Forum: NGINX ECC Certificates and SNI

7a7c51366e39603df74feef200a3a1c1?d=identicon&s=25 Aleksandar Lazic (Guest)
on 2014-08-13 21:23
(Received via mailing list)
Hi.

today I have setuped a second SSL VHost with ECC.

Why is the default server able to offer TLS 1.2 but the second one not?


/usr/sbin/nginx -c /etc/nginx/nginx.conf -V
nginx version: nginx/1.7.4
built by gcc 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5)
TLS SNI support enabled

from nginx.org.

Global ssl-setup:

egrep -v '^(#|$)' /home/nginx/installed/conf/ssl.conf

         add_header Strict-Transport-Security "max-age=2628000;
includeSubDomains";
         ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
         ssl_session_cache   shared:SSL:10M;
         ssl_session_timeout 10m;
         ssl_prefer_server_ciphers on;
         ssl_dhparam /etc/ssl/dh_2048.pem;
         ssl_trusted_certificate
/home/nginx/installed/conf/ssl_dir/certs/CACert_Certs.pem;
         ssl_stapling on;
############

The first VHost

listen       443 default_server ssl spdy;
listen  [::]:443 default_server ssl spdy;
server_name  xxxx;

Check on ssllabs.com

##################
Key   EC 384 bits
Issuer    COMODO ECC Domain Validation Secure Server CA
Signature algorithm   SHA256withECDSA
Extended Validation   No
Revocation information   CRL, OCSP
Revocation status   Good (not revoked)
Trusted   Yes


Protocols
---------
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3   No
SSL 2   No

Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and
SSL 2 suites always at the end)
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)   ECDH 256 bits (eq.
3072 bits RSA)   FS    256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)   ECDH 256 bits (eq.
3072 bits RSA)   FS    128
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)   ECDH 256 bits (eq.
3072 bits RSA)   FS    256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)   ECDH 256 bits (eq.
3072 bits RSA)   FS    128
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)   ECDH 256 bits (eq. 3072
bits RSA)   FS    256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)   ECDH 256 bits (eq. 3072
bits RSA)   FS    128
#############

The second one
         listen       443 ssl spdy;
         listen  [::]:443 ssl spdy;
         server_name  xxx;

############
Key   EC 384 bits
Issuer    COMODO ECC Domain Validation Secure Server CA
Signature algorithm   SHA256withECDSA
Extended Validation   No
Revocation information   CRL, OCSP
Revocation status   Good (not revoked)
Trusted   Yes

Protocols
----------
TLS 1.2 No
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3   No
SSL 2   No

Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and
SSL 2 suites always at the end)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)   ECDH 256 bits (eq. 3072
bits RSA)   FS    256
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)   ECDH 256 bits (eq. 3072
bits RSA)   FS    112
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)   ECDH 256 bits (eq. 3072
bits RSA)   FS    128
#############

Firefox 31.0 on gentoo is not able to connect.
Chromium Version 37.0.2062.68 (287650) (64-bit) is able to connect but
also only with TLS 1.1

Any Ideas what's wrong?

Thanks for help

Best regards
Aleks
7a7c51366e39603df74feef200a3a1c1?d=identicon&s=25 Aleksandar Lazic (Guest)
on 2014-08-13 21:32
(Received via mailing list)
This is the output of the debug log.

######################
2014/08/13 21:29:46 [debug] 915#0: *1 SSL certificate status callback
2014/08/13 21:29:46 [debug] 915#0: *1 SSL NPN advertised
2014/08/13 21:29:46 [debug] 915#0: *1 SSL_do_handshake: -1
2014/08/13 21:29:46 [debug] 915#0: *1 SSL_get_error: 1
2014/08/13 21:29:46 [crit] 915#0: *1 SSL_do_handshake() failed (SSL:
error:1409B044:SSL routines:SSL3_SEND_SERVER_KEY_EXCHANGE:internal
error) while SSL handshaking, client: <MY_CLIENT>, server: 0.0.0.0:443
2014/08/13 21:29:46 [debug] 915#0: *1 close http connection: 81
2014/08/13 21:29:46 [debug] 915#0: *1 SSL_shutdown: 1
2014/08/13 21:29:46 [debug] 915#0: *1 event timer del: 81: 1407958246379
2014/08/13 21:29:46 [debug] 915#0: *1 reusable connection: 0
2014/08/13 21:29:46 [debug] 915#0: *1 free: 0000000000D9CB60, unused: 0
2014/08/13 21:29:46 [debug] 915#0: *1 free: 0000000000EBDEC0, unused:
104
######################


Am 13-08-2014 21:23, schrieb Aleksandar Lazic:
1266aa99d1601b47bbd3ec22affbb81c?d=identicon&s=25 B.R. (Guest)
on 2014-08-16 11:54
(Received via mailing list)
Hello,

The error comes from OpenSSL.

