Problem with ECC certificates

Markus Weippert
May 04, 2014 10:54AM
Hi,

I'm having some strange issues using nginx 1.6 with ECC certs.
Handshakes fail for clients using TLSv1.2 and SNI but only if the
requested server block is not the default_server. The config looks like
this:

http {
    ssl_certificate ecc.crt;
    ssl_certificate_key ecc.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH+kEECDH+AESGCM:HIGH+kEECDH:HIGH+kEDH:HIGH:!aNULL;
    ssl_prefer_server_ciphers on;
    ssl_dhparam dhparam4096.pem;

    server {
        listen [::]:443 ssl spdy default_server ipv6only=off;
        server_name a.example.com;
        root /var/www/a;
    }

    server {
        listen [::]:443 ssl spdy;
        server_name b.example.com;
        root /var/www/b;
    }
}

This configuration works for:
- TLSv1.0/TLSv1.1 with SNI
- TLSv1.2 without SNI
- TLSv1.2 with SNI, but only for a.example.com

It does not work for TLSv1.2 with SNI for b.example.com:

# openssl s_client -connect b.example.com:443 -servername b.example.com
....
139718860113552:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert
internal error:s3_pkt.c:1256:SSL alert number 80
139718860113552:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:177:
....

The error.log says:
[crit] 21172#0: *486 SSL_do_handshake() failed (SSL: error:1409B044:SSL
routines:SSL3_SEND_SERVER_KEY_EXCHANGE:internal error) while SSL
handshaking, client: ::ffff:XXX.XXX.XXX.XXX, server: [::]:443

Same result when using Firefox/NSS.

Everything works fine if only the default_server uses the ECC cert:

http {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH+kEECDH+AESGCM:HIGH+kEECDH:HIGH+kEDH:HIGH:!aNULL;
    ssl_prefer_server_ciphers on;
    ssl_dhparam dhparam4096.pem;

    server {
        listen [::]:443 ssl spdy default_server ipv6only=off;
        server_name a.example.com;
        root /var/www/a;
        ssl_certificate ecc.crt;
        ssl_certificate_key ecc.key;
    }

    server {
        listen [::]:443 ssl spdy;
        server_name b.example.com;
        root /var/www/b;
        ssl_certificate rsa.crt;
        ssl_certificate_key rsa.key;
    }
}


Am I doing something wrong or is this a bug?

Regards,
Markus
nginx version: nginx/1.6.0
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fstack-protector
--param=ssp-buffer-size=4 -Wformat -Wformat-security
-Werror=format-security -D_FORTIFY_SOURCE=2'
--with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro'
--prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf
--http-log-path=/var/log/nginx/access.log
--error-log-path=/var/log/nginx/error.log
--lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid
--http-client-body-temp-path=/var/lib/nginx/body
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi
--http-proxy-temp-path=/var/lib/nginx/proxy
--http-scgi-temp-path=/var/lib/nginx/scgi
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit
--with-ipv6 --with-http_ssl_module --with-http_stub_status_module
--with-http_realip_module --with-http_auth_request_module
--with-http_addition_module --with-http_dav_module
--with-http_geoip_module --with-http_gzip_static_module
--with-http_image_filter_module --with-http_spdy_module
--with-http_sub_module --with-http_xslt_module --with-mail
--with-mail_ssl_module
--add-module=/build/buildd/nginx-1.6.0/debian/modules/nginx-auth-pam
--add-module=/build/buildd/nginx-1.6.0/debian/modules/nginx-dav-ext-module
--add-module=/build/buildd/nginx-1.6.0/debian/modules/nginx-echo
--add-module=/build/buildd/nginx-1.6.0/debian/modules/nginx-upstream-fair
--add-module=/build/buildd/nginx-1.6.0/debian/modules/ngx_http_substitutions_filter_module

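A way to rerun the handshake grid from the post and triage the two error strings it quotes, added here as an example; it is not code from the thread or from nginx. The hostnames, the 203.0.113.7 client address and the sample lines are constructed, and the probe functions need network access to the server under test.

```python
import re
import socket
import ssl

# Constructed copies of the two diagnostics in the post; client IP is a documentation address.
S_CLIENT_LINE = ("139718860113552:error:14094438:SSL routines:SSL3_READ_BYTES:"
                 "tlsv1 alert internal error:s3_pkt.c:1256:SSL alert number 80")
ERROR_LOG_LINE = ("[crit] 21172#0: *486 SSL_do_handshake() failed (SSL: error:1409B044:"
                  "SSL routines:SSL3_SEND_SERVER_KEY_EXCHANGE:internal error) while SSL "
                  "handshaking, client: ::ffff:203.0.113.7, server: [::]:443")

OPENSSL_ERR = re.compile(r"error:([0-9A-Fa-f]{8}):SSL routines:([A-Z0-9_]+):([^:)]+)")
ALERT_NUM = re.compile(r"SSL alert number (\d+)")
# TLS alert descriptions from RFC 5246 that matter for handshake triage. Alert 80
# (internal_error) means the *server* failed, so its error.log holds the real cause.
ALERTS = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error",
          112: "unrecognized_name"}

def parse_openssl_error(line):
    """Extract code, failing SSL function, reason and (if present) the alert name
    from an OpenSSL error string, as printed by s_client or wrapped by nginx."""
    m = OPENSSL_ERR.search(line)
    if not m:
        return None
    info = {"code": m.group(1).upper(), "function": m.group(2), "reason": m.group(3).strip()}
    a = ALERT_NUM.search(line)
    if a:
        info["alert"] = ALERTS.get(int(a.group(1)), "alert_" + a.group(1))
    return info

def probe(host, port=443, sni=None, version=None, timeout=5):
    """One TLS handshake to host:port. sni=None sends no SNI (s_client without
    -servername); version pins one ssl.TLSVersion as both min and max."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # the handshake is under test, not the chain
    if version is not None:
        ctx.minimum_version = ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=sni) as tls:
                return {"ok": True, "protocol": tls.version(), "cipher": tls.cipher()[0]}
    except (ssl.SSLError, OSError) as e:
        return {"ok": False, "error": str(e)}

def handshake_matrix(host, names, port=443):
    """Reproduce the post's grid: each TLS version, without SNI and with each name."""
    versions = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2)
    return [(v.name, sni or "-", probe(host, port, sni, v))
            for v in versions for sni in (None, *names)]
```

Calling handshake_matrix("a.example.com", ["a.example.com", "b.example.com"]) against the poster's first configuration would show the single failing cell (TLSv1_2 with SNI b.example.com); on modern OpenSSL builds the TLSv1 and TLSv1.1 rows may fail on the client side for policy reasons unrelated to the server.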