Accessing letsencrypt ssl sites from Iran through Apple devices

@rg305
how do I upload a text file here?

@rg305 here’s the curve command output:

secp112r1 : SECG/WTLS curve over a 112 bit prime field
secp112r2 : SECG curve over a 112 bit prime field
secp128r1 : SECG curve over a 128 bit prime field
secp128r2 : SECG curve over a 128 bit prime field
secp160k1 : SECG curve over a 160 bit prime field
secp160r1 : SECG curve over a 160 bit prime field
secp160r2 : SECG/WTLS curve over a 160 bit prime field
secp192k1 : SECG curve over a 192 bit prime field
secp224k1 : SECG curve over a 224 bit prime field
secp224r1 : NIST/SECG curve over a 224 bit prime field
secp256k1 : SECG curve over a 256 bit prime field
secp384r1 : NIST/SECG curve over a 384 bit prime field
secp521r1 : NIST/SECG curve over a 521 bit prime field
prime192v1: NIST/X9.62/SECG curve over a 192 bit prime field
prime192v2: X9.62 curve over a 192 bit prime field
prime192v3: X9.62 curve over a 192 bit prime field
prime239v1: X9.62 curve over a 239 bit prime field
prime239v2: X9.62 curve over a 239 bit prime field
prime239v3: X9.62 curve over a 239 bit prime field
prime256v1: X9.62/SECG curve over a 256 bit prime field
sect113r1 : SECG curve over a 113 bit binary field
sect113r2 : SECG curve over a 113 bit binary field
sect131r1 : SECG/WTLS curve over a 131 bit binary field
sect131r2 : SECG curve over a 131 bit binary field
sect163k1 : NIST/SECG/WTLS curve over a 163 bit binary field
sect163r1 : SECG curve over a 163 bit binary field
sect163r2 : NIST/SECG curve over a 163 bit binary field
sect193r1 : SECG curve over a 193 bit binary field
sect193r2 : SECG curve over a 193 bit binary field
sect233k1 : NIST/SECG/WTLS curve over a 233 bit binary field
sect233r1 : NIST/SECG/WTLS curve over a 233 bit binary field
sect239k1 : SECG curve over a 239 bit binary field
sect283k1 : NIST/SECG curve over a 283 bit binary field
sect283r1 : NIST/SECG curve over a 283 bit binary field
sect409k1 : NIST/SECG curve over a 409 bit binary field
sect409r1 : NIST/SECG curve over a 409 bit binary field
sect571k1 : NIST/SECG curve over a 571 bit binary field
sect571r1 : NIST/SECG curve over a 571 bit binary field
c2pnb163v1: X9.62 curve over a 163 bit binary field
c2pnb163v2: X9.62 curve over a 163 bit binary field
c2pnb163v3: X9.62 curve over a 163 bit binary field
c2pnb176v1: X9.62 curve over a 176 bit binary field
c2tnb191v1: X9.62 curve over a 191 bit binary field
c2tnb191v2: X9.62 curve over a 191 bit binary field
c2tnb191v3: X9.62 curve over a 191 bit binary field
c2pnb208w1: X9.62 curve over a 208 bit binary field
c2tnb239v1: X9.62 curve over a 239 bit binary field
c2tnb239v2: X9.62 curve over a 239 bit binary field
c2tnb239v3: X9.62 curve over a 239 bit binary field
c2pnb272w1: X9.62 curve over a 272 bit binary field
c2pnb304w1: X9.62 curve over a 304 bit binary field
c2tnb359v1: X9.62 curve over a 359 bit binary field
c2pnb368w1: X9.62 curve over a 368 bit binary field
c2tnb431r1: X9.62 curve over a 431 bit binary field
wap-wsg-idm-ecid-wtls1: WTLS curve over a 113 bit binary field
wap-wsg-idm-ecid-wtls3: NIST/SECG/WTLS curve over a 163 bit binary field
wap-wsg-idm-ecid-wtls4: SECG curve over a 113 bit binary field
wap-wsg-idm-ecid-wtls5: X9.62 curve over a 163 bit binary field
wap-wsg-idm-ecid-wtls6: SECG/WTLS curve over a 112 bit prime field
wap-wsg-idm-ecid-wtls7: SECG/WTLS curve over a 160 bit prime field
wap-wsg-idm-ecid-wtls8: WTLS curve over a 112 bit prime field
wap-wsg-idm-ecid-wtls9: WTLS curve over a 160 bit prime field
wap-wsg-idm-ecid-wtls10: NIST/SECG/WTLS curve over a 233 bit binary field
wap-wsg-idm-ecid-wtls11: NIST/SECG/WTLS curve over a 233 bit binary field
wap-wsg-idm-ecid-wtls12: WTLS curve over a 224 bit prime field
Oakley-EC2N-3:
IPSec/IKE/Oakley curve #3 over a 155 bit binary field.
Not suitable for ECDSA.
Questionable extension field!
Oakley-EC2N-4:
IPSec/IKE/Oakley curve #4 over a 185 bit binary field.
Not suitable for ECDSA.
Questionable extension field!
brainpoolP160r1: RFC 5639 curve over a 160 bit prime field
brainpoolP160t1: RFC 5639 curve over a 160 bit prime field
brainpoolP192r1: RFC 5639 curve over a 192 bit prime field
brainpoolP192t1: RFC 5639 curve over a 192 bit prime field
brainpoolP224r1: RFC 5639 curve over a 224 bit prime field
brainpoolP224t1: RFC 5639 curve over a 224 bit prime field
brainpoolP256r1: RFC 5639 curve over a 256 bit prime field
brainpoolP256t1: RFC 5639 curve over a 256 bit prime field
brainpoolP320r1: RFC 5639 curve over a 320 bit prime field
brainpoolP320t1: RFC 5639 curve over a 320 bit prime field
brainpoolP384r1: RFC 5639 curve over a 384 bit prime field
brainpoolP384t1: RFC 5639 curve over a 384 bit prime field
brainpoolP512r1: RFC 5639 curve over a 512 bit prime field
brainpoolP512t1: RFC 5639 curve over a 512 bit prime field
SM2 : SM2 curve over a 256 bit prime field

@rg305 FYI I re-enabled IPv6 after seeing that it made no difference when I first tested it. Or are you expecting it to be disabled for all of this?

Comparing your nginx -V to mine:
I’m not sure this affects much, but yours has (that mine does not):

--with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-FDSBVO/nginx-1.15.5=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2'
--with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC'
--add-dynamic-module=/build/nginx-FDSBVO/nginx-1.15.5/debian/modules/http-auth-pam
--add-dynamic-module=/build/nginx-FDSBVO/nginx-1.15.5/debian/modules/http-dav-ext
--add-dynamic-module=/build/nginx-FDSBVO/nginx-1.15.5/debian/modules/http-echo
--add-dynamic-module=/build/nginx-FDSBVO/nginx-1.15.5/debian/modules/http-upstream-fair
--add-dynamic-module=/build/nginx-FDSBVO/nginx-1.15.5/debian/modules/http-subs-filter

and mine has (that yours does not):

--with-select_module
--with-poll_module
--with-file-aio
--with-http_random_index_module
--with-http_secure_link_module
--with-http_degradation_module
--with-pcre=/additional/pcre-8.42
--add-module=/additional/headers-more-nginx-module-0.33/
--with-openssl=/additional/openssl-1.1.1
--with-openssl-opt=no-nextprotoneg

mind if I try your url to see if it works on safari?

duh :stuck_out_tongue:

Well it definitely has "all the right curves" - LOL

lol....Well that's a relief. :smiley:

So wasn't that curve directive supposed to change the named groups? How come they're still the same in the ssllabs test?

I don't think IPv6 is part of the issue.

We are still trying to figure that out.
You seem to have all the right parts with all good versions.
But it still won't follow your command...

This is how it looks in mine:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ecdh_curve sect571r1:secp521r1:brainpoolP512r1:sect409r1:brainpoolP384r1:secp384r1:sect283r1:prime256v1;
ssl_ciphers TLS13:ECDHE+ARIA:ECDHE:!AESCCM:!AESCCM8:!CAMELLIA:!SHA:!ECDHE+CHACHA20;
ssl_prefer_server_ciphers on;

And I get:
Supported Named Groups
sect571r1, secp521r1, brainpoolP512r1, sect409r1, brainpoolP384r1, secp384r1 (server preferred order)

Did you get my PM?
Does it work from your device/location?
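One way to confirm what the ssllabs "Supported Named Groups" line shows, from your own machine, is to offer the server one group at a time and see which it accepts. This is an added example, not code from either poster; it assumes an `openssl s_client` that accepts `-curves` and prints a "Server Temp Key:" line (OpenSSL 1.0.2 and later), and the host names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): check which named groups a TLS server
# really negotiates, rather than trusting the ssl_ecdh_curve line in nginx.conf.
# Assumes `openssl s_client` supports -curves and prints "Server Temp Key:".
# Host names and ports used here are placeholders.

# Pull the group list out of an nginx ssl_ecdh_curve directive (read from stdin):
# "ssl_ecdh_curve a:b:c;" -> a, b, c, one per line ("auto" comes out as one entry).
groups_from_conf() {
    sed -n 's/^[[:space:]]*ssl_ecdh_curve[[:space:]]*\([^;]*\);.*/\1/p' \
        | head -n 1 | tr ':' '\n'
}

# Extract the negotiated group from s_client output (read from stdin).
# OpenSSL prints "Server Temp Key: X25519, 253 bits" or, on older builds,
# "Server Temp Key: ECDH, P-256, 256 bits". NIST curves appear under their NIST
# label (secp384r1 -> P-384, sect571r1 -> B-571); others keep the OpenSSL name.
parse_temp_key() {
    sed -n 's/^Server Temp Key:[[:space:]]*//p' \
        | sed 's/^ECDH,[[:space:]]*//; s/,.*//' | head -n 1
}

# Offer the server exactly one group and report what it picked.
# An empty result means the handshake failed, i.e. the server refused that group.
probe_group() {
    host=$1; port=$2; group=$3
    out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" \
            -curves "$group" 2>/dev/null) || true
    printf '%s\n' "$out" | parse_temp_key
}

# Walk every group in the directive and print a one-line verdict per group.
# Usage: probe_conf example.invalid 443 < nginx-ssl.conf
probe_conf() {
    host=$1; port=${2:-443}
    groups_from_conf | while read -r g; do
        [ -n "$g" ] || continue
        got=$(probe_group "$host" "$port" "$g")
        printf '%-20s %s\n' "$g" "${got:-REFUSED}"
    done
}

# Only touch the network when explicitly asked, so the file can be sourced safely.
if [ -n "${PROBE_HOST:-}" ]; then
    probe_conf "$PROBE_HOST" "${PROBE_PORT:-443}"
fi
```

A group that prints REFUSED for every entry in the directive, while ssllabs still lists it, points at the running binary ignoring the directive rather than at the config file.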

Didn't see any PM from you? Sorry, my first day on this site. Where should I look?

k, I think I got it…

top right
a green circle on your “C” pic

Ya, yours works just fine. It outputs a cipher, IP address, and user agent.

OK so we still have this (possibly insignificant) difference:
Your site:
Supported Named Groups
x25519, secp256r1, x448, secp521r1, secp384r1 (server preferred order)

My site:
Supported Named Groups
sect571r1, secp521r1, brainpoolP512r1, sect409r1, brainpoolP384r1, secp384r1 (server preferred order)

Mine works for you and yours doesn’t…

Try:
ssl_ecdh_curve auto;

command not found...

And there is this other possible difference:
Your nginx:
nginx version: nginx/1.15.5
built with OpenSSL 1.1.0g 2 Nov 2017 (running with OpenSSL 1.1.1 11 Sep 2018)

Mine:
nginx version: nginx/1.15.5
built with OpenSSL 1.1.1 11 Sep 2018

(this doesn’t seem like it should make a difference)