DEFAULT_SSL_CIPHERS="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:${SSL_CIPHERS_3DES_DH}:${SSL_CIPHERS_ROBOT}:!aNULL:!MD5:!DSS"
+DEFAULT_SSL_CIPHERS="ECDH+ECDSA+AESGCM:ECDH+aRSA+AESGCM:DH+AESGCM:ECDH+ECDSA+AES256:ECDH+aRSA+AES256:DH+AES256:ECDH+ECDSA+AES128:ECDH+aRSA+AES128:DH+AES:${SSL_CIPHERS_3DES_DH}:${SSL_CIPHERS_ROBOT}:!aNULL:!MD5:!DSS"
 
 export WEB_SSL_CIPHERS=${WEB_SSL_CIPHERS:-$DEFAULT_SSL_CIPHERS}
 export WEB_SSL_FULLCHAIN=${WEB_SSL_FULLCHAIN:-/etc/ssl/certs/fullchain.pem}