> and Firefox refuses to connect to it at all due to weak ciphers:
It's not a weak cipher. I get the same error, but the cipher the server selects is TLS_ECDHE_RSA_WITH_128_SHA (0xc011). If I've got my SSL best-practices straight, that's not a bad choice.
The server, however, also selected SSL 3.0. My understanding is that you can't use that cipher with SSL 3.0 because it didn't exist. Firefox thus aborts the connection; note the error: "…cipher_disallowed_for_version" (of SSL).
I've seen this before on a server I had, and it had the same behavior. I'm nearly certain this is a bug on the server side, perhaps in OpenSSL. The server I had made some pretty nonsensical decisions in the server hello, such as the above with Firefox, and with Chrome, selecting TLS 1.0 even though that was disabled. I asked about it on SO[1], but never got a reply. (For me, it's no longer an issue; we enabled TLS on that server for hopefully obvious reasons.) Firefox and Chrome's client hellos are pretty similar, but not the same, and I never figured out the difference that caused the server to choose SSL or TLS over the other.
It's not a weak cipher. I get the same error, but the cipher the server selects is TLS_ECDHE_RSA_WITH_128_SHA (0xc011). If I've got my SSL best-practices straight, that's not a bad choice.
The server, however, also selected SSL 3.0. My understanding is that you can't use that cipher with SSL 3.0 because it didn't exist. Firefox thus aborts the connection; note the error: "…cipher_disallowed_for_version" (of SSL).
I've seen this before on a server I had, and it had the same behavior. I'm nearly certain this is a bug on the server side, perhaps in OpenSSL. The server I had made some pretty nonsensical decisions in the server hello, such as the above with Firefox, and with Chrome, selecting TLS 1.0 even though that was disabled. I asked about it on SO[1], but never got a reply. (For me, it's no longer an issue; we enabled TLS on that server for hopefully obvious reasons.) Firefox and Chrome's client hellos are pretty similar, but not the same, and I never figured out the difference that caused the server to choose SSL or TLS over the other.
[1]: http://stackoverflow.com/questions/25146651/why-is-nginx-sel...