
SSL Nginx 1.11.0 introduces dual ECDSA + RSA SSL certificate support !

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, May 25, 2016.

  1. rdan

    rdan Well-Known Member

    Thanks, I got it now.

     
  2. eva2000

    eva2000 Administrator Staff Member

    It doesn't matter much, as that is just the server's preferred order, but the client forces Nginx to fall back to serving with P-256 in either case, as you can see in the SSL Labs listing of clients/browsers (with the exception on my site of Firefox 53/Win).

    Your site's Server Temp Key
    Code (Text):
    echo n | openssl s_client -debug -connect phcorner.net:443 2>&1 | grep -A12 'Server Temp Key:'
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 3361 bytes and written 415 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
    Server public key is 256 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256
    

    my site
    Code (Text):
    echo n | openssl s_client -debug -connect http2.centminmod.com:443 2>&1 | grep -A12 'Server Temp Key:'
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 2779 bytes and written 415 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
    Server public key is 256 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256
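
Added check, not code from the thread: a small Python parser for the openssl s_client output shown above. It reports the negotiated temp key group and whether the server presented its ECDSA or RSA certificate, so a dual-cert vhost can be verified by running s_client once with an ECDSA-only and once with an RSA-only -cipher restriction. Both sample outputs are constructed; the TLS 1.3 "Peer signature type" line is what newer OpenSSL versions print when the cipher name no longer identifies the certificate type.

```python
import re

# Constructed sample of openssl s_client output for a TLS 1.2 handshake (same shape as above).
SAMPLE_TLS12 = """Server Temp Key: ECDH, P-256, 256 bits
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
Server public key is 256 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256
"""

# Constructed sample for TLS 1.3: the cipher name no longer encodes the
# certificate type, so the "Peer signature type" line has to be used instead.
SAMPLE_TLS13 = """Server Temp Key: X25519, 253 bits
Peer signature type: RSA-PSS
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
"""

def parse_s_client(output: str) -> dict:
    """Return the negotiated key-exchange group, protocol, cipher and certificate type."""
    info = {"temp_key": None, "protocol": None, "cipher": None, "cert_type": None}
    m = re.search(r"Server Temp Key:\s*(.+)", output)
    if m:
        # "ECDH, P-256, 256 bits" -> "P-256"; "X25519, 253 bits" -> "X25519";
        # "DH, 2048 bits" -> "DH" (finite-field group from nginx's dhparam.pem)
        parts = [p.strip() for p in m.group(1).split(",")]
        info["temp_key"] = parts[1] if parts[0] == "ECDH" else parts[0]
    m = re.search(r"Protocol\s*:\s*(\S+)", output)
    info["protocol"] = m.group(1) if m else None
    m = re.search(r"Cipher\s*:\s*(\S+)", output)
    cipher = m.group(1) if m else ""
    info["cipher"] = cipher or None
    if cipher.startswith("TLS_"):            # TLS 1.3 suite: consult the signature type line
        m = re.search(r"Peer signature type:\s*(\S+)", output)
        sig = m.group(1).upper() if m else ""
        info["cert_type"] = "RSA" if sig.startswith("RSA") else (sig or None)
    elif "ECDSA" in cipher:
        info["cert_type"] = "ECDSA"
    elif "RSA" in cipher:
        info["cert_type"] = "RSA"
    return info

def verify_dual_cert(ecdsa_run: str, rsa_run: str) -> bool:
    """True when the ECDSA-restricted run got the ECDSA cert and the RSA-restricted run the RSA cert."""
    return (parse_s_client(ecdsa_run)["cert_type"] == "ECDSA"
            and parse_s_client(rsa_run)["cert_type"] == "RSA")
```

Capture the two inputs for verify_dual_cert with `openssl s_client -cipher ECDHE-ECDSA-AES128-GCM-SHA256 ...` and `-cipher ECDHE-RSA-AES128-GCM-SHA256 ...` against the same host; a single-cert vhost fails one of the two handshakes.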
    
     
  3. rdan

    rdan Well-Known Member

  4. eva2000

    eva2000 Administrator Staff Member

    All Centmin Mod Nginx vhosts with HTTP/2 HTTPS auto generate a 2048bit dhparam.pem for SSL
    Yes, because it's client/browser negotiated as to what key exchange group is supported AFAIK.
    Yes, smaller SSL cert as letsencrypt vs Comodo, and some fields not populated AFAIK.
     
  5. rdan

    rdan Well-Known Member

    Maybe the issue here is with Comodo ECC and UCBrowser XP.
    I tried several approaches and I can't make it work.
     
  6. eva2000

    eva2000 Administrator Staff Member

    More bug fix work done on addons/acmetool.sh dual RSA + ECDSA letsencrypt SSL certificate support mode Beta Branch - acmetool.sh fix dual cert mode ssl_trusted_certificate concat :)
     
  7. buik

    buik “The best traveler is one without a camera.”

  8. eva2000

    eva2000 Administrator Staff Member

    letsencrypt root and intermediates are still RSA 2048bit based, not yet ECDSA based
     
  9. eva2000

    eva2000 Administrator Staff Member

    As ECDSA 256bit SSL certificates perform better than default standard RSA 2048bit SSL certificates, I'm curious how folks feel if nginx dual certificates (RSA+ECDSA SSL) were set as the default for Centmin Mod 123.09beta01 issued letsencrypt SSL certs? So both variables would default to
    Code (Text):
    LETSENCRYPT_DETECT='y'
    DUALCERTS='y'
    

    to enable letsencrypt SSL cert support + enable nginx dual certificates (RSA+ECDSA SSL).

    It means when you set up Nginx with HTTP/2 HTTPS, 2 SSL certificates are issued, one for RSA 2048bit + one for ECDSA 256bit, so they are served to browsers which support them. The concern I had with enabling nginx dual SSL certificates is potentially running up against letsencrypt SSL cert issuance rate limits if you have a lot of new nginx HTTP/2 HTTPS sites all created at once.

    What do folks think?
     
  10. diy

    diy Member

    Centminmod features are always appreciated, even in those times when we don't need to use them. :)