So updating to OpenSSL 1.1.0g Thanks, I got it now.
doesn't matter much as that is just server preferred order, but the client forces Nginx to fall back to serving with P-256 in either case, as you can see in the SSLLabs listing of clients/browsers (with the exception on my site of Firefox 53/Win).

Your site's Server Temp Key:

Code (Text):
    echo n | openssl s_client -debug -connect phcorner.net:443 2>&1 | grep -A12 'Server Temp Key:'
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 3361 bytes and written 415 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
    Server public key is 256 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256

My site:

Code (Text):
    echo n | openssl s_client -debug -connect http2.centminmod.com:443 2>&1 | grep -A12 'Server Temp Key:'
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 2779 bytes and written 415 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
    Server public key is 256 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256
I followed this guide here: Hybrid RSA and ECDSA certificates with NginX (the order of the RSA & ECDSA config). Does http2.centminmod.com use a 2048-bit dhparam.pem? That seems the same, except for: SSL handshake has read 2779 bytes and written 415 bytes.
All Centmin Mod Nginx vhosts with HTTP/2 HTTPS auto generate a 2048-bit dhparam.pem for SSL.

Yes, because it's client/browser negotiated as to what key exchange group is supported, AFAIK.

Yes, smaller SSL cert as Let's Encrypt vs Comodo, and some fields not populated, AFAIK.
Maybe the issue here is with Comodo ECC and UC Browser on XP. I tried several approaches and I can't make it work.
More bug fix work done on addons/acmetool.sh dual RSA + ECDSA letsencrypt SSL certificate support mode Beta Branch - acmetool.sh fix dual cert mode ssl_trusted_certificate concat
@eva2000 is ECDSA root and intermediates already in beta? Upcoming Features - Let's Encrypt - Free SSL/TLS Certificates
As ECDSA 256-bit SSL certificates perform better than default standard RSA 2048-bit SSL certificates, curious how folks feel if nginx dual certificates (RSA+ECDSA SSL) were set to default for Centmin Mod 123.09beta01 issued Let's Encrypt SSL certs? So both variables would default to:

Code (Text):
    LETSENCRYPT_DETECT='y'
    DUALCERTS='y'

to enable Let's Encrypt SSL cert support + enable nginx dual certificates (RSA+ECDSA SSL). It means when you set up Nginx with HTTP/2 HTTPS, 2 SSL certificates are issued, one for RSA 2048-bit + one for ECDSA 256-bit, so they are served to browsers which support them. The concern I had with enabling nginx dual SSL certificates is potentially running up to Let's Encrypt SSL cert issuance rate limits if you have a lot of new nginx HTTP/2 HTTPS sites all created at once. What do folks think?
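For readers who want to see what the dual RSA + ECDSA setup discussed in this thread looks like in nginx terms, here is an added example vhost (not Centmin Mod's generated config and not from the linked guide). It ties together the three points raised above: two certificate pairs, a server-preferred curve order that the client can still override, and a single concatenated ssl_trusted_certificate bundle for OCSP stapling. All file paths and the hostname are hypothetical placeholders.

```nginx
# Added example, not the project's own vhost template. Paths are placeholders.
server {
    listen 443 ssl http2;
    server_name example.com;

    # nginx 1.11.0+ accepts several ssl_certificate pairs with different key types.
    # Nginx picks the ECDSA chain when the client's signature_algorithms allow it,
    # otherwise it falls back to the RSA chain, so both are listed.
    ssl_certificate     /etc/ssl/example.com/ecdsa/fullchain.pem;
    ssl_certificate_key /etc/ssl/example.com/ecdsa/privkey.pem;
    ssl_certificate     /etc/ssl/example.com/rsa/fullchain.pem;
    ssl_certificate_key /etc/ssl/example.com/rsa/privkey.pem;

    # Server-preferred key-exchange groups. The negotiated group is still limited
    # to what the client offers in supported_groups, which is why most clients in
    # the s_client output above end up on "ECDH, P-256" regardless of this order.
    ssl_ecdh_curve X25519:prime256v1:secp384r1;

    # 2048-bit DH parameters; only used by DHE (not ECDHE) cipher suites.
    ssl_dhparam /etc/ssl/example.com/dhparam.pem;

    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    # ECDSA suites first so an ECDSA-capable client gets the smaller, faster cert.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305;

    # OCSP stapling verifies the stapled responses for BOTH chains against one
    # trusted bundle, so the RSA and ECDSA intermediates/roots are concatenated
    # into a single file (the "ssl_trusted_certificate concat" fix in the beta).
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/example.com/trusted-rsa-and-ecdsa-chains.pem;
    resolver 127.0.0.1 valid=300s;
}
```

After reloading, the same `openssl s_client ... | grep -A12 'Server Temp Key:'` check from earlier in the thread shows which key-exchange group and which certificate type (ECDHE-ECDSA vs ECDHE-RSA cipher) a given client actually negotiated.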