Hi,

I have had Nginx running for many OpenBSD releases, with TLS enabled (Let's Encrypt certificates). I upgraded recently to:

OpenBSD 6.6-current (GENERIC.MP) #626: Thu Jan 30 19:26:22 MST 2020
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

and recent package snapshot:

# awk '/digital-signature/ {print $NF}' /var/db/pkg/quirks-3.223/+CONTENTS
signify2:2020-01-30T18:08:23Z:external

I see a problem with Chrome and Firefox on Windows and on OpenBSD. Firefox returns SSL_ERROR_DECODE_ERROR_ALERT and Chrome returns ERR_SSL_PROTOCOL_ERROR.

Is it a known problem? I don't see this issue with httpd(8) and a similar setup.

Example domain which you can have a look at is https://ports.to/ or https://www.secure.io/

Snippet from nginx.conf:

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name ports.to www.ports.to;
    root /data/www/ports-readmes;
    gzip off;
    ssl_certificate /etc/ssl/ports.to-full.crt;
    ssl_certificate_key /etc/ssl/private/ports.to.key;
    ssl_dhparam /etc/ssl/dh4096.pem;
    ssl_session_cache shared:SSL:5m;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH@STRENGTH:!aNULL:!eNULL;
    ssl_prefer_server_ciphers on;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name secure.io www.secure.io;
    root /data/www/default;
    gzip off;
    ssl_certificate /etc/ssl/nginx.crt;
    ssl_certificate_key /etc/ssl/private/server.key;
    ssl_dhparam /etc/ssl/dh4096.pem;
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:5m;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE+AEAD+HIGH@STRENGTH:!aNULL:!eNULL:!AES128,DHE+AEAD+HIGH@STRENGTH:!aNULL:!eNULL:!AES128;
    ssl_prefer_server_ciphers on;
    ...
}

--
Regards,
Mikolaj