ECDHE key exchange with TLSv1

Calomel Org kepler at calomel.org
Sat Jul 10 00:03:55 MSD 2010


Does Nginx support the elliptic curve cryptography ciphers like
ECDHE-ECDSA-AES256-SHA available through OpenSSL v1.0.0a?


I have built OpenSSL v1.0.0a and placed it in a separate directory. I
then built nginx with --with-cc-opt="-I /path_openssl/include/"
--with-ld-opt="-L /path_openssl/lib/" and it builds fine.

Nginx.conf has the following for SSL:

     ## SSL Certs
     ssl on;
     ssl_certificate /ssl/host.com_ssl.crt;
     ssl_certificate_key /ssl/host_ssl.key;
     ssl_ciphers ECDHE-ECDSA-AES256-SHA:AES256-SHA;
     #ssl_dhparam /ssl/host_dh.pem;
     ssl_prefer_server_ciphers on;
     ssl_protocols TLSv1;
     ssl_session_cache shared:SSL:1m;
     ssl_session_timeout 5m;


The daemon starts up correctly, but clients will only negotiate their
SSL connection as AES256-SHA. 

Does "ssl_dhparam" need a PEM string? Any examples?



BTW, I found another post in the archives where Maxim Dounin said
support was not available as of October 2009.

Build error --with-debug; ECDHE key exchange TLS problem.[nginx 0.7.62]
http://forum.nginx.org/read.php?2,11737,11737

--
   Calomel @ https://calomel.org
   Open Source Research and Reference
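
Added example, not part of the original message and not nginx or OpenSSL code: a small checker that splits each suite name in an ssl_ciphers string into key exchange and authentication, then reports which suites a server could offer for a given certificate key type. The function names, the ecdh_curve_set flag and the RSA key type in the sample are assumptions; the message does not say what key the certificate holds.

```python
# Added example (not from the original post): which suites in an nginx
# ssl_ciphers string can a server offer, given its certificate key type?
EPHEMERAL = {"ECDHE": "ECDHE", "EECDH": "ECDHE", "DHE": "DHE", "EDH": "DHE"}
AUTH = {"RSA": "RSA", "ECDSA": "ECDSA", "DSS": "DSA"}
# Prefixes this sketch does not model (anonymous, static DH, PSK, SRP, ...).
UNMODELLED = {"ADH", "AECDH", "DH", "ECDH", "PSK", "SRP", "KRB5", "EXP"}
# What the server must supply for each key exchange besides the certificate.
SERVER_PARAMS = {"ECDHE": "EC curve", "DHE": "DH parameters (ssl_dhparam file)",
                 "RSA": None}


def classify(suite):
    """Split an OpenSSL suite name into (key_exchange, authentication)."""
    head, _, rest = suite.partition("-")
    if head in EPHEMERAL:
        auth = rest.split("-")[0]
        if auth not in AUTH:
            raise ValueError(f"unrecognised authentication in {suite!r}")
        return EPHEMERAL[head], AUTH[auth]
    if head in UNMODELLED:
        raise ValueError(f"{suite!r} is outside this sketch")
    # Names with no key-exchange prefix (e.g. AES256-SHA) use RSA for both.
    return "RSA", "RSA"


def negotiable(ssl_ciphers, cert_key, ecdh_curve_set):
    """Return [(suite, usable, reason)] in the order given (server preference).

    cert_key: "RSA", "ECDSA" or "DSA", the key type in ssl_certificate.
    ecdh_curve_set: assumption flag, True if the server build installs an
    ECDH curve in the SSL context (OpenSSL 1.0.x does not pick one itself).
    """
    report = []
    for suite in ssl_ciphers.split(":"):
        kx, auth = classify(suite)
        if auth != cert_key:
            report.append((suite, False, f"needs {auth} certificate, have {cert_key}"))
        elif kx == "ECDHE" and not ecdh_curve_set:
            report.append((suite, False, "server sets no ECDH curve"))
        else:
            report.append((suite, True, f"server parameter: {SERVER_PARAMS[kx]}"))
    return report


# Cipher string from the post; the RSA key type below is constructed.
POST_CIPHERS = "ECDHE-ECDSA-AES256-SHA:AES256-SHA"
if __name__ == "__main__":
    for row in negotiable(POST_CIPHERS, cert_key="RSA", ecdh_curve_set=False):
        print(row)
```

The report also shows that ssl_dhparam only concerns DHE suites: ECDHE takes a curve, not a DH parameter file.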




