There are several cryptographic libraries on your system:
- OpenSSL (the gold standard, with a BSD-style (very free) licence that includes a somewhat problematic clause (preventing GPL compatibility, but nothing “bad”) limiting its adoption in the GNU world)
- GnuTLS (the replacement from the FSF; comes in two flavours, LGPLv2-licenced (but unmaintained) and LGPLv3-licenced (and thus incompatible with GPLv2-only programs); historically not as featureful as OpenSSL, a bit more buggy, but more strict too, which enhances security)
- NSS (Netscape/Mozilla's library, rarely used outside; slow to adopt new standards)
- minor ones like PolarSSL, MatrixSSL, NaCl/Salt
All of them have, of course, similarities and differences. Software that uses them (for cryptographic purposes, or to use SSL/TLS) sometimes supports using more than one of these libraries (for example Lynx, the web browser, is normally linked against OpenSSL but supports GnuTLS too (just not as good) in order to appease the GNU people).
cURL also is one of the projects supporting using either of the three major crypto libraries. This is mostly because cURL is, primary, a library intended to be used by yet other programs when they want to download (or even upload) things using http, ftp, etc. connections. The curl command-line tool can come from either of these variants.
Now, I'm fairly sure that the problem you're seeing with the not-freshly-installed system is the following:
OpenSSL and GnuTLS both support using /etc/ssl/certs/<hash>.<number>-style CA directories. OpenSSL version 0.x and GnuTLS however use a different algorithm to calculate the aforementioned hash than OpenSSL version 1.x uses. (Both can coëxist on a system; if different certificates have the same hash you just use a differing number for them. But for some reason, Debian/Ubuntu's ca-certificates package doesn't seem to do this.) Additionally, some versions of GnuTLS did not support using the directory, but only using a file /etc/ssl/certs/ca-certificates.crt (which is also usually managed by the ca-certificates package's maintainer scripts, but can deviate); you seem to be using an older version, so this may be the thing you hit.
openssl s_client by default (i.e. without the -CApath or -CAfile option) does not look anywhere for certificates.
Your curl from the upgraded installation most likely uses a different crypto library than the curl from the fresh installation.
Try openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect the-problem-site.com:443 in addition to openssl s_client -CApath /etc/ssl/certs -connect the-problem-site.com:443 to mimic the behaviour of older GnuTLS versions.
Double-check if there's an OpenSSL 1.x anywhere on your system (Ubuntu is known for sneaking major updates even into LTS versions), and if yes, check the hash of the file:
openssl x509 -noout -hash -in /etc/ssl/certs/GeoTrust_Global_CA.pem
openssl x509 -noout -subject_hash_old -in /etc/ssl/certs/GeoTrust_Global_CA.pem
openssl x509 -noout -subject_hash -in /etc/ssl/certs/GeoTrust_Global_CA.pem
Normally, either, the second and third command should fail (OpenSSL 0.x), or the first and third command should display the same hash but the second one should display a different hash (OpenSSL 1.x). GnuTLS would use the output from the second command (if OpenSSL 1.x is installed); if OpenSSL 0.x is installed that's the same hash. You can create such symlinks manually.
I can update this posting once you provide debugging feedback.
First you need to activate SSL/TLS in your nginx.conf:
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name example.org;
ssl_certificate /etc/ssl/example.org.crt;
ssl_certificate_key /etc/ssl/private/example.org.key;
The two listen lines enable SSL at your IPv4 and IPv6 connection. If you have no IPv6 you might leave out the second listen line.
I assume that your server certificate is in /etc/ssl. If you use another path, you'd change the last two lines.
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
This enables different TLS versions. All current browsers are able to use TLS1.2. For older browsers I wrote a small howto enable secure settings.
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA;
ssl_prefer_server_ciphers on;
The first line sets the ciphers which your nignx should use. The second line prefers the cipher suites on the server (and not the client) side. So you can use strong(er) ciphers.
If you're done, your nginx should use TLS1.2. If you'd like, you can add your site to a TLS1.2 hall of fame and be proud. ;)
However there are several methods to improve the settings. I follow this german guide for secure nginx configuration.
Best Answer
I finally found out how to enable for nginx (afraid I don't know how to do it system-wide) and other services with a configuration allowing changing ciphers.
Source:
man ciphers.1sslEdit your nginx configuration and amend your cipherlist to add the pseudocipher
@SECLEVEL=1.Example:
becomes