ECC Certificates and SNI

Aleksandar Lazic al-nginx at
Sun Aug 31 15:23:38 UTC 2014


Dear B. R. 

It looks like this is a firefox isssue. 

With chomium 38 and curl and s_client I was able to connect. 

openssl version -a
OpenSSL 1.0.1 14 Mar 2012
built on: Thu Aug 7 13:42:02 UTC 2014
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx) 
-fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security
-Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions
-Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT

/usr/sbin/nginx -c /etc/nginx/nginx.conf -V
nginx version: nginx/1.7.4
built by gcc 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) 
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx
--http-log-path=/var/log/nginx/access.log --pid-path=/var/run/
--http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx
--group=nginx --with-http_ssl_module --with-http_realip_module
--with-http_addition_module --with-http_sub_module
--with-http_dav_module --with-http_flv_module --with-http_mp4_module
--with-http_gunzip_module --with-http_gzip_static_module
--with-http_random_index_module --with-http_secure_link_module
--with-http_stub_status_module --with-http_auth_request_module
--with-mail --with-mail_ssl_module --with-file-aio
--with-http_spdy_module --with-cc-opt='-g -O2 -fstack-protector
--param=ssp-buffer-size=4 -Wformat -Wformat-security
-Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions
-Wl,-z,relro -Wl,--as-needed' --with-ipv6

ldd /usr/sbin/nginx => (0x00007fff54dfe000) => /lib/x86_64-linux-gnu/
(0x00007fdac5938000) => /lib/x86_64-linux-gnu/
(0x00007fdac56ff000) => /lib/x86_64-linux-gnu/ (0x00007fdac54c1000) => /lib/x86_64-linux-gnu/
(0x00007fdac5263000) => /lib/x86_64-linux-gnu/
(0x00007fdac4e88000) => /lib/x86_64-linux-gnu/ (0x00007fdac4c70000) => /lib/x86_64-linux-gnu/ (0x00007fdac48b1000)
 /lib64/ (0x00007fdac5b63000) => /lib/x86_64-linux-gnu/ (0x00007fdac46ad000)

ldd $(which openssl) => (0x00007fffdddfe000) => /lib/x86_64-linux-gnu/
(0x00007fbd557c6000) => /lib/x86_64-linux-gnu/
(0x00007fbd553eb000) => /lib/x86_64-linux-gnu/ (0x00007fbd5502b000) => /lib/x86_64-linux-gnu/ (0x00007fbd54e27000) => /lib/x86_64-linux-gnu/ (0x00007fbd54c10000)
 /lib64/ (0x00007fbd55a32000) 


cheers a l 

Am 16-08-2014 11:53, schrieb B.R.: 

> Hello,
> The error comes from OpenSSL. 
> From its name, I wouldsay the constant being check is one that OpenSSL sets during handshake. 
> From its name too, I wouls say this applies to a SSLv3 handshake. OpenSSL has a corresponding TLSv1 constant named DTLS1_SEND_SERVER_KEY_EXCHANGE. 
> Seems like a bug, possibly related to the (non widespread) use of ECC certificates. 
> Before really calling out for a bug: you say SSLv3 is disabled. Please be really sure of that.
> Check the OpenSSL library your nginx has been linked against. I suggest you update that package on your system and retry. 
> Try balance between sufficiently up-to-date version and avoinding versions with well-known vulnerabilities.
> Hope I helped, 
> ---
> B. R. 
> _______________________________________________
> nginx mailing list
> nginx at
> [1]

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the nginx mailing list