I was running nginx 1.9.12 on Ubuntu 14.04 built from the source tarball
with these options: --with-ipv6 --with-http_ssl_module
While switching to a new server, I also wanted to switch to the nginx
Docker container using my existing nginx config.
First, I discovered an issue with missing ALPN support due to an old
OpenSSL version in Debian Jessie (see
https://github.com/nginxinc/docker-nginx/issues/76). Therefore, I
switched to the Alpine image and discovered another issue.
The issue seems to be related to the ssl_ecdh_curve setting. In my
config I set it to secp384r1. With this setting present clients won’t
connect. This is what curl outputs:
curl -vvvv -k "https://localhost"
* Rebuilt URL to: https://localhost/
*   Trying ::1...
* connect to ::1 port 443 failed: Connection refused
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection:
* successfully set certificate verify locations:
*   CAfile: /usr/local/etc/openssl/cert.pem
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Unknown (21):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
When I remove ssl_ecdh_curve from my config or set it to auto (which is
the default) everything works fine.
To investigate this issue further I created a virtual machine running
Ubuntu 16.04 and installed the latest nginx from the official package
source (http://nginx.org/en/linux_packages.html). I was able to reproduce
the exact same issue in this virtual machine.
Do you have an idea what’s going on here? Please let me know if you need
any additional information.