ECC Certificates and SNI

Aleksandar Lazic al-nginx at none.at
Sun Aug 31 15:23:38 UTC 2014


 

Dear B. R. 

It looks like this is a Firefox issue. 

With Chromium 38, curl and s_client I was able to connect. 

##########
openssl version -a
OpenSSL 1.0.1 14 Mar 2012
built on: Thu Aug 7 13:42:02 UTC 2014
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx) 
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2
-fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security
-Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions
-Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT
-DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 -DMD32_REG_T=int
-DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5
-DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM
-DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM

/usr/sbin/nginx -c /etc/nginx/nginx.conf -V
nginx version: nginx/1.7.4
built by gcc 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) 
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx
--conf-path=/etc/nginx/nginx.conf
--error-log-path=/var/log/nginx/error.log
--http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid
--lock-path=/var/run/nginx.lock
--http-client-body-temp-path=/var/cache/nginx/client_temp
--http-proxy-temp-path=/var/cache/nginx/proxy_temp
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp
--http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx
--group=nginx --with-http_ssl_module --with-http_realip_module
--with-http_addition_module --with-http_sub_module
--with-http_dav_module --with-http_flv_module --with-http_mp4_module
--with-http_gunzip_module --with-http_gzip_static_module
--with-http_random_index_module --with-http_secure_link_module
--with-http_stub_status_module --with-http_auth_request_module
--with-mail --with-mail_ssl_module --with-file-aio
--with-http_spdy_module --with-cc-opt='-g -O2 -fstack-protector
--param=ssp-buffer-size=4 -Wformat -Wformat-security
-Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions
-Wl,-z,relro -Wl,--as-needed' --with-ipv6

ldd /usr/sbin/nginx
 linux-vdso.so.1 => (0x00007fff54dfe000)
 libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0
(0x00007fdac5938000)
 libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1
(0x00007fdac56ff000)
 libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007fdac54c1000)
 libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0
(0x00007fdac5263000)
 libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
(0x00007fdac4e88000)
 libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fdac4c70000)
 libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fdac48b1000)
 /lib64/ld-linux-x86-64.so.2 (0x00007fdac5b63000)
 libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fdac46ad000)

ldd $(which openssl)
 linux-vdso.so.1 => (0x00007fffdddfe000)
 libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0
(0x00007fbd557c6000)
 libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
(0x00007fbd553eb000)
 libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fbd5502b000)
 libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fbd54e27000)
 libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fbd54c10000)
 /lib64/ld-linux-x86-64.so.2 (0x00007fbd55a32000) 

######### 

cheers a l 

On 16-08-2014 11:53, B.R. wrote: 

> Hello,
> 
> The error comes from OpenSSL. 
> 
> From its name, I would say the constant being checked is one that OpenSSL sets during the handshake. 
> From its name too, I would say this applies to an SSLv3 handshake. OpenSSL has a corresponding TLSv1 constant named DTLS1_SEND_SERVER_KEY_EXCHANGE. 
> Seems like a bug, possibly related to the (non widespread) use of ECC certificates. 
> 
> Before really calling out for a bug: you say SSLv3 is disabled. Please be really sure of that.
> 
> Check the OpenSSL library your nginx has been linked against. I suggest you update that package on your system and retry. 
> Try to balance between a sufficiently up-to-date version and avoiding versions with well-known vulnerabilities.
> 
> Hope I helped, 
> 
> ---
> B. R. 
> 