Hello!

On Tue, Jul 05, 2016 at 02:00:04PM +0200, Florian Reinhart wrote:

> Hi all,
> 
> I was running nginx 1.9.12 on Ubuntu 14.04 built from the source tarball with 
> these options: --with-ipv6 --with-http_ssl_module --with-http_v2_module 
> --with-openssl=/openssl-1.0.2g
> 
> While switching to a new server, I also wanted to switch to the nginx Docker 
> container using my existing nginx config.
> 
> First, I discovered an issue with missing ALPN support due to an old OpenSSL 
> version in Debian Jessie (see 
> https://github.com/nginxinc/docker-nginx/issues/76 ). Therefore, I switched 
> to the Alpine image and discovered another issue.
> 
> The issue seems to be related to the ssl_ecdh_curve setting. In my config I 
> set it to secp384r1. With this setting present clients won’t connect. This is 
> what curl outputs:
> 
> curl -vvvv -k "https://localhost"
> * Rebuilt URL to: https://localhost/
> *   Trying ::1...
> * connect to ::1 port 443 failed: Connection refused
> *   Trying 127.0.0.1...
> * Connected to localhost (127.0.0.1) port 443 (#0)
> * ALPN, offering h2
> * ALPN, offering http/1.1
> * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
> * successfully set certificate verify locations:
> *   CAfile: /usr/local/etc/openssl/cert.pem
>   CApath: none
> * TLSv1.2 (OUT), TLS header, Certificate Status (22):
> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
> * TLSv1.2 (IN), TLS header, Unknown (21):
> * TLSv1.2 (IN), TLS alert, Server hello (2):
> * error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake 
> failure
> * Closing connection 0
> curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert 
> handshake failure
> 
> 
> When I remove ssl_ecdh_curve from my config or set it to auto (which is the 
> default) everything works fine.
> 
> To investigate this issue further I created a virtual machine running Ubuntu 
> 16.04 and installed the latest nginx from the official package source: 
> http://nginx.org/en/linux_packages.html I was able to reproduce the exact 
> same issue in this virtual machine.
> 
> Do you have an idea what’s going on here? Please let me know if you need any 
> additional information.

It looks like the client doesn't support the curve you've 
configured, and non-ECDH ciphers are disabled.

-- 
Maxim Dounin
http://nginx.org/
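The mechanism behind Maxim's answer, as an added example that is not part of this thread and not nginx or OpenSSL code: a small model of the server-side decision in a TLS 1.2 handshake. It parses the supported_groups extension (type 10, the "elliptic_curves" extension of RFC 4492) out of a constructed ClientHello and asks whether a server that, like nginx with OpenSSL 1.0.2, pins `ssl_ecdh_curve` to a single named curve can still pick a cipher suite. The ClientHello bytes, the short cipher-suite table and the `negotiate` function are constructed for this example; the curve ids and suite ids are the IANA-registered values. The model is deliberately simplified (no signature algorithms, no key exchange, `auto` treated as "any curve both sides know").

```python
"""Model of why `ssl_ecdh_curve secp384r1` can end in handshake_failure.

Constructed example: builds a TLS 1.2 ClientHello, parses the
supported_groups extension back out, and applies the rule that an
ECDHE suite is only usable if the client offered the server's curve.
"""
import struct

# IANA NamedGroup ids (RFC 4492 / RFC 8422)
CURVES = {"secp256r1": 23, "secp384r1": 24, "secp521r1": 25, "x25519": 29}
CURVE_NAMES = {v: k for k, v in CURVES.items()}
SUPPORTED_GROUPS_EXT = 10

# IANA cipher-suite ids; only a handful are needed for the demonstration.
ECDHE_SUITES = {0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
                0xC030: "ECDHE-RSA-AES256-GCM-SHA384"}
RSA_SUITES = {0x009C: "AES128-GCM-SHA256",
              0x009D: "AES256-GCM-SHA384"}


def build_client_hello(curves, ciphers):
    """Return a ClientHello handshake message (no record header) offering
    the given curve names and cipher-suite ids. Constructed test data."""
    body = b"\x03\x03" + b"\x00" * 32                      # version, random
    body += b"\x00"                                        # empty session id
    body += struct.pack("!H", 2 * len(ciphers))
    body += b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                    # null compression
    groups = b"".join(struct.pack("!H", CURVES[c]) for c in curves)
    ext = struct.pack("!HH", SUPPORTED_GROUPS_EXT, len(groups) + 2)
    ext += struct.pack("!H", len(groups)) + groups
    body += struct.pack("!H", len(ext)) + ext
    # HandshakeType client_hello (1) followed by a 24-bit length
    return b"\x01" + struct.pack("!I", len(body))[1:] + body


def parse_client_hello(msg):
    """Return (cipher_suite_ids, named_group_ids) from a ClientHello."""
    if msg[0] != 1:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                                         # header, version, random
    p += 1 + msg[p]                                        # session id
    cs_len = struct.unpack("!H", msg[p:p + 2])[0]
    p += 2
    ciphers = [struct.unpack("!H", msg[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + msg[p]                                        # compression methods
    groups = []
    if p < len(msg):
        ext_len = struct.unpack("!H", msg[p:p + 2])[0]
        p += 2
        end = p + ext_len
        while p < end:
            etype, elen = struct.unpack("!HH", msg[p:p + 4])
            p += 4
            if etype == SUPPORTED_GROUPS_EXT:
                glen = struct.unpack("!H", msg[p:p + 2])[0]
                groups = [struct.unpack("!H", msg[p + 2 + i:p + 4 + i])[0]
                          for i in range(0, glen, 2)]
            p += elen
    return ciphers, groups


def negotiate(client_hello, ssl_ecdh_curve, server_suites):
    """Simplified server choice. `ssl_ecdh_curve` is one curve name or
    "auto"; `server_suites` is the server's preference list of suite ids.
    Returns (suite_name, None) on success or (None, "handshake_failure")."""
    ciphers, groups = parse_client_hello(client_hello)
    offered = set(groups)
    if ssl_ecdh_curve == "auto":
        usable_curves = offered & set(CURVE_NAMES)         # any shared curve
    else:
        usable_curves = {CURVES[ssl_ecdh_curve]} & offered  # pinned curve only
    for suite in server_suites:
        if suite not in ciphers:
            continue
        if suite in ECDHE_SUITES:
            if usable_curves:
                return ECDHE_SUITES[suite], None
            continue                                       # no usable curve: skip ECDHE
        if suite in RSA_SUITES:
            return RSA_SUITES[suite], None                 # non-ECDH fallback
    return None, "handshake_failure"


if __name__ == "__main__":
    # A client that offers only P-256 against a server pinned to P-384 with
    # ECDHE-only ciphers: this is the alert seen in the curl output.
    hello = build_client_hello(["secp256r1"], [0xC02F])
    print(negotiate(hello, "secp384r1", [0xC030, 0xC02F]))
    print(negotiate(hello, "auto", [0xC030, 0xC02F]))
```

The three outcomes the model distinguishes match the thread: with the curve pinned and only ECDHE suites enabled the server has nothing to offer and sends handshake_failure; with `ssl_ecdh_curve auto` it picks whichever curve the client does support; and if a plain RSA key-exchange suite were still enabled, the handshake would succeed on that suite instead of failing, which is the "non-ECDH ciphers are disabled" half of the diagnosis. On a real server, `openssl s_client -curves <name>` against the listener is the quickest way to confirm which curves the client side actually offers.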

_______________________________________________
nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx
