
ECC Certificate (ECDSA) fails in built-in web-server #353

jakepez opened this issue Mar 20, 2017 · 5 comments

@jakepez jakepez commented Mar 20, 2017

Using a Let's Encrypt ECC cert for TLS fails. The NZBGet server process listens on the TLS port, but browsers show an ERR_SSL_VERSION_OR_CIPHER_MISMATCH error when negotiating the connection.

OpenSSL doesn't ever see the server certificate in the negotiation:

140736822842376:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 7 bytes and written 308 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
    Protocol  : TLSv1.2
    Cipher    : 0000
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1489980450
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

@hugbug hugbug commented Mar 20, 2017

Are you sure you are connecting to correct port?

Can you please verify that when you use a self-signed certificate from it works? This is to ensure the problem occurs only with Let's Encrypt certificates and is not a general one.

Once verified I would need a certificate to test with. Can you provide me with one? That would be a great help.

More info about your system may help too:

  • your OS?
  • how NZBGet was installed: using official installer from nzbget web-site, self-compiled, from other repository?

@jakepez jakepez commented Mar 20, 2017

Yes, port is correct.

Platform: QNAP - installed first from the QNAP package, since upgraded using the upgrade option within nzbget to the current beta build.

The issue actually only occurs when using an ECC cert from Let's Encrypt. RSA certificates (just like self-signed) work fine. You can create certs directly from Let's Encrypt using a client like to test with.

RSA cert (requires port 80 open): --issue --standalone -d -d -d
ECC cert (requires port 80 open): --issue -w /home/wwwroot/ -d --keylength ec-256

I wasn't able to figure out how to enable debugging to see if anything is thrown on the server side error-wise. If you can share how to enable it, I can collect that information as well to trace what might be failing on the listener.

@hugbug hugbug commented Mar 20, 2017

If you can send me a test certificate to that would speed up my test significantly. Thanks.

@hugbug hugbug changed the title Let's Encrypt ECC Certificate (ECDSA) fails ECC Certificate (ECDSA) fails in built-in web-server Mar 21, 2017
@hugbug hugbug added the improvement label Mar 21, 2017
@hugbug hugbug added this to the v19 milestone Mar 21, 2017
hugbug added a commit that referenced this issue Mar 21, 2017

@jakepez jakepez commented Mar 22, 2017

Fixed in testing r1928.

@thawxor thawxor commented May 2, 2019

This only solves the problem when using the prime256v1 algorithm.

If you create a certificate using the secp384r1 (and presumably others) key algorithm you will get the same ERR_SSL_VERSION_OR_CIPHER_MISMATCH style error.

As a test I substituted NID_X9_62_prime256v1 for NID_secp384r1 at

EC_KEY* ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
and tried using it with my dehydrated-created secp384r1 based Let's Encrypt cert and it resolves the problem.

A proper fix would obviously handle secp384r1 and the other permissible algorithms.

@hugbug hugbug reopened this May 2, 2019