Setting ssl_ecdh_curve to secp384r1 does not work

Maxim Dounin mdounin at
Tue Jul 5 14:39:48 UTC 2016


On Tue, Jul 05, 2016 at 04:02:21PM +0200, Florian Reinhart wrote:

> Hi Maxim!
> That’s what I thought. However, all clients can access the nginx server on the old Ubuntu 14.04 server, which uses the same config.
> I tested the following clients on OS X 10.11.5, all failed to connect:
> curl, installed from Homebrew: curl 7.49.1 (x86_64-apple-darwin15.5.0) libcurl/7.49.1 OpenSSL/1.0.2h zlib/1.2.5 nghttp2/1.12.0
> Safari 9.1.1 (11601.6.17)
> Chrome 51.0.2704.106
> Firefox 47.0.1
> That’s why I don’t think it is a client issue.

Yes, at least browsers are expected to support secp384r1, so it's 
probably something different. 

Which certificate do you use?  Is it the same as on the old 
server?  Such a situation can easily happen if the only 
certificate available is an ECDSA one and uses, e.g., prime256v1 (not 
secp384r1), but only secp384r1 is enabled by the configuration.

Looking into nginx error logs might also somewhat help to diagnose 
what goes on here.

Maxim Dounin
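
The check suggested in the reply above, as an added example that is not part of the original message or of nginx: it reads the named curve from `openssl x509 -noout -text` output and compares it with the `ssl_ecdh_curve` list. The function names, the sample certificate text and the sample config line are constructed for illustration.

```shell
# Added example (not from the thread). Sample inputs below are constructed.
SAMPLE_CERT_TEXT='        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                ASN1 OID: prime256v1
                NIST CURVE: P-256'
SAMPLE_CONF='    ssl_ecdh_curve secp384r1;'

# Print the key's named curve from x509 text on stdin (empty for RSA keys).
cert_curve() {
    sed -n 's/^[[:space:]]*ASN1 OID:[[:space:]]*\([A-Za-z0-9_-]*\).*/\1/p' | head -n 1
}

# Print the first ssl_ecdh_curve value from nginx configuration text on stdin.
conf_curves() {
    sed -n 's/^[[:space:]]*ssl_ecdh_curve[[:space:]]\{1,\}\([^;]*\);.*/\1/p' | head -n 1
}

# Map common aliases to the name OpenSSL prints in certificate text.
canon() {
    case "$1" in
        P-256|secp256r1) echo prime256v1 ;;
        P-384)           echo secp384r1 ;;
        P-521)           echo secp521r1 ;;
        *)               echo "$1" ;;
    esac
}

# check_curve CERT_CURVE CURVE_LIST: return 0 if the certificate's curve is enabled.
check_curve() {
    cert=$(canon "$1")
    if [ -z "$cert" ]; then echo "no EC key in certificate"; return 0; fi
    if [ "$2" = auto ]; then echo "auto: curve list is left to OpenSSL"; return 0; fi
    old_ifs=$IFS; IFS=:
    for c in $2; do
        if [ "$(canon "$c")" = "$cert" ]; then
            IFS=$old_ifs; echo "ok: $cert is enabled"; return 0
        fi
    done
    IFS=$old_ifs
    echo "mismatch: certificate uses $cert, ssl_ecdh_curve allows $2"; return 1
}

# Real use (paths are placeholders):
#   check_curve "$(openssl x509 -in cert.pem -noout -text | cert_curve)" "$(nginx -T 2>/dev/null | conf_curves)"
check_curve "$(printf '%s\n' "$SAMPLE_CERT_TEXT" | cert_curve)" \
            "$(printf '%s\n' "$SAMPLE_CONF" | conf_curves)" || true
```

A mismatch result points to either adding the certificate's curve to `ssl_ecdh_curve` or serving a certificate whose key uses an enabled curve.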
