Hi Maxim!

That’s what I thought. However, all clients can access the nginx server on the 
old Ubuntu 14.04 server, which uses the same config.

I tested the following clients on OS X 10.11.5, all failed to connect:

curl, installed from Homebrew: curl 7.49.1 (x86_64-apple-darwin15.5.0) 
libcurl/7.49.1 OpenSSL/1.0.2h zlib/1.2.5 nghttp2/1.12.0
Safari 9.1.1 (11601.6.17)
Chrome 51.0.2704.106
Firefox 47.0.1

That’s why I don’t think it is a client issue.

Best,
Florian

> On 05 Jul 2016, at 15:20, Maxim Dounin <[email protected]> wrote:
> 
> Hello!
> 
> On Tue, Jul 05, 2016 at 02:00:04PM +0200, Florian Reinhart wrote:
> 
>> Hi all,
>> 
>> I was running nginx 1.9.12 on Ubuntu 14.04 built from the source tarball 
>> with these options: --with-ipv6 --with-http_ssl_module --with-http_v2_module 
>> --with-openssl=/openssl-1.0.2g
>> 
>> While switching to a new server, I also wanted to switch to the nginx Docker 
>> container using my existing nginx config.
>> 
>> First, I discovered an issue with missing ALPN support due to an old OpenSSL 
>> version in Debian Jessie (see 
>> https://github.com/nginxinc/docker-nginx/issues/76 ). Therefore, I switched 
>> to the Alpine image and discovered another issue.
>> 
>> The issue seems to be related to the ssl_ecdh_curve setting. In my config I 
>> set it to secp384r1. With this setting present clients won’t connect. This 
>> is what curl outputs:
>> 
>> curl -vvvv -k  "https://localhost";
>> * Rebuilt URL to: https://localhost/
>> *   Trying ::1...
>> * connect to ::1 port 443 failed: Connection refused
>> *   Trying 127.0.0.1...
>> * Connected to localhost (127.0.0.1) port 443 (#0)
>> * ALPN, offering h2
>> * ALPN, offering http/1.1
>> * Cipher selection: 
>> ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
>> * successfully set certificate verify locations:
>> *   CAfile: /usr/local/etc/openssl/cert.pem
>>  CApath: none
>> * TLSv1.2 (OUT), TLS header, Certificate Status (22):
>> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
>> * TLSv1.2 (IN), TLS header, Unknown (21):
>> * TLSv1.2 (IN), TLS alert, Server hello (2):
>> * error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake 
>> failure
>> * Closing connection 0
>> curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert 
>> handshake failure
>> 
>> 
>> When I remove ssl_ecdh_curve from my config or set it to auto (which is the 
>> default) everything works fine.
>> 
>> To investigate this issue further I created a virtual machine running Ubuntu 
>> 16.04 and installed the latest nginx from the official package source: 
>> http://nginx.org/en/linux_packages.html I was able to reproduce the exact 
>> same issue in this virtual machine.
>> 
>> Do you have an idea what’s going on here? Please let me know if you need any 
>> additional information.
> 
> It looks like the client doesn't support the curve you've 
> configured, and non-ECDH ciphers are disabled.
> 
> -- 
> Maxim Dounin
> http://nginx.org/
> 
> _______________________________________________
> nginx mailing list
> [email protected]
> http://mailman.nginx.org/mailman/listinfo/nginx
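Maxim's diagnosis above is that the client never offers the curve configured in ssl_ecdh_curve, so no ECDHE suite can be negotiated. One way to confirm that from a packet capture, as an added example that is not part of this thread or of nginx, is to parse the supported_groups extension of the TLS ClientHello and intersect it with the server's curve list. The ClientHello below is constructed by the code itself (not a capture from the thread), and the colon-separated curve list assumes nginx 1.11.0 or later with OpenSSL 1.0.2+; the `auto` setting is not modelled.

```python
import struct

# IANA supported_groups ids mapped to the OpenSSL names nginx uses in ssl_ecdh_curve
NAMED_GROUPS = {0x0017: "prime256v1", 0x0018: "secp384r1",
                0x0019: "secp521r1", 0x001d: "X25519"}

def build_client_hello(group_ids):
    """Construct a minimal TLS 1.2 ClientHello record (constructed test input, not a real capture)."""
    groups = struct.pack("!H", 2 * len(group_ids))
    groups += b"".join(struct.pack("!H", g) for g in group_ids)
    points = b"\x01\x00"                                    # ec_point_formats: uncompressed only
    exts = (struct.pack("!HH", 0x000b, len(points)) + points +
            struct.pack("!HH", 0x000a, len(groups)) + groups)
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"            # version, random, empty session id
            + b"\x00\x04\xc0\x2f\xc0\x30"                   # two ECDHE-RSA AES-GCM suites
            + b"\x01\x00"                                   # null compression only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_supported_groups(record):
    """Return the curve names a ClientHello offers, in the client's preference order."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9 + 2 + 32                                        # record+handshake headers, version, random
    pos += 1 + record[pos]                                  # session id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]  # cipher suites
    pos += 1 + record[pos]                                  # compression methods
    ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0x000a:                              # supported_groups (elliptic_curves)
            n = struct.unpack("!H", record[pos:pos + 2])[0]
            ids = struct.unpack("!%dH" % (n // 2), record[pos + 2:pos + 2 + n])
            return [NAMED_GROUPS.get(i, "unknown(0x%04x)" % i) for i in ids]
        pos += ext_len                                      # skip any other extension
    return []                                               # client offers no ECDHE curves at all

def shared_curves(client_groups, ssl_ecdh_curve):
    """Curves both sides accept, given an nginx ssl_ecdh_curve value (colon-separated list).
    An empty result means ECDHE cannot be negotiated; with only ECDHE suites enabled the
    server answers with a handshake_failure alert, which is what curl reported in the thread."""
    return [c for c in ssl_ecdh_curve.split(":") if c in client_groups]
```

To check a real client, feed the raw bytes of the first TLS record it sends to `parse_supported_groups` and compare the result with the server's `ssl_ecdh_curve` value.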
