Today EngineYard reminded me that SHA-1 signed SSL certs will get a red X across the lock in Chrome version 42, which will be released in the next few weeks.

So I double-checked my sites to make sure they were fine, but I found out...

Shit! Obsolete cryptography...
Hmm, wait, our sites are using a wildcard SSL cert. The other servers are using the same private/public key pair. Let me check the other server.

Oops, the other server is fine. That means the problem is not the cert, but the server config?!

The first one is using Nginx, and the second one is using AWS ELB.

We are using a predefined policy from AWS, which should be good.

Googling again and again, most of the up-to-date Nginx config tutorials told me to set ssl_ciphers like this:

```nginx
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
```

However, Chrome showed me that this is obsolete cryptography, SHA-1 signed...

Luckily, from one of the tutorials, I found a link to the Mozilla wiki, where there is a more complete config for Apache, Nginx, and other servers. Following that wiki, I changed the Nginx config to:

```nginx
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
```

Running `/etc/init.d/nginx configtest` reported no problems, so I restarted Nginx.
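A quick way to see why the short tutorial string drew Chrome's "obsolete cryptography" label, and to check a cipher list before restarting Nginx, is to ask the local OpenSSL what the string actually expands to and then grade each suite by the two properties Chrome was judging: forward secrecy (an ECDHE or DHE key exchange) and an AEAD cipher (GCM, CHACHA20 or CCM) instead of CBC with an HMAC. That label is about the negotiated cipher suite, not the SHA-1 signature on the certificate, which is a separate check (see the note after the code). The script below is an added example, not code from the original post or from the Mozilla wiki; the suite names and the classification rules are standard OpenSSL naming, the `AES256+EECDH:AES256+EDH:!aNULL` string is the one quoted in this post, and `probe()` is an extra network helper that is not exercised offline. My reading of what happened here (not stated on the page) is that `AES256+EECDH` selects the AES-256-GCM suites first but also the AES-256-CBC ones, and a client that does not offer AES-256-GCM falls through to a CBC suite such as `ECDHE-RSA-AES256-SHA`, which Chrome reported as obsolete.

```python
"""Grade an nginx ssl_ciphers value the way Chrome 42 graded a connection.

Example code added to this post; uses only the Python standard library and the
local OpenSSL build that Python links against.
"""
import socket
import ssl

# Markers found in OpenSSL suite names for AEAD ciphers and for ephemeral key exchange.
AEAD_MARKERS = ("-GCM-", "-CHACHA20-", "-CCM")
FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "EECDH-")  # EDH-/EECDH- are older spellings

# The string quoted in this post, and a constructed short list mimicking the
# head and tail of the Mozilla "intermediate" list (GCM first, 3DES last).
BLOG_STRING = "AES256+EECDH:AES256+EDH:!aNULL"
SAMPLE_INTERMEDIATE = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!RC4"


def is_forward_secret(name: str) -> bool:
    """TLS 1.3 suites (TLS_*) are always (EC)DHE; older suites say so in the name."""
    return name.startswith("TLS_") or name.startswith(FORWARD_SECRET_PREFIXES)


def is_aead(name: str) -> bool:
    """TLS 1.3 suites are AEAD-only; older suites need GCM/CHACHA20/CCM in the name."""
    return name.startswith("TLS_") or any(m in name for m in AEAD_MARKERS)


def verdict(name: str) -> str:
    """Return 'modern' or 'obsolete: <reasons>' for one OpenSSL-style suite name."""
    reasons = []
    if any(bad in name for bad in ("RC4", "DES", "MD5", "NULL", "EXP")):
        reasons.append("broken or weak primitive")
    if not is_forward_secret(name):
        reasons.append("no forward secrecy")
    if not is_aead(name):
        reasons.append("non-AEAD (CBC with HMAC-SHA1/SHA256)")
    return "modern" if not reasons else "obsolete: " + ", ".join(reasons)


def parse_cipher_string(spec: str) -> list:
    """Split an ssl_ciphers value into its positive tokens, dropping '!' exclusions."""
    return [t for t in spec.strip("'\"").split(":") if t and not t.startswith("!")]


def expand_cipher_string(spec: str) -> list:
    """Suite names the local OpenSSL selects for this string, in preference order.

    TLS 1.3 suites are configured separately (ssl_conf_command / TLS1.3 list),
    so they are filtered out to show only what ssl_ciphers controls.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")]


def audit(spec: str) -> dict:
    """Map every suite the string selects to its verdict."""
    return {name: verdict(name) for name in expand_cipher_string(spec)}


def first_obsolete(spec: str) -> str:
    """First suite in preference order that a client could be pushed onto and
    that Chrome would label obsolete; '' if the whole list is modern."""
    for name in expand_cipher_string(spec):
        if verdict(name) != "modern":
            return name
    return ""


def probe(host: str, port: int = 443) -> dict:
    """Network helper (not run offline): what a current client negotiates with a
    live server. Note the result says nothing about the certificate's
    signature algorithm; check that with openssl x509 as described below."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, proto, _bits = tls.cipher()
            subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
            return {"cipher": name, "protocol": proto,
                    "verdict": verdict(name), "subject": subject}


if __name__ == "__main__":
    for spec in (BLOG_STRING, SAMPLE_INTERMEDIATE):
        print(spec)
        for name, grade in audit(spec).items():
            print(f"  {name:32} {grade}")
        print("  first obsolete fallback:", first_obsolete(spec) or "(none)")
```

Two caveats for the practitioner. First, the Mozilla list deliberately keeps CBC suites and `DES-CBC3-SHA` at the tail for old clients, so the order only protects modern browsers if Nginx is also told to honour it with `ssl_prefer_server_ciphers on;`, which the Mozilla wiki config sets alongside `ssl_ciphers`. Second, none of this inspects the certificate signature that the Chrome 42 notice was really about; for that, run `openssl s_client -connect host:443 -servername host </dev/null | openssl x509 -noout -text | grep 'Signature Algorithm'` and look for `sha256WithRSAEncryption` rather than `sha1WithRSAEncryption`.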

Now Chrome shows me that both servers' SSL is the same. Good.

Of course, run a test on https://www.ssllabs.com

Done!
