SSL Nginx 1.11.0 introduces dual ECDSA + RSA SSL certificate support !

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, May 25, 2016.

  1. rdan

    rdan Well-Known Member

    Thanks, I got it now.
     
  2. eva2000

    eva2000 Administrator Staff Member

    It doesn't matter much, as that is just the server's preferred order, but the client forces Nginx to fall back to serving with P-256 in either case, as you can see in the SSL Labs listing of clients/browsers (with the exception on my site of Firefox 53/Win).

    Your site's Server Temp Key
    Code (Text):
    echo n | openssl s_client -debug -connect phcorner.net:443 2>&1 | grep -A12 'Server Temp Key:'
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 3361 bytes and written 415 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
    Server public key is 256 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256
    

    my site
    Code (Text):
    echo n | openssl s_client -debug -connect http2.centminmod.com:443 2>&1 | grep -A12 'Server Temp Key:'
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 2779 bytes and written 415 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
    Server public key is 256 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256
    
     
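    The two transcripts above show the fields worth reading out of that pipeline: the ephemeral key-exchange group ("Server Temp Key"), the certificate's public key size, and the negotiated cipher suite, whose ECDHE-ECDSA vs ECDHE-RSA name tells you which of a dual-cert vhost's certificates was served. The script below is an added example, not code from the thread or from Centmin Mod: it parses constructed transcripts modelled on the output above (the sample text, the hostname placeholder and the `probe` helper are all assumptions), and it also handles newer OpenSSL output for TLS 1.3, where the cipher name carries no signature algorithm and the "Peer signature type" line must be used instead.

```shell
#!/bin/sh
# Added example (not Centmin Mod's code): parse the fields that
# `openssl s_client ... | grep -A12 'Server Temp Key:'` prints and classify
# whether the server answered with its ECDSA or its RSA certificate.

# Constructed sample transcripts, modelled on the thread's output (not captured live).
SAMPLE_ECDSA='Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2779 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
Server public key is 256 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256'

SAMPLE_RSA='Server Temp Key: ECDH, P-256, 256 bits
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'

# TLS 1.3 suites name no signature algorithm, so newer OpenSSL prints a
# separate "Peer signature type:" line (constructed sample).
SAMPLE_TLS13='Server Temp Key: X25519, 253 bits
Peer signature type: ECDSA
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit'

# cert_type TRANSCRIPT -> ECDSA | RSA | UNKNOWN
# Prefers the explicit "Peer signature type" line; otherwise infers the
# certificate type from the negotiated TLS 1.2 cipher suite name.
cert_type() {
  sig=$(printf '%s\n' "$1" | sed -n 's/^Peer signature type: //p' | head -n 1)
  cipher=$(printf '%s\n' "$1" | sed -n 's/^New, .*Cipher is //p' | head -n 1)
  case "${sig:-$cipher}" in
    *ECDSA*) echo ECDSA ;;
    *RSA*)   echo RSA ;;
    *)       echo UNKNOWN ;;
  esac
}

# temp_key_group TRANSCRIPT -> ephemeral key-exchange group, e.g. P-256 or X25519
# Handles both "ECDH, P-256, 256 bits" and the newer "X25519, 253 bits" form.
temp_key_group() {
  printf '%s\n' "$1" | awk -F', ' '/^Server Temp Key:/ {
      sub(/^Server Temp Key: /, "")
      g = ($1 == "ECDH") ? $2 : $1
      print g
      exit }'
}

# pubkey_bits TRANSCRIPT -> size of the served certificate's public key in bits
pubkey_bits() {
  printf '%s\n' "$1" | sed -n 's/^Server public key is \([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# report TRANSCRIPT -> one summary line
report() {
  printf 'cert=%s pubkey=%s-bit kex=%s\n' \
    "$(cert_type "$1")" "$(pubkey_bits "$1")" "$(temp_key_group "$1")"
}

# probe HOST CIPHER -> live transcript (needs network; not run by this script).
# Pinning the cipher family lets each certificate of a dual-cert vhost be
# checked in turn; a missing "Server Temp Key" line means the handshake failed.
probe() {
  echo n | openssl s_client -connect "$1:443" -servername "$1" -cipher "$2" 2>&1 \
    | grep -A12 'Server Temp Key:'
}

report "$SAMPLE_ECDSA"   # cert=ECDSA pubkey=256-bit kex=P-256
report "$SAMPLE_RSA"     # cert=RSA pubkey=2048-bit kex=P-256
report "$SAMPLE_TLS13"   # cert=ECDSA pubkey=256-bit kex=X25519
```

    To check a real dual-cert vhost, run `report "$(probe your.host ECDHE-ECDSA-AES128-GCM-SHA256)"` and then the same with `ECDHE-RSA-AES128-GCM-SHA256`; each call should report the matching certificate type, and `cert=UNKNOWN` means the server could not complete a handshake with that family, i.e. that certificate is not being served.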
  3. rdan

    rdan Well-Known Member

  4. eva2000

    eva2000 Administrator Staff Member

    All Centmin Mod Nginx vhosts with HTTP/2 HTTPS auto-generate a 2048-bit dhparam.pem for SSL.
    Yes, because it's client/browser negotiated as to what key exchange group is supported, AFAIK.
    Yes, smaller SSL cert as Let's Encrypt vs Comodo, and some fields not populated, AFAIK.
     
  5. rdan

    rdan Well-Known Member

    Maybe the issue here is with Comodo ECC and UC Browser on XP.
    I tried several approaches and I can't make it work.
     
  6. eva2000

    eva2000 Administrator Staff Member

    More bug-fix work done on addons/acmetool.sh dual RSA + ECDSA Let's Encrypt SSL certificate support mode: Beta Branch - acmetool.sh fix dual cert mode ssl_trusted_certificate concat :)
     
  7. buik

    buik Well-known Member Premium Member

  8. eva2000

    eva2000 Administrator Staff Member

    Let's Encrypt root and intermediates are still RSA 2048-bit based, not yet ECDSA based.
     
  9. eva2000

    eva2000 Administrator Staff Member

    As ECDSA 256-bit SSL certificates perform better than the default standard RSA 2048-bit SSL certificates, I'm curious how folks feel if nginx dual certificates (RSA+ECDSA SSL) were set to default for Centmin Mod 123.09beta01 issued Let's Encrypt SSL certs? So both variables would default to
    Code (Text):
    LETSENCRYPT_DETECT='y'
    DUALCERTS='y'
    

    to enable Let's Encrypt SSL cert support + enable nginx dual certificates (RSA+ECDSA SSL).

    It means when you set up Nginx with HTTP/2 HTTPS, 2 SSL certificates are issued, one for RSA 2048-bit + one for ECDSA 256-bit, so they are served to browsers which support them. The concern I had with enabling nginx dual SSL certificates is potentially running into Let's Encrypt SSL cert issuance rate limits if you have a lot of new nginx HTTP/2 HTTPS sites all created at once.

    What do folks think?
     
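    For readers who want to see what the dual-certificate mode amounts to on the nginx side, here is an added illustration; it is not Centmin Mod's generated vhost config and not from acmetool.sh, and the hostname, file paths and cipher list are assumed. Since 1.11.0 nginx accepts the ssl_certificate/ssl_certificate_key pair more than once in a server block and selects the certificate whose type the client's signature algorithms allow, which is how the same vhost serves ECDSA to modern browsers and RSA to the rest.

```nginx
# Added example, not Centmin Mod's own vhost template. Hostname and paths are placeholders.
server {
    listen 443 ssl http2;
    server_name example.com;

    # RSA 2048-bit certificate: served to clients that cannot validate ECDSA
    ssl_certificate     /etc/ssl/example.com/rsa-fullchain.pem;
    ssl_certificate_key /etc/ssl/example.com/rsa-privkey.pem;

    # ECDSA P-256 certificate: smaller certificate and cheaper handshake,
    # chosen by nginx when the client advertises ECDSA signature support
    ssl_certificate     /etc/ssl/example.com/ecc-fullchain.pem;
    ssl_certificate_key /etc/ssl/example.com/ecc-privkey.pem;

    # The client's supported groups decide the ephemeral key exchange; this is
    # only the server's preference order (most clients still end up on P-256).
    ssl_ecdh_curve prime256v1:secp384r1;

    # dhparam is used only by DHE-* suites; ECDHE suites never touch it.
    ssl_dhparam /etc/ssl/example.com/dhparam.pem;

    # OCSP stapling verifies responses against ssl_trusted_certificate, so when
    # the two certificates have different issuer chains this file must contain
    # both chains concatenated, otherwise stapling fails for one of them.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/example.com/rsa-and-ecc-chain.pem;

    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    # ECDSA suites listed first so a capable client gets the ECDSA certificate;
    # the RSA suites remain for clients that only offer those.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
}
```

    After a reload, `openssl s_client -connect example.com:443 -servername example.com -cipher ECDHE-RSA-AES128-GCM-SHA256` and the same with `-cipher ECDHE-ECDSA-AES128-GCM-SHA256` should each complete a handshake and report a different "Server public key is N bit" line (2048 vs 256); if one of them fails, that certificate or its key file is not being loaded.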
  10. diy

    diy Premium Member Premium Member

    Centminmod features are always appreciated, even in those times when we don't need to use them. :)
     