Since these two are using GCM (Galois/Counter Mode):
www.ssllabs.com: ECDHE-RSA-AES256-GCM-SHA384
www.google.com: ECDHE-RSA-AES128-GCM-SHA256
We wanted to make our webserver's HTTPS connection more secure (Don't look at the self-signed certificate, that doesn't count right now…).
We are using an OpenBSD 5.4 64bit OS, and the openssl ciphers command says that it supports the ECDHE-RSA-AES256-GCM-SHA384 cipher. On client side there is Firefox 30 at least.
So here is how we setup the HTTPS server:
# generate self signed certificate
openssl genrsa -aes256 -out /etc/ssl/private/server.key 4096
openssl req -new -key /etc/ssl/private/server.key -out /etc/ssl/private/server.csr
openssl x509 -sha512 -req -days 365 -in /etc/ssl/private/server.csr -signkey /etc/ssl/private/server.key -out /etc/ssl/server.crt
The config:
vi /etc/nginx/nginx.conf
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
But Firefox says (I translated it from my language..):
A connection to the www.foo.hu is interrupted
and ssllabs says:
Assessment failed: Failed to communicate with the secure server
- How can we set GCM in nginx?
- Why couldn't a fresh Firefox connect via HTTPS to
www.foo.hu(ECDHE-RSA-AES256-GCM-SHA384, TLSv1.2)?
It can connect to www.ssllabs.com via HTTPS (ECDHE-RSA-AES256-GCM-SHA384, TLSv1.2), so maybe it's not a client side problem?
[user@localhost ~] openssl s_client -connect www.foo.hu:443
CONNECTED(00000003)
depth=0 C = HU, CN = www.foo.hu
verify error:num=18:self signed certificate
verify return:1
depth=0 C = HU, CN = www.foo.hu
verify return:1
---
Certificate chain
0 s:/C=HU/CN=www.foo.hu
i:/C=HU/CN=www.foo.hu
---
Server certificate
-----BEGIN CERTIFICATE-----
.... here goes the cert..
-----END CERTIFICATE-----
subject=/C=HU/CN=www.foo.hu
issuer=/C=HU/CN=www.foo.hu
---
No client certificate CA names sent
---
SSL handshake has read 2137 bytes and written 389 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: ...bla-bla
Session-ID-ctx:
Master-Key: ...bla-bla
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
...bla-bla
Start Time: 1404296744
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
read:errno=0
[user@localhost ~]
Best Answer
Changing the cipher suite was the final solution.
The problem was that Firefox 30 doesn't supports the mentioned cipher yet.