Hi.
today I have setuped a second SSL VHost with ECC.
Why is the default server able to offer TLS 1.2 but the second one not?
/usr/sbin/nginx -c /etc/nginx/nginx.conf -V
nginx version: nginx/1.7.4
built by gcc 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5)
TLS SNI support enabled
from nginx.org.
Global ssl-setup:
egrep -v ‘^(#|$)’ /home/nginx/installed/conf/ssl.conf
add_header Strict-Transport-Security "max-age=2628000;
includeSubDomains";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:10M;
ssl_session_timeout 10m;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/dh_2048.pem;
ssl_trusted_certificate
/home/nginx/installed/conf/ssl_dir/certs/CACert_Certs.pem;
ssl_stapling on;
############
The first VHost
listen 443 default_server ssl spdy;
listen [::]:443 default_server ssl spdy;
server_name xxxx;
Check on ssllabs.com
##################
Key EC 384 bits
Issuer COMODO ECC Domain Validation Secure Server CA
Signature algorithm SHA256withECDSA
Extended Validation No
Revocation information CRL, OCSP
Revocation status Good (not revoked)
Trusted Yes
Protocols
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No
Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and
SSL 2 suites always at the end)
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) ECDH 256 bits (eq.
3072 bits RSA) FS 256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) ECDH 256 bits (eq.
3072 bits RSA) FS 128
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024) ECDH 256 bits (eq.
3072 bits RSA) FS 256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023) ECDH 256 bits (eq.
3072 bits RSA) FS 128
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) ECDH 256 bits (eq. 3072
bits RSA) FS 256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) ECDH 256 bits (eq. 3072
bits RSA) FS 128
#############
The second one
listen 443 ssl spdy;
listen [::]:443 ssl spdy;
server_name xxx;
############
Key EC 384 bits
Issuer COMODO ECC Domain Validation Secure Server CA
Signature algorithm SHA256withECDSA
Extended Validation No
Revocation information CRL, OCSP
Revocation status Good (not revoked)
Trusted Yes
Protocols
TLS 1.2 No
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No
Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and
SSL 2 suites always at the end)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) ECDH 256 bits (eq. 3072
bits RSA) FS 256
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008) ECDH 256 bits (eq. 3072
bits RSA) FS 112
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) ECDH 256 bits (eq. 3072
bits RSA) FS 128
#############
Firefox 31.0 on gentoo is not able to connect.
Chromium Version 37.0.2062.68 (287650) (64-bit) is able to connect but
also only with TLS 1.1
Any Ideas what’s wrong?
Thanks for help
Best regards
Aleks