Are multiple TLS Certificates/Keys used in Order in NGINX? How does NGINX determine the best Match in this Case?

michacassola

2/14/24, 8:38 PM

Using Cloudflare's "Full" encyption mode, one can use self signed certificates for origin to Cloudflare connections:

The certificate presented by the origin will not be validated in any way. It can be expired, self-signed, or not even have a matching CN/SAN entry for the hostname requested.

-- https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/full/

Recently my self signed certificate made with the following commands (GNU/Linux) stopped working and Cloudflare threw a 526 error.

openssl genpkey -algorithm Ed25519 -out /etc/ssl/qycli.key
openssl req -new -x509 -key /etc/ssl/qycli.key -out /etc/ssl/qycli.crt -days 7300 -subj "/C=AQ/ST=qycli/L=qycli/O=HOSTYON/OU=SysOps/CN=HOSTYON"

Using the following certificate and key made the connection to Cloudflare work again:

openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -x509 -nodes -days 7300 -out /etc/ssl/qycli.crt -keyout /etc/ssl/qycli.key -subj "/C=AQ/ST=qycli/L=qycli/O=HOSTYON/OU=SysOps/CN=HOSTYON"

Can I specify several certificates and keys in a way that NGINX will consider them in order, one after the other, to keep the performance as high as possible, while providing a fallback for when Cloudflare does not consider a certificate and key safe enough anymore?

The NGINX documentation mentions:

Since version 1.11.0, this directive can be specified multiple times to load certificates of different types, for example, RSA and ECDSA:

-- https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate

Would the following work as I expect it?

server {
listen              443 ssl;
server_name         example.com;

ssl_certificate     /etc/ssl/qycli.crt; # More performant, less secure ECDSA P-256 certificate
ssl_certificate_key /etc/ssl/qycli.key;

ssl_certificate     /etc/ssl/qycli.2048.crt; # More performant, less secure RSA 2048 fallback certificate
ssl_certificate_key /etc/ssl/qycli.2048.key;

ssl_certificate     /etc/ssl/qycli.384.crt; # Less performant, more secure ECDSA P-384 fallback certificate
ssl_certificate_key /etc/ssl/qycli.384.key;

ssl_certificate     /etc/ssl/qycli.4096.crt; # More performant, less secure RSA 4096 certificate
ssl_certificate_key /etc/ssl/qycli.4096.key;
...
}

Certificates and keys made with:

# ECDSA
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -x509 -nodes -days 7300 -out /etc/ssl/qycli.crt -keyout /etc/ssl/qycli.key -subj "/C=AQ/ST=qycli/L=qycli/O=HOSTYON/OU=SysOps/CN=HOSTYON"
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -x509 -nodes -days 7300 -out /etc/ssl/qycli.384.crt -keyout /etc/ssl/qycli.384.key -subj "/C=AQ/ST=qycli/L=qycli/O=HOSTYON/OU=SysOps/CN=HOSTYON"
# RSA
openssl req -x509 -newkey rsa:2048 -keyout /etc/ssl/qycli.2048.key -out /etc/ssl/qycli.2048.crt -sha256 -days 7300 -nodes -subj "/C=AQ/ST=qycli/L=qycli/O=HOSTYON/OU=SysOps/CN=HOSTYON"
openssl req -x509 -newkey rsa:4096 -keyout /etc/ssl/qycli.4096.key -out /etc/ssl/qycli.4096.crt -sha256 -days 7300 -nodes -subj "/C=AQ/ST=qycli/L=qycli/O=HOSTYON/OU=SysOps/CN=HOSTYON"

165

1 + 3

nginx

ssl-certificate

cloudflare

anx

2/14/24, 10:54 PM

Do you have reason to believe you need RSA certificates at all? Do you have reason to believe the different NSA-designed curves have sufficiently different properties to care to offer more than one? You might not *need* any more complexity.

anx

2/14/24, 10:57 PM

Have you verified the setup that was not working was really Cloudflares fault (did you use `openssl s_client` or the [Qualsys SSL Test](https://www.ssllabs.com/ssltest/) to confirm your origin server correctly uses that certificate) - now-deprecated openssl library versions used to ship surprisingly bad defaults around EC configuration.

michacassola

2/16/24, 7:41 AM

I am only thinking about this as Cloudflare accepted the certificate that I had made with the very nice ed25519 algorythm, but then suddenly without me changing anything I got 526 errors from Cloudflare. They are self signed and therefore won't withstand any checking. Cloudflare accepts anything for the origin connection which I am taking advantage of.

Score:0

Server

anx

2/14/24, 11:37 PM

Yes, multiple ssl_certificate&ssl_certificate_key pairs are just fine. nginx will send whatever is usable with what the client demands, e.g. if you are supporting TLS1.2 a client can choose ciphers that restrict what sort of certificate the server can present:

# openssl s_client -tls1_2 -cipher HIGH+aECDSA -connect server.example:443 -showcerts </dev/null
..
s:CN = server.example
a:PKEY: id-ecPublicKey
..

# openssl s_client -tls1_2 -cipher HIGH+aRSA -connect server.example:443 -showcerts </dev/null
..
s:CN = server.example
a:PKEY: rsaEncryption
..

The nginx setting ssl_ecdh_curve can be used to override client preference when multiple choices remain. But the default behaviour should already suit your goal of letting Cloudflare chose from what they deem appropriate - provided you are using non-deprecated (openssl) libraries.

For an endpoint only talking to one specific cloud provider, you might not want to offer multiple choices at all, though. Choosing one believed to be supported, secure and performant might do the trick at lower maintenance cost. All the way until all of them are believed to be no longer appropriate, possibly at about the same time in the future.

+ 1

michacassola

2/26/24, 6:36 PM

If I only offer the two ECDSA certificates, will nginx always prefer the 256 one?

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Are multiple TLS Certificates/Keys used in Order in NGINX? How does NGINX determine the best Match in this Case?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.