Setting ssl_ecdh_curve to secp384r1 does not work

Florian Reinhart florian at bottledsoftware.de
Tue Jul 5 14:02:21 UTC 2016


Hi Maxim!

That’s what I thought. However, all clients can access the nginx server on the old Ubuntu 14.04 server, which uses the same config,

I tested the following clients on OS X 10.11.5, all failed to connect:

curl, installed from Homebrew: curl 7.49.1 (x86_64-apple-darwin15.5.0) libcurl/7.49.1 OpenSSL/1.0.2h zlib/1.2.5 nghttp2/1.12.0
Safari 9.1.1 (11601.6.17)
Chrome 51.0.2704.106
Firefox 47.0.1

That’s why I don’t think it is a client issue.

Best,
Florian

> On 05 Jul 2016, at 15:20, Maxim Dounin <mdounin at mdounin.ru> wrote:
> 
> Hello!
> 
> On Tue, Jul 05, 2016 at 02:00:04PM +0200, Florian Reinhart wrote:
> 
>> Hi all,
>> 
>> I was running nginx 1.9.12 on Ubuntu 14.04 built from the source tarball with these options: --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-openssl=/openssl-1.0.2g
>> 
>> While switching to a new server, I also wanted to switch to the nginx Docker container using my existing nginx config.
>> 
>> First, I discovered an issue with missing ALPN support due to an old OpenSSL version in Debian Jessie (see https://github.com/nginxinc/docker-nginx/issues/76 ). Therefore, I switched to the Alpine image and discovered another issue.
>> 
>> The issue seems to be related to the ssl_ecdh_curve setting. In my config I set it to secp384r1. With this setting present clients won’t connect. This is what curl outputs:
>> 
>> curl -vvvv -k  "https://localhost"
>> * Rebuilt URL to: https://localhost/
>> *   Trying ::1...
>> * connect to ::1 port 443 failed: Connection refused
>> *   Trying 127.0.0.1...
>> * Connected to localhost (127.0.0.1) port 443 (#0)
>> * ALPN, offering h2
>> * ALPN, offering http/1.1
>> * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
>> * successfully set certificate verify locations:
>> *   CAfile: /usr/local/etc/openssl/cert.pem
>>  CApath: none
>> * TLSv1.2 (OUT), TLS header, Certificate Status (22):
>> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
>> * TLSv1.2 (IN), TLS header, Unknown (21):
>> * TLSv1.2 (IN), TLS alert, Server hello (2):
>> * error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
>> * Closing connection 0
>> curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
>> 
>> 
>> When I remove ssl_ecdh_curve from my config or set it to auto (which is the default) everything works fine.
>> 
>> To investigate this issue further I created a virtual machine running Ubuntu 16.04 and installed the latest nginx from the official package source: http://nginx.org/en/linux_packages.html I was able to reproduce the exact same issue in this virtual machine.
>> 
>> Do you have an idea what’s going on here? Please let me know if you need any additional information.
> 
> It looks like the client doesn't support the curve you've 
> configured, and non-ECDH ciphers are disabled.
> 
> -- 
> Maxim Dounin
> http://nginx.org/ <http://nginx.org/>
> 
> _______________________________________________
> nginx mailing list
> nginx at nginx.org <mailto:nginx at nginx.org>
> http://mailman.nginx.org/mailman/listinfo/nginx <http://mailman.nginx.org/mailman/listinfo/nginx>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20160705/c93f3956/attachment.html>


More information about the nginx mailing list