Opened 3 years ago

Closed 3 years ago

#1375 closed defect (invalid)

Can't use parallel ECDSA / RSA certificates in BoringSSL

Reported by: jinham335908093@…
Owned by:
Priority: minor
Milestone: 1.13
Component: nginx-module
Version: 1.13.x
Keywords: BoringSSL, Certificate
Cc:
uname -a: Linux a-VirtualBox 4.10.0-33-generic #37~16.04.1-Ubuntu SMP Fri Aug 11 14:07:24 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.13.4
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4)
built with OpenSSL 1.0.2 (compatible; BoringSSL) (Running with Boringssl)
TLS SNI support enabled
configure arguments: --add-module=../ngx_brotli --add-module=../nginx-ct-1.3.2 --with-openssl=../openssl --with-openssl-opt='enable-tls1_3 enable-weak-ssl-ciphers' --with-http_v2_module --with-http_ssl_module --with-http_gzip_static_module

Description

I can't use parallel ECDSA / RSA certificates in BoringSSL. It only offers the RSA certificate.
My config is:
server {

    listen 443 ssl spdy http2 fastopen=3 reuseport;
    listen 80;
    #server_name localhost;
    server_tokens off;
    #charset koi8-r;

    ssl_ciphers '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]:[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]:ECDHE+AES128:DHE+AES128:RSA+AES128:ECDHE+AES256:DHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES';

    #access_log logs/host.access.log main;
    #ssl_ciphers ALL;
    ssl_stapling on;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets on;
    #ECC
    ssl_certificate cert.pem;
    ssl_certificate_key key.pem;
    #RSA
    ssl_certificate rsa.pem;
    ssl_certificate_key rsa.key.pem;
    #2048-bit DH
    ssl_dhparam dhparams.pem;
    ssl_ecdh_curve X25519:P-521:P-384:P-256;
    add_header Public-Key-Pins 'pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="IiSbZ4pMDEyXvtl7Lg8K3FNmJcTAhKUTrB2FQOaAO/s="; pin-sha256="GrUh1XUYd7h8vyl/831aUltQ3bRKrNYdDFqIaBf8c=";pin-sha256="XMNx6H7vrk+38sOXz3yAeR60fQv14famOgKTZl0c9GU=";max-age=2592000; includeSubDomains';
    add_header X-Frame-Options deny;
    add_header X-Content-Type-Options nosniff;
    add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains; preload';
    add_header X-Xss-Protection '1; mode=block';
    add_header Cache-Control no-cache;
    add_header Content-Security-Policy "default-src 'self'; script-src 'unsafe-eval'; img-src 'self'; connect-src 'self'; font-src 'self'; style-src 'unsafe-inline';";

    location / {
        root html;
        index index.html index.htm;
    }
}

Change History (2)

comment:1 by jinham335908093@…, 3 years ago

I added an option to enable TLS 1.3 and weak ciphers.

comment:2 by Maxim Dounin, 3 years ago

Resolution: invalid
Status: new → closed

Looking through the BoringSSL code suggests that there is no relevant support for multiple certificates in BoringSSL; it was removed in d1d807802. Compile with OpenSSL instead.
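A quick way to see what a server actually serves, and so to confirm the behaviour reported above, is to connect with a client that can only authenticate ECDSA and then with one that can only authenticate RSA: a server that kept both certificates answers both probes, a server that kept one answers one and fails the other handshake. nginx 1.11.0 and later accept several ssl_certificate directives and hand each certificate to the TLS library, so whether both survive depends on the library storing one certificate per key type, which OpenSSL 1.0.2 and later do. The script below is an added example, not code from the ticket, from nginx or from BoringSSL. It assumes an openssl CLI of 1.1.0 or newer in PATH, uses openssl s_server loaded with one RSA and one ECDSA certificate as a stand-in for a correctly built dual-certificate server, and picks local port 14433 (overridable via LAB_PORT); the keys and self-signed certificates are generated on the fly.

```shell
#!/bin/sh
# Added example (not part of the ticket or of nginx): check which leaf
# certificate a TLS server presents to clients that can only authenticate
# ECDSA, and to clients that can only authenticate RSA. A server holding
# parallel certificates answers both; a server that kept only one answers
# one probe and fails the other handshake.
# Assumes an `openssl` CLI of 1.1.0 or newer in PATH.

# Print the public key algorithm of the leaf certificate that HOST:PORT
# presents when the client offers only CIPHERS. TLS 1.2 is forced so the
# cipher string decides the authentication type (TLS 1.3 suites do not).
# Prints "handshake failed" when the server has no matching certificate.
leaf_key_algorithm() {
  host=$1; port=$2; ciphers=$3
  alg=$(openssl s_client -connect "$host:$port" -servername "$host" \
            -tls1_2 -cipher "$ciphers" </dev/null 2>/dev/null \
        | openssl x509 -noout -text 2>/dev/null \
        | sed -n 's/^ *Public Key Algorithm: *//p')
  echo "${alg:-handshake failed}"
}

# Probe HOST:PORT twice, once per authentication type.
probe_both() {
  host=$1; port=$2
  echo "ECDSA-only client got: $(leaf_key_algorithm "$host" "$port" ECDHE-ECDSA-AES128-GCM-SHA256)"
  echo "RSA-only client got: $(leaf_key_algorithm "$host" "$port" ECDHE-RSA-AES128-GCM-SHA256)"
}

# Offline lab: stand up an OpenSSL s_server holding one RSA and one ECDSA
# certificate (the per-key-type slots nginx fills from two ssl_certificate
# directives when built with OpenSSL 1.0.2+), then probe it. Keys and
# self-signed certificates are generated here; the port is an assumption.
parallel_cert_lab() {
  port=${LAB_PORT:-14433}
  dir=$(mktemp -d)

  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ec.key" 2>/dev/null
  openssl req -x509 -new -key "$dir/ec.key" -out "$dir/ec.pem" \
      -subj /CN=localhost -days 1 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/rsa.key" \
      -out "$dir/rsa.pem" -subj /CN=localhost -days 1 2>/dev/null

  # -cert/-key load the RSA pair, -dcert/-dkey the ECDSA pair; OpenSSL keeps
  # both because it stores one certificate per key type.
  openssl s_server -accept "127.0.0.1:$port" -www \
      -cert "$dir/rsa.pem" -key "$dir/rsa.key" \
      -dcert "$dir/ec.pem" -dkey "$dir/ec.key" >/dev/null 2>&1 &
  server=$!

  # Wait until the listener completes a handshake (at most about 5 s).
  tries=0
  until openssl s_client -connect "127.0.0.1:$port" -tls1_2 </dev/null >/dev/null 2>&1 \
        || [ "$tries" -ge 5 ]; do
    tries=$((tries + 1)); sleep 1
  done

  probe_both 127.0.0.1 "$port"

  kill "$server" 2>/dev/null || true
  wait "$server" 2>/dev/null || true
  rm -rf "$dir"
}

# Usage: sh dual_cert_check.sh            -> run the local lab
#        sh dual_cert_check.sh HOST PORT  -> probe a real server, for
#                                           example the nginx from the ticket
case $# in
  0) parallel_cert_lab ;;
  2) probe_both "$1" "$2" ;;
  *) echo "usage: $0 [HOST PORT]" >&2; exit 2 ;;
esac
```

Run without arguments, the lab prints `id-ecPublicKey` for the ECDSA-only probe and `rsaEncryption` for the RSA-only probe, which is what a dual-certificate nginx built against OpenSSL should also show. Run against a server that kept only one of the two certificates, one of the probes reports `handshake failed` instead.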
