Hi Maxim! Thanks for investigating this! I thought ssl_ecdh_curve was only used to specify curves for ECDHE.

Is there any way to know what curves "auto" will include on my system?

—Florian

> On 05 Jul 2016, at 20:16, Maxim Dounin <[email protected]> wrote:
>
> Hello!
>
> On Tue, Jul 05, 2016 at 05:02:07PM +0200, Florian Reinhart wrote:
>
>> It is the same certificate on both servers and it is indeed a
>> secp256r1 aka prime256v1 certificate. So does this mean I have
>> to use prime256v1 for ssl_ecdh_curve with this certificate? It's
>> still strange that it used to work before...
>
> Since version 1.11.0 nginx uses the new SSL_CTX_set1_curves_list()
> interface if available to configure supported curves, instead of
> the previously used EC_KEY_new_by_curve_name()/SSL_CTX_set_tmp_ecdh().
> This new interface is generally better as it allows configuring
> multiple curves.
>
> I've just tested, and it looks like this new interface is also
> more strict. With the previous interface it was possible to use any
> certificate regardless of the ssl_ecdh_curve setting, and that's
> why it worked for you in older versions. The new interface does
> not allow using curves which are not listed at all, including
> certificates using these curves.
>
> The solution would be to list all curves you want to use, including
> curves used by certificates, e.g.:
>
> ssl_ecdh_curve secp384r1:prime256v1;
>
> Or, better yet, just leave the default ("auto"); it will allow
> most common curves as supported by OpenSSL.
>
> --
> Maxim Dounin
> http://nginx.org/
>
> _______________________________________________
> nginx mailing list
> [email protected]
> http://mailman.nginx.org/mailman/listinfo/nginx
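The rule Maxim describes (since nginx 1.11.0, a curve missing from ssl_ecdh_curve cannot be used at all, including by the certificate itself) is easy to check for at configuration time. The following is an added example, not code from nginx or OpenSSL: it parses an ssl_ecdh_curve value, normalises the curve-name aliases OpenSSL accepts (the thread itself notes that secp256r1 and prime256v1 are the same curve; the other aliases and the treatment of "auto" as permissive are assumptions of this example), and reports whether the certificate's curve is covered, offering a corrected directive when it is not. The certificate curve is passed in as a string, which is what `openssl x509 -text` prints under "ASN1 OID".

```python
"""Check an nginx ssl_ecdh_curve value against the curve of the server certificate.

Added example, not nginx or OpenSSL code.  Models the behaviour described in
the thread: with SSL_CTX_set1_curves_list() (nginx >= 1.11.0) a curve that is
not listed in ssl_ecdh_curve is unusable, even for the certificate's own key.
"""
from typing import List, Tuple

# OpenSSL accepts several names for the same NIST curve.  This alias table is an
# assumption of the example, restricted to the curves whose aliases are known:
# secp256r1/P-256 are the same curve as prime256v1 (as noted in the thread).
_ALIASES = {
    "secp256r1": "prime256v1",
    "p-256": "prime256v1",
    "p-384": "secp384r1",
    "p-521": "secp521r1",
}


def canonical(name: str) -> str:
    """Return one canonical, lower-case spelling for a curve name."""
    n = name.strip().lower()
    return _ALIASES.get(n, n)


def parse_ecdh_curve(value: str) -> List[str]:
    """Parse a colon-separated ssl_ecdh_curve value such as 'secp384r1:prime256v1;'."""
    value = value.strip().rstrip(";").strip()
    if not value:
        raise ValueError("empty ssl_ecdh_curve value")
    curves = [canonical(c) for c in value.split(":") if c.strip()]
    if not curves:
        raise ValueError("ssl_ecdh_curve contains no curve names")
    return curves


def check_certificate_curve(directive_value: str, cert_curve: str) -> Tuple[bool, str]:
    """Return (ok, reason) for a certificate curve under the given directive.

    'auto' is treated as permissive: nginx then leaves the choice to OpenSSL's
    built-in default list, which the thread says covers the most common curves
    (assumption: the certificate's curve is among them).
    """
    curves = parse_ecdh_curve(directive_value)
    cert = canonical(cert_curve)
    if "auto" in curves:
        return True, "auto: OpenSSL default curve list; %s assumed to be included" % cert
    if cert in curves:
        return True, "certificate curve %s is listed in ssl_ecdh_curve" % cert
    return False, (
        "certificate curve %s is not in ssl_ecdh_curve (%s); since nginx 1.11.0 "
        "handshakes with this certificate will fail" % (cert, ":".join(curves))
    )


def suggested_directive(directive_value: str, cert_curve: str) -> str:
    """Return the directive value with the certificate's curve appended if missing."""
    curves = parse_ecdh_curve(directive_value)
    cert = canonical(cert_curve)
    if "auto" in curves or cert in curves:
        return ":".join(curves)
    return ":".join(curves + [cert])


if __name__ == "__main__":
    # Constructed sample values mirroring the thread: a prime256v1 certificate
    # behind an ssl_ecdh_curve that only lists secp384r1.
    for directive in ("secp384r1", "secp384r1:prime256v1", "auto"):
        ok, reason = check_certificate_curve(directive, "secp256r1")
        print("%-22s -> %s: %s" % (directive, "OK " if ok else "BAD", reason))
        if not ok:
            print("    suggested: ssl_ecdh_curve %s;" % suggested_directive(directive, "secp256r1"))
```

Running the script reproduces the situation in the thread: `secp384r1` alone is flagged, `secp384r1:prime256v1` passes, and `auto` passes under the stated assumption. The check is deliberately name-based and offline; it does not prove that the running OpenSSL build supports every listed curve, only that the configuration is consistent with the certificate.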
