ECC Certificates and SNI
Aleksandar Lazic
al-nginx at none.at
Wed Aug 13 19:31:29 UTC 2014
This is the output of the debug log.
######################
2014/08/13 21:29:46 [debug] 915#0: *1 SSL certificate status callback
2014/08/13 21:29:46 [debug] 915#0: *1 SSL NPN advertised
2014/08/13 21:29:46 [debug] 915#0: *1 SSL_do_handshake: -1
2014/08/13 21:29:46 [debug] 915#0: *1 SSL_get_error: 1
2014/08/13 21:29:46 [crit] 915#0: *1 SSL_do_handshake() failed (SSL: error:1409B044:SSL routines:SSL3_SEND_SERVER_KEY_EXCHANGE:internal error) while SSL handshaking, client: <MY_CLIENT>, server: 0.0.0.0:443
2014/08/13 21:29:46 [debug] 915#0: *1 close http connection: 81
2014/08/13 21:29:46 [debug] 915#0: *1 SSL_shutdown: 1
2014/08/13 21:29:46 [debug] 915#0: *1 event timer del: 81: 1407958246379
2014/08/13 21:29:46 [debug] 915#0: *1 reusable connection: 0
2014/08/13 21:29:46 [debug] 915#0: *1 free: 0000000000D9CB60, unused: 0
2014/08/13 21:29:46 [debug] 915#0: *1 free: 0000000000EBDEC0, unused: 104
######################
On 13-08-2014 21:23, Aleksandar Lazic wrote:
> Hi.
>
> Today I have set up a second SSL VHost with ECC.
>
> Why is the default server able to offer TLS 1.2 but the second one not?
>
>
> /usr/sbin/nginx -c /etc/nginx/nginx.conf -V
> nginx version: nginx/1.7.4
> built by gcc 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5)
> TLS SNI support enabled
>
> from nginx.org.
>
> Global ssl-setup:
>
> egrep -v '^(#|$)' /home/nginx/installed/conf/ssl.conf
>
> add_header Strict-Transport-Security "max-age=2628000; includeSubDomains";
> ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
> ssl_session_cache shared:SSL:10M;
> ssl_session_timeout 10m;
> ssl_prefer_server_ciphers on;
> ssl_dhparam /etc/ssl/dh_2048.pem;
> ssl_trusted_certificate /home/nginx/installed/conf/ssl_dir/certs/CACert_Certs.pem;
> ssl_stapling on;
> ############
>
> The first VHost
>
> listen 443 default_server ssl spdy;
> listen [::]:443 default_server ssl spdy;
> server_name xxxx;
>
> Check on ssllabs.com
>
> ##################
> Key EC 384 bits
> Issuer COMODO ECC Domain Validation Secure Server CA
> Signature algorithm SHA256withECDSA
> Extended Validation No
> Revocation information CRL, OCSP
> Revocation status Good (not revoked)
> Trusted Yes
>
>
> Protocols
> ---------
> TLS 1.2 Yes
> TLS 1.1 Yes
> TLS 1.0 Yes
> SSL 3 No
> SSL 2 No
>
> Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and
> SSL 2 suites always at the end)
> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) ECDH 256 bits (eq.
> 3072 bits RSA) FS 256
> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) ECDH 256 bits (eq.
> 3072 bits RSA) FS 128
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024) ECDH 256 bits (eq.
> 3072 bits RSA) FS 256
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023) ECDH 256 bits (eq.
> 3072 bits RSA) FS 128
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) ECDH 256 bits (eq.
> 3072 bits RSA) FS 256
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) ECDH 256 bits (eq.
> 3072 bits RSA) FS 128
> #############
>
> The second one
> listen 443 ssl spdy;
> listen [::]:443 ssl spdy;
> server_name xxx;
>
> ############
> Key EC 384 bits
> Issuer COMODO ECC Domain Validation Secure Server CA
> Signature algorithm SHA256withECDSA
> Extended Validation No
> Revocation information CRL, OCSP
> Revocation status Good (not revoked)
> Trusted Yes
>
> Protocols
> ----------
> TLS 1.2 No
> TLS 1.1 Yes
> TLS 1.0 Yes
> SSL 3 No
> SSL 2 No
>
> Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and
> SSL 2 suites always at the end)
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) ECDH 256 bits (eq.
> 3072 bits RSA) FS 256
> TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008) ECDH 256 bits (eq.
> 3072 bits RSA) FS 112
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) ECDH 256 bits (eq.
> 3072 bits RSA) FS 128
> #############
>
> Firefox 31.0 on gentoo is not able to connect.
> Chromium Version 37.0.2062.68 (287650) (64-bit) is able to connect but
> also only with TLS 1.1
>
> Any ideas what's wrong?
>
> Thanks for help
>
> Best regards
> Aleks
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
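The per-protocol check that SSL Labs performed above can be repeated against one SNI name from the command line with openssl s_client; the script below is an added example, not code from the mail or from nginx. HOST, PORT and SNI are assumed environment variables, and the transcripts in the offline branch are constructed samples, not real captures. Passing -servername is what selects the second vhost; without it nginx answers with the default_server block.

```shell
#!/usr/bin/env bash
# Added example, not from the original mail: probe one SNI name per TLS version with
# openssl s_client so the default_server and the second (ECC) vhost can be compared.
# HOST, PORT and SNI are assumptions supplied via the environment.
set -u

# Reduce an `openssl s_client` transcript read from stdin to one line:
#   "ok <protocol> <cipher>"          when the handshake completed, or
#   "fail <first OpenSSL error line>" when the server aborted it.
# A failed handshake still prints "Cipher : 0000", hence the extra check.
tls_summary() {
    awk '
        /^ *Protocol *:/ { proto = $NF }
        /^ *Cipher *:/   { cipher = $NF }
        /^[0-9A-Fa-f]+:error:/ && err == "" { err = $0 }
        END {
            if (cipher != "" && cipher != "0000") print "ok", proto, cipher
            else if (err != "") print "fail", err
            else print "fail", "no handshake (connection closed)"
        }'
}

# One handshake attempt with a fixed protocol flag (-tls1, -tls1_1 or -tls1_2).
# -servername is what selects the SNI vhost; without it nginx serves default_server.
probe() {
    local flag=$1
    printf '%-8s ' "$flag"
    openssl s_client -connect "$HOST:${PORT-443}" -servername "$SNI" "$flag" \
        </dev/null 2>&1 | tls_summary
}

if [ -n "${HOST-}" ] && [ -n "${SNI-}" ]; then
    for flag in -tls1 -tls1_1 -tls1_2; do probe "$flag"; done
else
    # Offline demonstration on two constructed transcripts (not real captures).
    printf 'SSL-Session:\n    Protocol  : TLSv1.2\n    Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384\n' | tls_summary
    printf '1:error:00000000:SSL routines:(constructed):tlsv1 alert internal error:f.c:0:\nSSL-Session:\n    Protocol  : TLSv1.2\n    Cipher    : 0000\n' | tls_summary
fi
```

Run it once with SNI set to the default server_name and once with the second vhost's name; a "fail" only on -tls1_2 for the second name reproduces the SSL Labs result from the original mail.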