Setting ssl_ecdh_curve to secp384r1 does not work
mdounin at mdounin.ru
Tue Jul 5 13:20:26 UTC 2016
On Tue, Jul 05, 2016 at 02:00:04PM +0200, Florian Reinhart wrote:
> Hi all,
> I was running nginx 1.9.12 on Ubuntu 14.04 built from the source tarball with these options: --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-openssl=/openssl-1.0.2g
> While switching to a new server, I also wanted to switch to the nginx Docker container using my existing nginx config.
> First, I discovered an issue with missing ALPN support due to an old OpenSSL version in Debian Jessie (see https://github.com/nginxinc/docker-nginx/issues/76 ). Therefore, I switched to the Alpine image and discovered another issue.
> The issue seems to be related to the ssl_ecdh_curve setting. In my config I set it to secp384r1. With this setting present, clients won’t connect. This is what curl outputs:
> curl -vvvv -k "https://localhost"
> * Rebuilt URL to: https://localhost/
> * Trying ::1...
> * connect to ::1 port 443 failed: Connection refused
> * Trying 127.0.0.1...
> * Connected to localhost (127.0.0.1) port 443 (#0)
> * ALPN, offering h2
> * ALPN, offering http/1.1
> * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
> * successfully set certificate verify locations:
> * CAfile: /usr/local/etc/openssl/cert.pem
> CApath: none
> * TLSv1.2 (OUT), TLS header, Certificate Status (22):
> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
> * TLSv1.2 (IN), TLS header, Unknown (21):
> * TLSv1.2 (IN), TLS alert, Server hello (2):
> * error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
> * Closing connection 0
> curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
> When I remove ssl_ecdh_curve from my config or set it to auto (which is the default), everything works fine.
> To investigate this issue further I created a virtual machine running Ubuntu 16.04 and installed the latest nginx from the official package source: http://nginx.org/en/linux_packages.html. I was able to reproduce the exact same issue in this virtual machine.
> Do you have an idea what’s going on here? Please let me know if you need any additional information.
It looks like the client doesn't support the curve you've
configured, and non-ECDH ciphers are disabled.
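To make the diagnosis above concrete, here is a small Python model of the server-side decision that produces the "handshake failure" alert curl shows. This is an added example, not code from nginx, OpenSSL or the thread's participants. The negotiation function is a deliberately simplified model (an assumption): the server walks its cipher list in its own preference order, can only select an ECDHE suite when at least one curve from ssl_ecdh_curve is also offered in the client's supported_groups extension, and has nothing left to offer when every suite is ECDHE and no curve is shared. The ClientHello extension bytes and cipher lists are constructed for the example.

```python
"""Model of why a single ssl_ecdh_curve value can make every TLS handshake fail.

Added example (not nginx or OpenSSL code).  The negotiation below is a
simplified model of the real server logic, and all inputs are constructed.
"""
import struct

# IANA TLS "Supported Groups" ids for the curves relevant to the thread.
NAMED_GROUPS = {23: "secp256r1", 24: "secp384r1", 25: "secp521r1", 29: "x25519"}

# OpenSSL spells secp256r1 as prime256v1 in configuration such as ssl_ecdh_curve.
OPENSSL_ALIASES = {"prime256v1": "secp256r1"}

# Constructed body of a supported_groups (formerly elliptic_curves) extension:
# a 2-byte list length followed by 2-byte NamedGroup ids.  This client offers
# only x25519 (0x001d) and secp256r1 (0x0017), and no secp384r1.
CLIENT_GROUPS_EXT = b"\x00\x04\x00\x1d\x00\x17"

# Constructed server cipher preference lists.  ECDHE_ONLY mirrors the thread's
# situation ("non-ECDH ciphers are disabled"); WITH_FALLBACK adds a plain
# RSA-key-exchange suite that needs no curve at all.
ECDHE_ONLY = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256"]
WITH_FALLBACK = ECDHE_ONLY + ["AES128-GCM-SHA256"]


def parse_supported_groups(ext_body):
    """Decode a supported_groups extension body into a list of curve names."""
    if len(ext_body) < 2:
        raise ValueError("truncated supported_groups extension")
    (list_len,) = struct.unpack("!H", ext_body[:2])
    if list_len % 2 or len(ext_body) != 2 + list_len:
        raise ValueError("supported_groups length does not match body")
    ids = struct.unpack("!%dH" % (list_len // 2), ext_body[2:])
    return [NAMED_GROUPS.get(i, "unknown(%d)" % i) for i in ids]


def negotiate(server_curves, client_groups, server_ciphers):
    """Return (cipher, curve) the server would pick, or None for a failed handshake.

    server_curves: curves the server will use for ECDHE, in server order.
    An ECDHE suite is usable only when some server curve is also offered by
    the client; a non-ECDHE suite needs no curve.  None models the server
    sending alert handshake_failure (40), which curl reports as
    'sslv3 alert handshake failure'.
    """
    shared = [c for c in server_curves if c in client_groups]
    for suite in server_ciphers:
        if suite.startswith(("ECDHE-", "ECDH-")):
            if shared:
                return suite, shared[0]
            continue  # no common curve, so this suite cannot be selected
        return suite, None  # RSA or DHE key exchange: curve is irrelevant
    return None


def explain(ssl_ecdh_curve, server_ciphers, client_ext=CLIENT_GROUPS_EXT):
    """Run the model for one ssl_ecdh_curve value and describe the outcome."""
    if ssl_ecdh_curve == "auto":
        # Simplification: "auto" lets the library choose from every curve it supports.
        curves = list(NAMED_GROUPS.values())
    else:
        curves = [OPENSSL_ALIASES.get(c, c) for c in ssl_ecdh_curve.split(":")]
    result = negotiate(curves, parse_supported_groups(client_ext), server_ciphers)
    if result is None:
        return "ssl_ecdh_curve %s: handshake_failure (no shared curve, no non-ECDH suite)" % ssl_ecdh_curve
    cipher, curve = result
    detail = " over " + curve if curve else " (non-ECDH key exchange)"
    return "ssl_ecdh_curve %s: %s%s" % (ssl_ecdh_curve, cipher, detail)


if __name__ == "__main__":
    for setting in ("secp384r1", "auto", "secp384r1:prime256v1"):
        print(explain(setting, ECDHE_ONLY))
    print(explain("secp384r1", WITH_FALLBACK))
```

The model reproduces the thread's observation: with only secp384r1 configured and only ECDHE suites enabled, a client that offers x25519 and secp256r1 leaves the server with no selectable suite, whereas `auto` works because a shared curve exists. The usual fix on the server side is to allow more than one curve; nginx accepts a colon-separated list for ssl_ecdh_curve (with OpenSSL 1.0.2 or later, since nginx 1.11.0), so listing a preferred curve first and a widely supported one after it keeps the stronger curve for clients that offer it without turning away the rest.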