I was running nginx 1.9.12 on Ubuntu 14.04 built from the source tarball
with these options: --with-ipv6 --with-http_ssl_module
–with-http_v2_module --with-openssl=/openssl-1.0.2g
While switching to a new server, I also wanted to switch to the nginx
Docker container using my existing nginx config.
The issue seems to be related to the ssl_ecdh_curve setting. In my
config I set it to secp384r1. With this setting present clients won’t
connect. This is what curl outputs:
When I remove ssl_ecdh_curve from my config or set it to auto (which is
the default) everything works fine.
To investigate this issue further I created a virtual machine running
Ubuntu 16.04 and installed the latest nginx from the official package
source: nginx: Linux packages I was able to reproduce
the exact same issue in this virtual machine.
Do you have an idea what’s going on here? Please let me know if you need
any additional information.
To investigate this issue further I created a virtual machine running Ubuntu
16.04 and installed the latest nginx from the official package source: nginx: Linux packages I was able to reproduce the exact same
issue in this virtual machine.
Do you have an idea what’s going on here? Please let me know if you need any
additional information.
It looks like the client doesn’t support the curve you’ve
configured, and non-ECDH ciphers are disabled.
On Tue, Jul 05, 2016 at 04:02:21PM +0200, Florian Reinhart wrote:
That’s why I don’t think it is a client issue.
Yes, at least browsers are expected to support secp384r1, so it’s
probably something different.
Which certificate do you use? Is it the same as on the old
server? Such a situation can easily happen if the only
certificate available is ECDSA one and uses, e.g., prime256v1 (not
secp384r1), but only secp384r1 is enabled by the configuration.
Looking into nginx error logs might also somewhat help to diagnose
what goes on here.
It is the same certificate on both servers and it is indeed a secp256r1
aka prime256v1 certificate. So does this mean, I have to use prime256v1
for ssl_ecdh_curve with this certificate? It’s still strange that it
used to work before…
Here is what the error log says:
2016/07/05 16:57:09 [info] 2525#2525: *115 SSL_do_handshake() failed
(SSL: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared
cipher) while SSL handshaking, client: 192.168.241.1, server:
0.0.0.0:443
On Tue, Jul 05, 2016 at 05:02:07PM +0200, Florian Reinhart wrote:
It is the same certificate on both servers and it is indeed a
secp256r1 aka prime256v1 certificate. So does this mean, I have
to use prime256v1 for ssl_ecdh_curve with this certificate? It’s
still strange that it used to work before…
Since version 1.11.0 nginx uses the new SSL_CTX_set1_curves_list()
interface if available to configure supported curves, instead of
previously used EC_KEY_new_by_curve_name()/SSL_CTX_set_tmp_ecdh().
This new interface is generally better as it allows configuring
multiple curves.
I’ve just tested, and it looks like this new interface is also
more strict. With previous interface it was possible to use any
certificate regardless of the ssl_ecdh_curve setting, and that’s
why it worked for you in older versions. The new interface does
not allow to use curves which are not listed at all, including
certificates using these curves.
Solution would be to list all curves you want to use, including
curves used by certificates, e.g.:
ssl_ecdh_curve secp384r1:prime256v1;
Or, better yet, just leave the default (“auto”), it will allow
most common curves as supported by OpenSSL.
On Wed, Jul 06, 2016 at 09:15:59AM +0200, Florian Reinhart wrote:
Is there any way to know what curves “auto” will include on my
system?
This is not currently possible, AFAIK, and depends on the OpenSSL
library used. Here is a short summary for varions OpenSSL version
I’ve previously looked into:
OpenSSL 1.0.2, 1.0.2a: all curves supported, strongest first.
Full list is available via “openssl ecparam -list_curves”.
OpenSSL 1.0.2b … 1.0.2h: limited default list with at least
256 bits, prime256v1 (aka P-256) first. List in OpenSSL 1.0.2g
is as follows: