Hi all,

I was running nginx 1.9.12 on Ubuntu 14.04 built from the source tarball with 
these options: --with-ipv6 --with-http_ssl_module --with-http_v2_module 
--with-openssl=/openssl-1.0.2g

While switching to a new server, I also wanted to switch to the nginx Docker 
container using my existing nginx config.

First, I discovered an issue with missing ALPN support due to an old OpenSSL 
version in Debian Jessie (see 
https://github.com/nginxinc/docker-nginx/issues/76 ). Therefore, I switched to 
the Alpine image and discovered another issue.

The issue seems to be related to the ssl_ecdh_curve setting. In my config I set 
it to secp384r1. With this setting present, clients won’t connect. This is what 
curl outputs:

curl -vvvv -k "https://localhost"
* Rebuilt URL to: https://localhost/
*   Trying ::1...
* connect to ::1 port 443 failed: Connection refused
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /usr/local/etc/openssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Unknown (21):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure


When I remove ssl_ecdh_curve from my config or set it to auto (which is the 
default) everything works fine.

To investigate this issue further I created a virtual machine running Ubuntu 
16.04 and installed the latest nginx from the official package source: 
http://nginx.org/en/linux_packages.html. I was able to reproduce the exact same 
issue in this virtual machine.

Do you have an idea what’s going on here? Please let me know if you need any 
additional information.

Thanks!
Florian
_______________________________________________
nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx
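A small config check, added here as an example and not part of the thread: it pulls the ssl_ecdh_curve list out of an nginx config and reports whether a client that offers only the given supported groups (assumed here to be X25519 and P-256, which is what most current clients advertise) still has a curve in common with the server. When the two lists share nothing, an ECDHE-only server has no key exchange left to use and answers the ClientHello with the handshake_failure alert seen in the curl trace. The sample configs are constructed.

```python
import re

# Aliases OpenSSL accepts in a curve list, folded to one canonical name each.
_ALIASES = {"secp256r1": "prime256v1", "P-256": "prime256v1",
            "P-384": "secp384r1", "P-521": "secp521r1"}
_DIRECTIVE = re.compile(r"^\s*ssl_ecdh_curve\s+([^;#]+);", re.MULTILINE)


def canonical(name):
    return _ALIASES.get(name.strip(), name.strip())


def parse_ecdh_curves(config_text):
    """Curves from the last ssl_ecdh_curve directive; ['auto'] when the directive is absent."""
    found = _DIRECTIVE.findall(config_text)
    if not found:
        return ["auto"]  # nginx default since 1.11.0 (earlier releases defaulted to prime256v1)
    return [canonical(c) for c in found[-1].split(":") if c.strip()]


def negotiable_groups(server_curves, client_groups):
    """Groups both sides accept, in server order. 'auto' defers to OpenSSL's built-in
    list; this check simplifies by assuming that list covers whatever the client offers."""
    client = {canonical(g) for g in client_groups}
    if server_curves == ["auto"]:
        return [canonical(g) for g in client_groups]
    return [c for c in server_curves if c in client]


def check_config(config_text, client_groups=("X25519", "prime256v1")):
    """Return (ok, message). Not ok means a server with only ECDHE suites enabled would
    send handshake_failure to a client whose supported_groups is exactly client_groups."""
    curves = parse_ecdh_curves(config_text)
    common = negotiable_groups(curves, client_groups)
    if common:
        return True, "ssl_ecdh_curve %s: clients offering %s can negotiate %s" % (
            ":".join(curves), ", ".join(client_groups), common[0])
    return False, "ssl_ecdh_curve %s shares no group with clients offering %s" % (
        ":".join(curves), ", ".join(client_groups))


# Constructed sample configs: the setting from the post, and a list that keeps P-256.
STRICT_CONFIG = "server {\n    listen 443 ssl;\n    ssl_ecdh_curve secp384r1;\n}\n"
PERMISSIVE_CONFIG = "server {\n    listen 443 ssl;\n    ssl_ecdh_curve secp384r1:prime256v1;\n}\n"

if __name__ == "__main__":
    for cfg in (STRICT_CONFIG, PERMISSIVE_CONFIG):
        print(check_config(cfg)[1])
```

The check only reasons about the configured list against an assumed client list; it does not say which groups a particular curl or OpenSSL build actually sends, so pair it with a real ClientHello capture when diagnosing a live server.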
