Cannot use Advanced Rest Client with Letsencrypt websites because it throws: sslv3 alert handshake failure

Try:
grep -r ssl_ecdh_curve /etc/nginx


@jmorahan

root@profuniv-desa:/etc/nginx# grep -r ssl_ecdh_curve *
snippets/ssl_letsencrypt.conf:ssl_ecdh_curve secp384r1;

Okay so try editing the file snippets/ssl_letsencrypt.conf and changing that line from:
ssl_ecdh_curve secp384r1;
to:
ssl_ecdh_curve auto;
or possibly just delete the line entirely.


Ugh, seriously? IMHO that's a flaw in ARC...


changed to ssl_ecdh_curve auto;

root@profuniv-desa:/etc/nginx# nginx -t
nginx: [emerg] Unknown curve name "auto" (SSL:)
nginx: configuration file /etc/nginx/nginx.conf test failed

Suggestion (some sites):
Doesn't work: https://www.cdn77.com/tls-test?domain=dev.www.triunfamos.com
Does work: https://www.cdn77.com/tls-test?domain=www.cdimarbella.com
Does work: https://www.cdn77.com/tls-test?domain=www.aulafacil.com (no Letsencrypt)

Yeah sorry I misread the documentation, auto was added in a later nginx version than the one you’re running. Try just deleting the line entirely.

YOU ARE THE FUCKING MASTER.

It worked by deleting the entire line.

So… the question is: Is the change favourable or worse?

auto only works since nginx 1.11.0.

Try:

ssl_ecdh_curve prime256v1:secp384r1;

That might be the default for your nginx version by the way. The docs say the current default is "auto", but that wouldn't be the default of your version obviously. :stuck_out_tongue:

root@profuniv-desa:/etc/nginx# nginx -t
nginx: [emerg] Unknown curve name "prime256v1:secp384r1" (SSL:)
nginx: configuration file /etc/nginx/nginx.conf test failed

As I've said before I'm not an nginx expert... but my reading of the docs is that that syntax is also only supported since 1.11.0.

Well, strictly speaking it's worse, as 256 is smaller than 384, but one might hope that the difference is mostly irrelevant in practice. Ideally you would upgrade to an nginx version that allows you to support multiple curves, so you can use the best one supported by the client. Or even better, the developers of ARC should improve their app to support more and better curves.

OK @jmorahan, my last question and then I'll finish:

According to https://www.cdn77.com/tls-test?domain=dev.www.triunfamos.com it recommends installing TLS 1.3.

Which is your advice?

Oh man... @nacesprin, is it possible to update your nginx? If you want a higher level of ECDHE key exchange, that is.

TLS 1.3 is good, but it will also require you to upgrade nginx :wink:


Summary:

For nginx 1.10.x the ssl_ecdh_curve directive must be removed (if I use ARC) from the nginx configuration.
For nginx 1.11 ssl_ecdh_curve must be set to auto.

On sites which have nginx 1.10 but where ARC is working, it is because they are using Cloudflare SSL.

It is advised to install TLS 1.3 for nginx 1.11.

Thanks @jmorahan
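The checks worked out in this thread, collected into one script (an added example, not code from the thread, from nginx or from ARC): it finds the ssl_ecdh_curve and ssl_protocols directives the same way the grep above did, and reports whether the value would be rejected by the nginx version in use, using the thresholds from the nginx docs (auto and colon-separated curve lists need 1.11.0, the TLSv1.3 parameter needs 1.13.0 and OpenSSL 1.1.1). The config directory, the sample snippet and the helper names are assumptions for the demo; a single curve such as secp384r1 is accepted by every version but is flagged with a warning, since a client that cannot do that one curve is exactly what gets the handshake failure.

```sh
#!/bin/sh
# Added example: pre-check ssl_ecdh_curve / ssl_protocols against an nginx
# version before running "nginx -t". Thresholds are from the nginx docs:
#   ssl_ecdh_curve auto, or a curve list "a:b":  nginx >= 1.11.0
#   ssl_protocols TLSv1.3:                       nginx >= 1.13.0 (+ OpenSSL 1.1.1)
# Paths, sample config and function names are constructed for this demo.

# version_ge A B: succeed when dotted version A >= B (numeric, 3 fields).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# nginx_version: "1.10.3" parsed from "nginx -v" (which prints to stderr).
nginx_version() {
  nginx -v 2>&1 | sed -n 's#^nginx version: nginx/\([0-9][0-9.]*\).*#\1#p'
}

# check_ecdh_curve VERSION VALUE: 0 if nginx VERSION accepts VALUE, else 1.
check_ecdh_curve() {
  ver=$1; val=$2
  case $val in
    auto)
      version_ge "$ver" 1.11.0 && { echo "ok: ssl_ecdh_curve auto"; return 0; }
      echo "error: 'auto' needs nginx >= 1.11.0, you have $ver (nginx -t: Unknown curve name \"auto\")"
      echo "fix: delete the ssl_ecdh_curve line, or upgrade nginx"
      return 1 ;;
    *:*)
      version_ge "$ver" 1.11.0 && { echo "ok: ssl_ecdh_curve list $val"; return 0; }
      echo "error: curve lists need nginx >= 1.11.0, you have $ver"
      echo "fix: use a single curve or delete the line"
      return 1 ;;
    *)
      # Accepted everywhere, but only this one curve is offered, so a client
      # that cannot use it gets "sslv3 alert handshake failure".
      echo "warn: single curve $val; clients without it fail the handshake"
      return 0 ;;
  esac
}

# check_tls13 VERSION PROTOCOLS: TLSv1.3 in ssl_protocols needs nginx >= 1.13.0.
check_tls13() {
  case " $2 " in
    *" TLSv1.3 "*)
      version_ge "$1" 1.13.0 && { echo "ok: TLSv1.3"; return 0; }
      echo "error: TLSv1.3 needs nginx >= 1.13.0 (and OpenSSL 1.1.1), you have $1"
      return 1 ;;
    *) echo "ok: no TLSv1.3 requested"; return 0 ;;
  esac
}

# directive_value DIR NAME: value of the first uncommented "NAME ...;" under
# DIR (what "grep -r ssl_ecdh_curve /etc/nginx" shows, minus file name and ';').
directive_value() {
  grep -rh "^[[:space:]]*$2[[:space:]]" "$1" 2>/dev/null \
    | head -n 1 | sed "s/^[[:space:]]*$2[[:space:]]*//; s/[[:space:]]*;.*$//"
}

# check_config DIR VERSION: run both checks; 0 when nginx -t would accept them.
check_config() {
  dir=$1; ver=$2; rc=0
  curve=$(directive_value "$dir" ssl_ecdh_curve)
  if [ -n "$curve" ]; then check_ecdh_curve "$ver" "$curve" || rc=1
  else echo "ok: no ssl_ecdh_curve directive (nginx default curve)"; fi
  protos=$(directive_value "$dir" ssl_protocols)
  [ -n "$protos" ] && { check_tls13 "$ver" "$protos" || rc=1; }
  return $rc
}

# Demo: a constructed copy of the thread's snippet, checked against a given
# version (default 1.10.3, the version in the thread; pass another as $1).
demo() {
  tmp=$(mktemp -d); mkdir -p "$tmp/snippets"
  printf 'ssl_ecdh_curve secp384r1;\nssl_protocols TLSv1.2;\n' \
    > "$tmp/snippets/ssl_letsencrypt.conf"
  check_config "$tmp" "$1"
  rm -rf "$tmp"
}
demo "${1:-1.10.3}"
```

On a real host replace the demo with `check_config /etc/nginx "$(nginx_version)"`. To see the failure from the client side, `openssl s_client -connect host:443 -curves prime256v1 </dev/null` (OpenSSL 1.0.2 or later) offers only P-256, which is the situation a client that lacks secp384r1 is in.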

I believe you would need nginx 1.13 if you want to support TLS 1.3.

This is my server: https://www.cdn77.com/tls-test?domain=www.aulafacil.com and it has TLS 1.3 and nginx v 1.10.3 with COMODO SSL

Yes, that's because the TLS 1.3 is being provided in this case not by the nginx on your server, but by Cloudflare.

It is very logical. I had a headache. So, another solution is to use Cloudflare :grin:


Same here, but
https://www.ssllabs.com/ssltest/analyze.html?d=ipfinder.io

works fine.
