nginx centos build only supports SSLv3 and ignores ssl_protocols[solved -- found an issue in nginx]

Rob Stradling rob.stradling at
Thu Oct 2 12:49:05 UTC 2014

Hi.  Visit and check 
out "Protocol Details -> Signature algorithms".  I expect you'll find 
that your browser doesn't offer SHA512/RSA.

Judging from a recent discussion on the IETF TLS list [1], there seems 
to be some confusion over whether the TLS signature_algorithms extension 
should 1) restrict the permitted certificate signature algorithms and 
the non-certificate uses of digital signatures in the TLS protocol or 2) 
only restrict the non-certificate uses of digital signatures in the TLS 

Those taking view 2 don't offer SHA512/RSA because no cipher suites 
require it.  I've concluded that, sadly, certs signed with SHA512/RSA 
basically don't work for TLS.


On 02/10/14 07:00, mayak wrote:
> hi all,
> indeed -- i generated a new set of certs and tested:
> a signature of sha256 results in TLSv* being offered
> a signature of sha512 results in TLSv* _not_ being offered
> certs with 4096 bit keys work fine
> i suspect that there is a variable that is not long enough to support
> the signature ...
> thanks!
> m

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
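As an added illustration of the point above (example code, not from the thread or from nginx): a small decoder for the TLS 1.2 signature_algorithms extension body (RFC 5246 section 7.4.1.4.1) plus a check of whether a given certificate signature algorithm appears in what the client offered. The sample extension bytes are constructed to mimic a client whose list stops at SHA-384, so a SHA512/RSA-signed certificate is reported as incompatible; the code points and the helper names are my own.

```python
# Added example (not part of the mailing-list thread): decode a TLS 1.2
# signature_algorithms extension body and test a certificate's signature
# algorithm against it. Code points follow RFC 5246; the sample bytes below
# are constructed, not captured from a real client.

HASH_NAMES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {1: "rsa", 2: "dsa", 3: "ecdsa"}


def parse_signature_algorithms(body: bytes) -> list[tuple[str, str]]:
    """Decode an extension body: 2-byte list length, then (hash, sig) byte pairs."""
    if len(body) < 2:
        raise ValueError("extension body too short")
    length = int.from_bytes(body[:2], "big")
    data = body[2:]
    if length != len(data) or length % 2 != 0:
        raise ValueError("malformed signature_algorithms list")
    pairs = []
    for i in range(0, length, 2):
        h, s = data[i], data[i + 1]
        pairs.append((HASH_NAMES.get(h, f"hash{h}"), SIG_NAMES.get(s, f"sig{s}")))
    return pairs


def cert_compatible(cert_sigalg: str, offered: list[tuple[str, str]]) -> bool:
    """cert_sigalg in OpenSSL spelling, e.g. 'sha512WithRSAEncryption' or
    'ecdsa-with-SHA256'. Returns True if (hash, sig) is in the client's list."""
    name = cert_sigalg.lower()
    # Longest hash names first so 'sha1' cannot shadow 'sha1xx'-style names.
    for h in sorted(HASH_NAMES.values(), key=len, reverse=True):
        if h in name:
            hash_name = h
            break
    else:
        raise ValueError(f"unrecognised hash in {cert_sigalg}")
    if "ecdsa" in name:
        sig_name = "ecdsa"
    elif "rsa" in name:
        sig_name = "rsa"
    else:
        sig_name = "dsa"
    return (hash_name, sig_name) in offered


# Constructed client offer: SHA256/RSA, SHA384/RSA, SHA256/ECDSA, SHA1/RSA.
# Note the absence of SHA512/RSA (0x0601), as described in the thread.
SAMPLE_CLIENT_OFFER = bytes.fromhex("0008" "0401" "0501" "0403" "0201")
```

Feeding the actual extension bytes from a packet capture into `parse_signature_algorithms` shows directly whether a client could ever accept a SHA512/RSA-signed server certificate.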
