On Thu, 3 Jul 2014, Ez Egy wrote:
> Since these two are using GCM:
>
> www.ssllabs.com: ECDHE-RSA-AES256-GCM-SHA384
> www.google.com: ECDHE-RSA-AES128-GCM-SHA256
>
> We wanted to make our webserver HTTPS connection more secure (don't look at
> the self-signed certificate, that doesn't count right now..)
>
> We are using an OpenBSD 5.4 64bit, and the "openssl ciphers" command says
> that it supports the "ECDHE-RSA-AES256-GCM-SHA384" cipher. On client side
> there is Firefox 30 at least.
>
> So here is how we setup the HTTPS server:
>
> # generate self signed certificate
> openssl genrsa -aes256 -out /etc/ssl/private/server.key 4096
> openssl req -new -key /etc/ssl/private/server.key -out
> /etc/ssl/private/server.csr
> openssl x509 -sha512 -req -days 365 -in /etc/ssl/private/server.csr
> -signkey /etc/ssl/private/server.key -out /etc/ssl/server.crt
>
> The config:
>
> vi /etc/nginx/nginx.conf
> ...
> ssl_protocols TLSv1.2;
> ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384;
> ssl_prefer_server_ciphers on;
> ...
>
> But Firefox says (I translated it from my language..):
>
> A connection to the www.foo.com is interrupted
>
> and ssllabs ( https://www.ssllabs.com/ssltest/ ) says:
>
> Assessment failed: Failed to communicate with the secure server
>
> Question: How can we set GCM in nginx? Why couldn't a fresh Firefox connect
> via HTTPS to foo.com (ECDHE-RSA-AES256-GCM-SHA384,TLSv1.2)? It can connect
> to www.ssllabs.com via HTTPS (ECDHE-RSA-AES256-GCM-SHA384,TLSv1.2) so maybe
> it's not a client side problem..
>
> [user@localhost ~] openssl s_client -connect www.foo.com:443
> CONNECTED(00000003)
> depth=0 C = HU, CN = www.foo.com
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 C = HU, CN = www.foo.com
> verify return:1
> ---
> Certificate chain
> 0 s:/C=HU/CN=www.foo.com
> i:/C=HU/CN=www.foo.com
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> .... here goes the cert..
> -----END CERTIFICATE-----
> subject=/C=HU/CN=www.foo.com
> issuer=/C=HU/CN=www.foo.com
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 2137 bytes and written 389 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
You've just proven that nginx is working with ECDHE-RSA-AES256-GCM-SHA384
(assuming that www.foo.com is actually your server).
> Server public key is 4096 bit
Compared to ssllabs:
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
I would suspect that your client (Firefox) issues are related to your server
certificate/public key, rather than the cipher.
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1.2
--
"Action without study is fatal. Study without action is futile."
-- Mary Ritter Beard
