Hi,
I have Nginx running for many OpenBSD releases, with TLS enabled (Let's
Encrypt certificates). I upgraded recently to:
OpenBSD 6.6-current (GENERIC.MP) #626: Thu Jan 30 19:26:22 MST 2020
deraadt@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
and recent package snapshot:
# awk '/digital-signature/ {print $NF}' /var/db/pkg/quirks-3.223/+CONTENTS
signify2:2020-01-30T18:08:23Z:external
I see a problem with Chrome and Firefox on Windows and on OpenBSD.
Firefox returns SSL_ERROR_DECODE_ERROR_ALERT and Chrome returns
ERR_SSL_PROTOCOL_ERROR.
Is it a known problem? I don't see this issue with httpd(8) and a similar
setup.
Example domain which you can have a look at is https://ports.to/ or
https://www.secure.io/
Snippet from nginx.conf:
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name ports.to www.ports.to;
    root /data/www/ports-readmes;
    gzip off;
    ssl_certificate /etc/ssl/ports.to-full.crt;
    ssl_certificate_key /etc/ssl/private/ports.to.key;
    ssl_dhparam /etc/ssl/dh4096.pem;
    ssl_session_cache shared:SSL:5m;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH@STRENGTH:!aNULL:!eNULL;
    ssl_prefer_server_ciphers on;
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name secure.io www.secure.io;
    root /data/www/default;
    gzip off;
    ssl_certificate /etc/ssl/nginx.crt;
    ssl_certificate_key /etc/ssl/private/server.key;
    ssl_dhparam /etc/ssl/dh4096.pem;
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:5m;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE+AEAD+HIGH@STRENGTH:!aNULL:!eNULL:!AES128,DHE+AEAD+HIGH@STRENGTH:!aNULL:!eNULL:!AES128;
    ssl_prefer_server_ciphers on;
    ...
}
--
Regards,
Mikolaj