ECC Certificates and SNI
Aleksandar Lazic
al-nginx at none.at
Wed Aug 13 19:23:09 UTC 2014

Hi,
today I set up a second SSL VHost with ECC.
Why is the default server able to offer TLS 1.2 but the second one is not?
/usr/sbin/nginx -c /etc/nginx/nginx.conf -V
nginx version: nginx/1.7.4
built by gcc 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5)
TLS SNI support enabled
from nginx.org.
Global ssl-setup:
egrep -v '^(#|$)' /home/nginx/installed/conf/ssl.conf
         add_header Strict-Transport-Security "max-age=2628000; includeSubDomains";
         ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
         ssl_session_cache   shared:SSL:10M;
         ssl_session_timeout 10m;
         ssl_prefer_server_ciphers on;
         ssl_dhparam /etc/ssl/dh_2048.pem;
         ssl_trusted_certificate /home/nginx/installed/conf/ssl_dir/certs/CACert_Certs.pem;
         ssl_stapling on;
############
The first VHost
listen       443 default_server ssl spdy;
listen  [::]:443 default_server ssl spdy;
server_name  xxxx;
Check on ssllabs.com
##################
Key 	EC 384 bits
Issuer		COMODO ECC Domain Validation Secure Server CA
Signature algorithm 	SHA256withECDSA
Extended Validation 	No
Revocation information 	CRL, OCSP
Revocation status 	Good (not revoked)
Trusted 	Yes
Protocols
---------
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3   No
SSL 2   No
Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites always at the end)
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)   ECDH 256 bits (eq. 3072 bits RSA)   FS   256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)   ECDH 256 bits (eq. 3072 bits RSA)   FS   128
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)   ECDH 256 bits (eq. 3072 bits RSA)   FS   256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)   ECDH 256 bits (eq. 3072 bits RSA)   FS   128
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)      ECDH 256 bits (eq. 3072 bits RSA)   FS   256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)      ECDH 256 bits (eq. 3072 bits RSA)   FS   128
#############
The second one
         listen       443 ssl spdy;
         listen  [::]:443 ssl spdy;
         server_name  xxx;
############
Key 	EC 384 bits
Issuer		COMODO ECC Domain Validation Secure Server CA
Signature algorithm 	SHA256withECDSA
Extended Validation 	No
Revocation information 	CRL, OCSP
Revocation status 	Good (not revoked)
Trusted 	Yes
Protocols
----------
TLS 1.2 No
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3   No
SSL 2   No
Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites always at the end)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)      ECDH 256 bits (eq. 3072 bits RSA)   FS   256
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)     ECDH 256 bits (eq. 3072 bits RSA)   FS   112
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)      ECDH 256 bits (eq. 3072 bits RSA)   FS   128
#############
Firefox 31.0 on Gentoo is not able to connect.
Chromium Version 37.0.2062.68 (287650) (64-bit) is able to connect, but also only with TLS 1.1.
Any ideas what's wrong?
Thanks for your help.
Best regards
Aleks
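A quick way to reproduce the per-name comparison above from the command line, as an added example that is not part of the original post or of nginx: the script asks openssl s_client for each server name at each TLS version (one connection per name and version) and reports the negotiated protocol and cipher, or FAIL when no handshake completed. The host address and the server names are passed as arguments (the post redacts them as xxxx/xxx, and 203.0.113.10 in the usage line is a placeholder); the s_client output samples used to check the parser are constructed.

```shell
#!/bin/sh
# Added example (not from the original post or from nginx): probe each SNI
# name at each TLS version with openssl s_client and report what the server
# actually negotiated, so two vhosts on the same IP can be compared directly.
# Assumptions: host and server names are given as arguments (the post redacts
# them as xxxx/xxx); OpenSSL 1.0.1 or newer, which has the -tls1_2 flag.

# Reduce s_client output on stdin to "PROTOCOL CIPHER", or "FAIL" when no
# handshake completed. s_client prints an SSL-Session block even after a
# failed handshake, but then reports the cipher as 0000, so the cipher field
# is the reliable success indicator, not the Protocol line.
handshake_result() {
    awk '
        /^ *Protocol *:/ { sub(/^ *Protocol *: */, ""); proto = $0 }
        /^ *Cipher *:/   { sub(/^ *Cipher *: */, "");   cipher = $0 }
        END {
            if (proto == "" || cipher == "" || cipher == "0000") print "FAIL"
            else print proto " " cipher
        }
    '
}

# Map a version label to the matching s_client flag.
version_flag() {
    case "$1" in
        TLS1.0) printf '%s\n' -tls1 ;;
        TLS1.1) printf '%s\n' -tls1_1 ;;
        TLS1.2) printf '%s\n' -tls1_2 ;;
        *) echo "unknown version: $1" >&2; return 1 ;;
    esac
}

# probe_sni HOST SNI_NAME VERSION: connect to HOST:443 with the given SNI
# name, restricted to one protocol version, and print the result line.
probe_sni() {
    host=$1; sni=$2; version=$3
    flag=$(version_flag "$version") || return 1
    # 'Q' on stdin makes s_client close the connection after the handshake.
    printf 'Q\n' | openssl s_client -connect "$host:443" -servername "$sni" \
        "$flag" 2>/dev/null | handshake_result
}

# probe_all HOST NAME...: one result line per server name and TLS version.
probe_all() {
    host=$1; shift
    for sni in "$@"; do
        for version in TLS1.0 TLS1.1 TLS1.2; do
            printf '%-30s %-7s %s\n' "$sni" "$version" \
                "$(probe_sni "$host" "$sni" "$version")"
        done
    done
}

# Usage (placeholder address and names):
#   sh probe_sni.sh 203.0.113.10 default.example.org second.example.org
if [ "$#" -gt 0 ]; then
    probe_all "$@"
fi
```

Run it against the same IP with the default server's name and the second server's name; a name that only ever yields FAIL for TLS1.2 while the other negotiates an ECDHE-ECDSA GCM suite reproduces the ssllabs.com difference without depending on the browser's own cipher list.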