<div dir="ltr">I've been using ECDSA without issue on 1.7.10 with LibreSSL 2.1.4. Method to generate the key was:<div><br></div><div>openssl ecparam -out ec_key.pem -name secp384r1 -genkey</div><div>openssl req -newkey ec:ec_key.pem -nodes -sha256 -keyout www.domain.tld.key -new -out www.domain.tld.csr<br></div><div><br></div><div>Then I'm declaring the DSA options in ssl_ciphers and defining ssl_ecdh_curve:</div><div><br></div><div>ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA;<br></div><div><br></div><div>ssl_ecdh_curve secp384r1;<br></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr">Scott Larson<br>Lead Systems Administrator, <a href="https://www.wiredrive.com/" target="_blank">Wiredrive</a></div></div></div>
<br><div class="gmail_quote">On Tue, Mar 10, 2015 at 3:25 AM, <span dir="ltr"><<a href="mailto:TheGrandChamp@gmx.de" target="_blank">TheGrandChamp@gmx.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div style="font-family:Verdana;font-size:12.0px"><div>
<p>Hi,</p>
<p> </p>
<p>I compiled nginx 1.7.10 + LibreSSL 2.1.4, but am not able to use ECC certificates.</p>
<p> </p>
<p>nginx -V:</p>
<p>nginx version: nginx/1.7.10</p>
<p>built by gcc 4.7.2 (Debian 4.7.2-5) </p>
<p>TLS SNI support enabled</p>
<p>configure arguments: --with-openssl=/root/git/build_nginx/build/libressl-2.1.4 --with-pcre=/root/git/build_nginx/build/pcre-8.36 --add-module=/root/git/build_nginx/build/echo-nginx-module-0.57 --with-ld-opt=-lrt --prefix=/usr/local/nginx --conf-path=/etc/nginx-libressl/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-file-aio --with-http_spdy_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_secure_link_module --with-http_sub_module --with-http_xslt_module</p>
<p> </p>
<p><span>Using this script: <a href="https://gist.github.com/leonklingele/a669803060fa92817f64" target="_blank"><span>https://gist.github.com/leonklingele/a669803060fa92817f64</span></a></span></p>
<p> </p>
<p>nginx error log gives me these messages:</p>
<p>2015/03/09 17:00:11 [notice] 6484#0: signal process started</p>
<p>2015/03/09 17:00:15 [alert] 6486#0: *732628 ignoring stale global SSL error (SSL: error:14085042:SSL routines:SSL3_CTX_CTRL:called a function you should not call) while SSL handshaking, client: xxx.xxx.xxx.xxx, server: <a href="http://0.0.0.0:443" target="_blank">0.0.0.0:443</a></p>
<p>2015/03/09 17:01:23 [notice] 6785#0: signal process started</p>
<p>2015/03/09 17:01:25 [alert] 6787#0: *733012 ignoring stale global SSL error (SSL: error:14085042:SSL routines:SSL3_CTX_CTRL:called a function you should not call) while SSL handshaking, client: xxx.xxx.xxx.xxx, server: <a href="http://0.0.0.0:443" target="_blank">0.0.0.0:443</a></p>
<p>2015/03/09 17:05:27 [notice] 7479#0: signal process started</p>
<p>2015/03/09 17:05:35 [alert] 7481#0: *734270 ignoring stale global SSL error (SSL: error:14085042:SSL routines:SSL3_CTX_CTRL:called a function you should not call) while SSL handshaking, client: xxx.xxx.xxx.xxx, server: <a href="http://0.0.0.0:443" target="_blank">0.0.0.0:443</a></p>
<p> </p>
<p>RSA certificates work perfectly fine.</p>
<p>I generated the ECDSA CSR (for Comodo) using:</p>
<p>$ openssl ecparam -out private.key -name secp384r1 -genkey</p>
<p>$ openssl req -new -key private.key -nodes -out request.csr</p>
<p> </p>
<p>Is this issue related to nginx or LibreSSL?</p>
<p> </p>
<p><span>Also see: <a href="http://forum.nginx.org/read.php?2,256381,256381#msg-256381" target="_blank"><span>http://forum.nginx.org/read.php?2,256381,256381#msg-256381</span></a></span></p>
<p> </p>
<p> </p>
<p>Thanks for helping,</p>
<p>Jonathan Müller</p>
</div></div></div>
<br>_______________________________________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org">nginx@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx</a><br></blockquote></div><br></div>
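Added example (not code from either message in the thread): a POSIX shell script that follows the key and CSR commands from the reply above, checks with openssl that the resulting key really is on secp384r1 and that the CSR is ECDSA-signed with SHA-256 (what a CA needs to see before issuing an ECDSA certificate), writes the ssl_ciphers and ssl_ecdh_curve directives quoted in the reply into a config snippet, and decodes the packed OpenSSL error code from the log line quoted in the question. The hostname www.example.com, the scratch directory, the /etc/nginx/ssl paths and the -subj value (added only so openssl req does not prompt) are placeholders chosen for this example; the code layout it decodes is the OpenSSL 1.0.x/LibreSSL one used by the quoted lines.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduces the ECDSA key and CSR
# steps from the reply, verifies what they produced, and decodes the packed
# OpenSSL error code from the nginx log line quoted in the question.
# HOST and WORKDIR are placeholders chosen for this example.
set -eu

HOST="${HOST:-www.example.com}"        # placeholder hostname
WORKDIR="${WORKDIR:-$(mktemp -d)}"     # scratch directory for the files

# Log line taken from the quoted question (pid, connection id as posted there).
SAMPLE_LOG_LINE='2015/03/09 17:00:15 [alert] 6486#0: *732628 ignoring stale global SSL error (SSL: error:14085042:SSL routines:SSL3_CTX_CTRL:called a function you should not call) while SSL handshaking, client: xxx.xxx.xxx.xxx, server: 0.0.0.0:443'

# Step 1: secp384r1 key plus a SHA-256 signed CSR, as in the reply. -subj is
# added so "openssl req" does not prompt interactively.
gen_ec_key_and_csr() {
    openssl ecparam -out "$WORKDIR/ec_key.pem" -name secp384r1 -genkey
    openssl req -newkey "ec:$WORKDIR/ec_key.pem" -nodes -sha256 -new \
        -keyout "$WORKDIR/$HOST.key" -out "$WORKDIR/$HOST.csr" \
        -subj "/CN=$HOST"
}

# Step 2a: named curve of the generated private key (expect secp384r1).
key_curve() {
    openssl ec -in "$1" -noout -text 2>/dev/null | sed -n 's/^ *ASN1 OID: *//p'
}

# Step 2b: signature algorithm of the CSR (expect ecdsa-with-SHA256).
csr_sigalg() {
    openssl req -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Step 3: the nginx directives from the reply, kept next to the key so key,
# certificate and config stay together. Certificate paths are placeholders.
write_nginx_snippet() {
    cat > "$WORKDIR/ssl.conf" <<EOF
ssl_certificate     /etc/nginx/ssl/$HOST.crt;   # issued by the CA for $HOST.csr
ssl_certificate_key /etc/nginx/ssl/$HOST.key;
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA;
ssl_ecdh_curve secp384r1;
EOF
    printf '%s\n' "$WORKDIR/ssl.conf"
}

# Step 4: decode an nginx "stale global SSL error" line. OpenSSL 1.0.x and
# LibreSSL pack the code as lib (8 bits) | function (12 bits) | reason
# (12 bits); the text after the code names the same three parts, so the
# numbers let you match a bare hex code against those names.
decode_ssl_error() {
    code=$(printf '%s\n' "$1" | sed -n 's/.*error:\([0-9A-Fa-f]\{8\}\):.*/\1/p')
    if [ -z "$code" ]; then
        echo "no OpenSSL error code in line" >&2
        return 1
    fi
    text=$(printf '%s\n' "$1" | sed -n 's/.*error:[0-9A-Fa-f]\{8\}:\([^)]*\)).*/\1/p')
    printf 'lib=%d func=%d reason=%d text=%s\n' \
        $(( 0x$code >> 24 )) $(( (0x$code >> 12) & 0xFFF )) $(( 0x$code & 0xFFF )) "$text"
}

# Run the demonstration; key generation is skipped when openssl is absent.
main() {
    decode_ssl_error "$SAMPLE_LOG_LINE"
    if command -v openssl >/dev/null 2>&1; then
        gen_ec_key_and_csr 2>/dev/null
        echo "key curve:     $(key_curve "$WORKDIR/$HOST.key")"
        echo "CSR signature: $(csr_sigalg "$WORKDIR/$HOST.csr")"
        echo "nginx snippet: $(write_nginx_snippet)"
    else
        echo "openssl not found; skipping key/CSR generation" >&2
    fi
}
main
```

If key_curve prints anything other than secp384r1, or csr_sigalg prints an RSA algorithm, the CSR was not built from the intended EC key and the CA will return an RSA or mis-keyed certificate; checking both before submitting the CSR is cheaper than debugging the handshake afterwards.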