nginx secure TLS configuration result in SSL_ERROR_NO_CYPHER_OVERLAP

0

I followed a guide from 01/2018 to harden my nginx 1.10.3 TLS configuration.

Now I'm getting SSL_ERROR_NO_CYPHER_OVERLAP in Firefox 66.0.1 and https://www.ssllabs.com/ssltest says Assessment failed: Failed to communicate with the secure server

This is the current configuration. nginx -t is successful.

server {
    listen 80;
    listen [::]:80;
    server_name domain.tld;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name domain.tld;
    root /var/www/domain.tld;
    index index.html;

    ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/domain.tld/chain.pem;        
    # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";

    server_tokens off;

    location / {
        try_files $uri $uri/ =404;
    }
}

Donkeye

Posted 2019-03-23T17:45:03.857

Reputation: 1

Answers

1

Nothing is known about your certificate but my guess is that you are using a RSA certificate since this is still the most common one. Only, your ciphers are all *-ECDSA-* ciphers which require an ECC certificate.

Instead of coming up with your own variant of security and failing to understand how secure this really is and what side-effects it has, I recommend to simply use recommend settings, like the ones done by the Mozilla SSL Configuration Generator.

Steffen Ullrich

Posted 2019-03-23T17:45:03.857

Reputation: 3 897

Asked: 2019-03-23T17:45:03.857

Viewed: 304 times

Active: 2019-03-23T19:29:52.183