From its name, I wouldsay the constant being check is one that OpenSSL
sets
during handshake.
From its name too, I wouls say this applies to a SSLv3 handshake.
OpenSSL
has a corresponding TLSv1 constant named DTLS1_SEND_SERVER_KEY_EXCHANGE.
Seems like a bug, possibly related to the (non widespread) use of ECC
certificates.

Before really calling out for a bug: you say SSLv3 is disabled. Please
be
really sure of that.

Check the OpenSSL library your nginx has been linked against. I suggest
you
update that package on your system and retry.
Try balance between sufficiently up-to-date version and avoinding
versions
with well-known vulnerabilities.

Hope I helped,
---
*B. R.*
7a7c51366e39603df74feef200a3a1c1?d=identicon&s=25 Aleksandar Lazic (Guest)
on 2014-08-31 17:24
(Received via mailing list)
Dear B. R.

It looks like this is a firefox isssue.

With chomium 38 and curl and s_client I was able to connect.

##########
openssl version -a
OpenSSL 1.0.1 14 Mar 2012
built on: Thu Aug 7 13:42:02 UTC 2014
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2
-fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security
-Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions
-Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT
-DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 -DMD32_REG_T=int
-DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5
-DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM
-DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM

/usr/sbin/nginx -c /etc/nginx/nginx.conf -V
nginx version: nginx/1.7.4
built by gcc 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx
--conf-path=/etc/nginx/nginx.conf
--error-log-path=/var/log/nginx/error.log
--http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid
--lock-path=/var/run/nginx.lock
--http-client-body-temp-path=/var/cache/nginx/client_temp
--http-proxy-temp-path=/var/cache/nginx/proxy_temp
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp
--http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx
--group=nginx --with-http_ssl_module --with-http_realip_module
--with-http_addition_module --with-http_sub_module
--with-http_dav_module --with-http_flv_module --with-http_mp4_module
--with-http_gunzip_module --with-http_gzip_static_module
--with-http_random_index_module --with-http_secure_link_module
--with-http_stub_status_module --with-http_auth_request_module
--with-mail --with-mail_ssl_module --with-file-aio
--with-http_spdy_module --with-cc-opt='-g -O2 -fstack-protector
--param=ssp-buffer-size=4 -Wformat -Wformat-security
-Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions
-Wl,-z,relro -Wl,--as-needed' --with-ipv6

ldd /usr/sbin/nginx
 linux-vdso.so.1 => (0x00007fff54dfe000)
 libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0
(0x00007fdac5938000)
 libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1
(0x00007fdac56ff000)
 libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007fdac54c1000)
 libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0
(0x00007fdac5263000)
 libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
(0x00007fdac4e88000)
 libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fdac4c70000)
 libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fdac48b1000)
 /lib64/ld-linux-x86-64.so.2 (0x00007fdac5b63000)
 libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fdac46ad000)

ldd $(which openssl)
 linux-vdso.so.1 => (0x00007fffdddfe000)
 libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0
(0x00007fbd557c6000)
 libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
(0x00007fbd553eb000)
 libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fbd5502b000)
 libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fbd54e27000)
 libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fbd54c10000)
 /lib64/ld-linux-x86-64.so.2 (0x00007fbd55a32000)

#########

cheers a l

Am 16-08-2014 11:53, schrieb B.R.:

> Check the OpenSSL library your nginx has been linked against. I suggest you
update that package on your system and retry.
> http://mailman.nginx.org/mailman/listinfo/nginx [1]
Links:
Please log in before posting. Registration is free and takes only a minute.
Existing account

NEW: Do you have a Google/GoogleMail, Yahoo or Facebook account? No registration required!
Log in with Google account | Log in with Yahoo account | Log in with Facebook account
No account? Register here.