nginx + LibreSSL + ECDSA cert = Error

Scott Larson stl at wiredrive.com
Tue Mar 10 19:14:02 UTC 2015 

     I've been using ECDSA without issue on 1.7.10 with LibreSSL 2.1.4.
Method to generate the key was:

openssl ecparam -out ec_key.pem -name secp384r1 -genkey
openssl req -newkey ec:ec_key.pem -nodes -sha256 -keyout www.domain.tld.key
-new -out www.domain.tld.csr

     Then I'm declaring the DSA options in ssl_ciphers and defining
ssl_ecdh_curve:

 ssl_ciphers
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA;

ssl_ecdh_curve secp384r1;




*[image: userimage]Scott Larson[image: los angeles]
<https://www.google.com/maps/place/4216+Glencoe+Ave,+Marina+Del+Rey,+CA+90292/@33.9892151,-118.4421334,17z/data=!3m1!4b1!4m2!3m1!1s0x80c2ba88ffae914d:0x14e1d00084d4d09c>Lead
Systems Administrator[image: wdlogo] <https://www.wiredrive.com/> [image:
linkedin] <https://www.linkedin.com/company/wiredrive> [image: facebook]
<https://www.twitter.com/wiredrive> [image: twitter]
<https://www.facebook.com/wiredrive> [image: instagram]
<https://www.instagram.com/wiredrive>T 310 823 8238 x1106
<310%20823%208238%20x1106>  |  M 310 904 8818 <310%20904%208818>*

On Tue, Mar 10, 2015 at 3:25 AM, <TheGrandChamp at gmx.de> wrote:

> Hi,
>
>
>
> I compiled nginx 1.7.10 + LibreSSL 2.1.4, but am not able to use ECC
> certificates.
>
>
>
> nginx -V:
>
> nginx version: nginx/1.7.10
>
> built by gcc 4.7.2 (Debian 4.7.2-5)
>
> TLS SNI support enabled
>
> configure arguments:
> --with-openssl=/root/git/build_nginx/build/libressl-2.1.4
> --with-pcre=/root/git/build_nginx/build/pcre-8.36
> --add-module=/root/git/build_nginx/build/echo-nginx-module-0.57
> --with-ld-opt=-lrt --prefix=/usr/local/nginx
> --conf-path=/etc/nginx-libressl/nginx.conf --http-log-path=/var/log/nginx/access.log
> --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock
> --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body
> --http-fastcgi-temp-path=/var/lib/nginx/fastcgi
> --http-proxy-temp-path=/var/lib/nginx/proxy
> --http-scgi-temp-path=/var/lib/nginx/scgi
> --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit
> --with-ipv6 --with-http_ssl_module --with-http_stub_status_module
> --with-http_realip_module --with-http_auth_request_module --with-file-aio
> --with-http_spdy_module --with-http_addition_module --with-http_dav_module
> --with-http_geoip_module --with-http_gzip_static_module
> --with-http_image_filter_module --with-http_secure_link_module
> --with-http_sub_module --with-http_xslt_module
>
>
>
> Using this script:
> https://gist.github.com/leonklingele/a669803060fa92817f64
>
>
>
> nginx error log gives me these messages:
>
> 2015/03/09 17:00:11 [notice] 6484#0: signal process started
>
> 2015/03/09 17:00:15 [alert] 6486#0: *732628 ignoring stale global SSL
> error (SSL: error:14085042:SSL routines:SSL3_CTX_CTRL:called a function you
> should not call) while SSL handshaking, client: xxx.xxx.xxx.xxx, server:
> 0.0.0.0:443
>
> 2015/03/09 17:01:23 [notice] 6785#0: signal process started
>
> 2015/03/09 17:01:25 [alert] 6787#0: *733012 ignoring stale global SSL
> error (SSL: error:14085042:SSL routines:SSL3_CTX_CTRL:called a function you
> should not call) while SSL handshaking, client: xxx.xxx.xxx.xxx, server:
> 0.0.0.0:443
>
> 2015/03/09 17:05:27 [notice] 7479#0: signal process started
>
> 2015/03/09 17:05:35 [alert] 7481#0: *734270 ignoring stale global SSL
> error (SSL: error:14085042:SSL routines:SSL3_CTX_CTRL:called a function you
> should not call) while SSL handshaking, client: xxx.xxx.xxx.xxx, server:
> 0.0.0.0:443
>
>
>
> RSA certificates work perfectly fine.
>
> I generated the ECDSA CSR (for Comodo) using:
>
> $ openssl ecparam -out private.key -name secp384r1 -genkey
>
> $ openssl req -new -key private.key -nodes -out request.csr
>
>
>
> Is this issue related to nginx or LibreSSL?
>
>
>
> Also see: http://forum.nginx.org/read.php?2,256381,256381#msg-256381
>
>
>
>
>
> Thanks for helping,
>
> Jonathan Müller
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20150310/f6825f78/attachment.html>

More information about the nginx mailing list