Opened 7 years ago
Closed 7 years ago
#1375 closed defect (invalid)
Can‘t use parallel ECDSA / RSA certificates in BoringSSL
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | minor | Milestone: | 1.13 |
| Component: | nginx-module | Version: | 1.13.x |
| Keywords: | BoringSSL, Certificate | Cc: | |
| uname -a: | Linux a-VirtualBox 4.10.0-33-generic #37~16.04.1-Ubuntu SMP Fri Aug 11 14:07:24 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux | ||
| nginx -V: |
nginx version: nginx/1.13.4
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) built with OpenSSL 1.0.2 (compatible; BoringSSL) (Running with Boringssl) TLS SNI support enabled configure arguments: --add-module=../ngx_brotli --add-module=../nginx-ct-1.3.2 --with-openssl=../openssl --with-openssl-opt='enable-tls1_3 enable-weak-ssl-ciphers' --with-http_v2_module --with-http_ssl_module --with-http_gzip_static_module |
||
Description
I can‘t use parallel ECDSA / RSA certificates in BoringSSL.It only offers RSA certificate
My config is
server {
listen 443 ssl spdy http2 fastopen=3 reuseport;
listen 80;
#server_name localhost;
server_tokens off;
#charset koi8-r;
ssl_ciphers '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]:[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]:ECDHE+AES128:DHE+AES128:RSA+AES128:ECDHE+AES256:DHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES';
#access_log logs/host.access.log main;
#ssl_ciphers ALL;
ssl_stapling on;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets on;
#ECC
ssl_certificate cert.pem;
ssl_certificate_key key.pem;
#RSA
ssl_certificate rsa.pem;
ssl_certificate_key rsa.key.pem;
#2048-bit DH
ssl_dhparam dhparams.pem;
ssl_ecdh_curve X25519:P-521:P-384:P-256;
add_header Public-Key-Pins 'pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="IiSbZ4pMDEyXvtl7Lg8K3FNmJcTAhKUTrB2FQOaAO/s="; pin-sha256="GrUh1XUYd7h8vyl/831aUltQ3bRKrNYdDFqIaBf8c=";pin-sha256="XMNx6H7vrk+38sOXz3yAeR60fQv14famOgKTZl0c9GU=";max-age=2592000; includeSubDomains';
add_header X-Frame-Options deny;
add_header X-Content-Type-Options nosniff;
add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains; preload';
add_header X-Xss-Protection '1; mode=block';
add_header Cache-Control no-cache;
add_header Content-Security-Policy "default-src 'self'; script-src 'unsafe-eval'; img-src 'self'; connect-src 'self'; font-src 'self'; style-src 'unsafe-inline';";
location / {
root html;
index index.html index.htm;
}
Change History (2)
comment:1 by , 7 years ago
comment:2 by , 7 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
Looking through BoringSSL code suggests that there are no relevant support for multiple certificates in BoringSSL, it was removed in d1d807802. Compile with OpenSSL instead.
I add an option to enable TLS 1.3 and weak ciphers