Setting ssl_ecdh_curve to secp384r1 does not work
mdounin at mdounin.ru
Tue Jul 5 14:39:48 UTC 2016
On Tue, Jul 05, 2016 at 04:02:21PM +0200, Florian Reinhart wrote:
> Hi Maxim!
> That’s what I thought. However, all clients can access the nginx server on the old Ubuntu 14.04 server, which uses the same config.
> I tested the following clients on OS X 10.11.5, all failed to connect:
> curl, installed from Homebrew: curl 7.49.1 (x86_64-apple-darwin15.5.0) libcurl/7.49.1 OpenSSL/1.0.2h zlib/1.2.5 nghttp2/1.12.0
> Safari 9.1.1 (11601.6.17)
> Chrome 51.0.2704.106
> Firefox 47.0.1
> That’s why I don’t think it is a client issue.
Yes, at least browsers are expected to support secp384r1, so it's
probably something different.
Which certificate do you use? Is it the same as on the old
server? Such a situation can easily happen if the only
certificate available is an ECDSA one and uses, e.g., prime256v1 (not
secp384r1), but only secp384r1 is enabled by the configuration.
Looking into nginx error logs might also somewhat help to diagnose
what goes on here.
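
The certificate/curve mismatch described in the reply above can be checked directly. This is an added example, not part of the original message or of nginx; the function names are hypothetical, and it assumes the `openssl` command-line tool is installed and that the certificate and configuration paths are supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the thread): does the ECDSA certificate's curve
# appear in the ssl_ecdh_curve list? File names passed in are the caller's.

# Named curve of the certificate's public key; empty for an RSA certificate.
cert_curve() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^ *ASN1 OID: *//p' | head -n 1
}

# Last ssl_ecdh_curve value in nginx configuration text read from stdin
# (a config file, or the output of `nginx -T`).
configured_curves() {
    sed -n 's/^[[:space:]]*ssl_ecdh_curve[[:space:]]\{1,\}\([^;]*\);.*/\1/p' | tail -n 1
}

# Map NIST names to the OpenSSL short names used in the thread.
norm_curve() {
    case "$1" in
        P-256) echo prime256v1 ;;
        P-384) echo secp384r1 ;;
        P-521) echo secp521r1 ;;
        *)     echo "$1" ;;
    esac
}

# curve_allowed CERT_CURVE LIST: 0 if CERT_CURVE is in the colon-separated LIST.
curve_allowed() {
    want=$(norm_curve "$1"); old_ifs=$IFS; IFS=:
    for c in $2; do
        if [ "$(norm_curve "$c")" = "$want" ]; then IFS=$old_ifs; return 0; fi
    done
    IFS=$old_ifs; return 1
}

# check_cert_vs_config CERT.pem NGINX.conf: returns 1 on a curve mismatch.
check_cert_vs_config() {
    cc=$(cert_curve "$1"); list=$(configured_curves < "$2")
    if [ -z "$cc" ] || [ -z "$list" ] || [ "$list" = auto ]; then
        echo "nothing to compare (cert curve: '${cc}', ssl_ecdh_curve: '${list}')"; return 0
    fi
    if curve_allowed "$cc" "$list"; then
        echo "ok: certificate curve $cc is in ssl_ecdh_curve $list"; return 0
    fi
    echo "mismatch: certificate uses $cc, ssl_ecdh_curve allows only $list"; return 1
}
```

When several `ssl_ecdh_curve` directives are present, only the last one in the text is compared, so run the check per server block if they differ.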