This is the output of the debug log.

######################
2014/08/13 21:29:46 [debug] 915#0: *1 SSL certificate status callback
2014/08/13 21:29:46 [debug] 915#0: *1 SSL NPN advertised
2014/08/13 21:29:46 [debug] 915#0: *1 SSL_do_handshake: -1
2014/08/13 21:29:46 [debug] 915#0: *1 SSL_get_error: 1
2014/08/13 21:29:46 [crit] 915#0: *1 SSL_do_handshake() failed (SSL: error:1409B044:SSL routines:SSL3_SEND_SERVER_KEY_EXCHANGE:internal error) while SSL handshaking, client: <MY_CLIENT>, server: 0.0.0.0:443
2014/08/13 21:29:46 [debug] 915#0: *1 close http connection: 81
2014/08/13 21:29:46 [debug] 915#0: *1 SSL_shutdown: 1
2014/08/13 21:29:46 [debug] 915#0: *1 event timer del: 81: 1407958246379
2014/08/13 21:29:46 [debug] 915#0: *1 reusable connection: 0
2014/08/13 21:29:46 [debug] 915#0: *1 free: 0000000000D9CB60, unused: 0
2014/08/13 21:29:46 [debug] 915#0: *1 free: 0000000000EBDEC0, unused: 104
######################


On 13-08-2014 21:23, Aleksandar Lazic wrote:
Hi.

today I have set up a second SSL VHost with ECC.

Why is the default server able to offer TLS 1.2 but the second one not?


/usr/sbin/nginx -c /etc/nginx/nginx.conf -V
nginx version: nginx/1.7.4
built by gcc 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5)
TLS SNI support enabled

from nginx.org.

Global ssl-setup:

egrep -v '^(#|$)' /home/nginx/installed/conf/ssl.conf

        add_header Strict-Transport-Security "max-age=2628000; includeSubDomains";
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache   shared:SSL:10M;
        ssl_session_timeout 10m;
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/ssl/dh_2048.pem;
        ssl_trusted_certificate /home/nginx/installed/conf/ssl_dir/certs/CACert_Certs.pem;
        ssl_stapling on;
############

The first VHost

listen       443 default_server ssl spdy;
listen  [::]:443 default_server ssl spdy;
server_name  xxxx;

Check on ssllabs.com

##################
Key     EC 384 bits
Issuer          COMODO ECC Domain Validation Secure Server CA
Signature algorithm     SHA256withECDSA
Extended Validation     No
Revocation information  CRL, OCSP
Revocation status       Good (not revoked)
Trusted         Yes


Protocols
---------
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3   No
SSL 2   No

Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites always at the end)
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)   ECDH 256 bits (eq. 3072 bits RSA)   FS   256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)   ECDH 256 bits (eq. 3072 bits RSA)   FS   128
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)   ECDH 256 bits (eq. 3072 bits RSA)   FS   256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)   ECDH 256 bits (eq. 3072 bits RSA)   FS   128
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)      ECDH 256 bits (eq. 3072 bits RSA)   FS   256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)      ECDH 256 bits (eq. 3072 bits RSA)   FS   128
#############

The second one
        listen       443 ssl spdy;
        listen  [::]:443 ssl spdy;
        server_name  xxx;

############
Key     EC 384 bits
Issuer          COMODO ECC Domain Validation Secure Server CA
Signature algorithm     SHA256withECDSA
Extended Validation     No
Revocation information  CRL, OCSP
Revocation status       Good (not revoked)
Trusted         Yes

Protocols
----------
TLS 1.2 No
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3   No
SSL 2   No

Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites always at the end)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)      ECDH 256 bits (eq. 3072 bits RSA)   FS   256
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)     ECDH 256 bits (eq. 3072 bits RSA)   FS   112
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)      ECDH 256 bits (eq. 3072 bits RSA)   FS   128
#############

Firefox 31.0 on Gentoo is not able to connect.
Chromium Version 37.0.2062.68 (287650) (64-bit) is able to connect, but also only with TLS 1.1.

Any ideas what's wrong?

Thanks for help

Best regards
Aleks

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
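As an added example (not from this thread or from nginx), the following script triages nginx error-log lines of the kind quoted at the top of the reply: it picks out the "SSL_do_handshake() failed" entries, parses the OpenSSL error string, and unpacks the numeric code into library, function and reason numbers using the OpenSSL 1.0.x ERR_PACK layout (8-bit library, 12-bit function, 12-bit reason; reason bit 64 = ERR_R_FATAL), which is an assumption about the OpenSSL version nginx was built against. The sample log is constructed from the lines in this thread.

```python
import re
from collections import Counter

# Constructed sample: nginx debug/crit lines as quoted in this thread.
SAMPLE_LOG = """\
2014/08/13 21:29:46 [debug] 915#0: *1 SSL_do_handshake: -1
2014/08/13 21:29:46 [debug] 915#0: *1 SSL_get_error: 1
2014/08/13 21:29:46 [crit] 915#0: *1 SSL_do_handshake() failed (SSL: error:1409B044:SSL routines:SSL3_SEND_SERVER_KEY_EXCHANGE:internal error) while SSL handshaking, client: <MY_CLIENT>, server: 0.0.0.0:443
2014/08/13 21:29:46 [debug] 915#0: *1 close http connection: 81
"""

# nginx error-log prefix: "<date> <time> [<level>] <pid>#<tid>: *<conn> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r"(?P<pid>\d+)#(?P<tid>\d+): \*(?P<conn>\d+) (?P<msg>.*)$"
)
# OpenSSL error string: error:<8 hex digits>:<library>:<function>:<reason>
HANDSHAKE_RE = re.compile(
    r"SSL_do_handshake\(\) failed \(SSL: error:(?P<code>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^)]+)\) while SSL handshaking"
    r"(?:, client: (?P<client>[^,]+))?(?:, server: (?P<server>\S+))?"
)

ERR_R_FATAL = 64  # assumption: OpenSSL 1.0.x reason-code fatal flag


def unpack_openssl_error(code: int) -> dict:
    """Split a packed OpenSSL 1.0.x error code (assumed ERR_PACK layout):
    library = top 8 bits, function = next 12 bits, reason = low 12 bits."""
    return {"lib_num": code >> 24,
            "func_num": (code >> 12) & 0xFFF,
            "reason_num": code & 0xFFF}


def parse_handshake_failures(log_text: str) -> list:
    """Return one dict per failed-handshake log line, with the log prefix,
    the textual OpenSSL error fields, the unpacked numbers and a fatal flag."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        h = HANDSHAKE_RE.search(m["msg"]) if m else None
        if not h:
            continue  # not a handshake failure: debug noise, other errors
        code = int(h["code"], 16)
        ev = {**m.groupdict(), **h.groupdict(), "code": code,
              **unpack_openssl_error(code)}
        ev["fatal"] = bool(ev["reason_num"] & ERR_R_FATAL)
        events.append(ev)
    return events


def summarize(events: list) -> Counter:
    """Count failures per (function, reason); a vhost with a broken
    key-exchange configuration shows up as a spike in one bucket."""
    return Counter((e["func"], e["reason"]) for e in events)
```

Run it over a full error.log to see whether the failures cluster on one OpenSSL function and reason (here SSL3_SEND_SERVER_KEY_EXCHANGE / internal error on the server-side key exchange), which narrows the fault to the ECDHE/DH setup of the affected server block.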
