Mercurial > hg > nginx-quic
annotate conf/fastcgi.conf @ 7360:8f25a44d9add
SSL: logging level of "no suitable key share".
The "no suitable key share" errors are reported by OpenSSL 1.1.1 when
using TLSv1.3 if there are no shared groups (that is, elliptic curves).
In particular, it is easy enough to trigger by using only a single
curve in ssl_ecdh_curve:
ssl_ecdh_curve secp384r1;
and using a different curve in the client:
openssl s_client -connect 127.0.0.1:443 -curves prime256v1
On the client side it is seen as "sslv3 alert handshake failure",
"SSL alert number 40":
0:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1528:SSL alert number 40
It can be also triggered with default ssl_ecdh_curve by using a curve
which is not in the default list (X25519, prime256v1, X448, secp521r1,
secp384r1):
openssl s_client -connect 127.0.0.1:8443 -curves brainpoolP512r1
Given that many clients hardcode prime256v1, these errors might become
a common problem with TLSv1.3 if ssl_ecdh_curve is redefined. Previously
this resulted in not using ECDH with such clients, but with TLSv1.3 it
is no longer possible and will result in a handshake failure.
The SSL_R_NO_SHARED_GROUP error is what BoringSSL returns in the same
situation.
Seen at:
https://serverfault.com/questions/932102/nginx-ssl-handshake-error-no-suitable-key-share
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Tue, 25 Sep 2018 13:59:53 +0300 |
parents | 62869a9b2e7d |
children |
rev | line source |
---|---|
537 | 1 |
3383 | 2 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; |
537 | 3 fastcgi_param QUERY_STRING $query_string; |
4 fastcgi_param REQUEST_METHOD $request_method; | |
5 fastcgi_param CONTENT_TYPE $content_type; | |
6 fastcgi_param CONTENT_LENGTH $content_length; | |
7 | |
8 fastcgi_param SCRIPT_NAME $fastcgi_script_name; | |
9 fastcgi_param REQUEST_URI $request_uri; | |
10 fastcgi_param DOCUMENT_URI $document_uri; | |
11 fastcgi_param DOCUMENT_ROOT $document_root; | |
12 fastcgi_param SERVER_PROTOCOL $server_protocol; | |
6168
62869a9b2e7d
Added the REQUEST_SCHEME parameter.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4379
diff
changeset
|
13 fastcgi_param REQUEST_SCHEME $scheme; |
4379
4e2551a83291
Added the HTTPS fastcgi_param to fastcgi.conf.
Valentin Bartenev <vbart@nginx.com>
parents:
3383
diff
changeset
|
14 fastcgi_param HTTPS $https if_not_empty; |
537 | 15 |
16 fastcgi_param GATEWAY_INTERFACE CGI/1.1; | |
1330 | 17 fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; |
537 | 18 |
19 fastcgi_param REMOTE_ADDR $remote_addr; | |
20 fastcgi_param REMOTE_PORT $remote_port; | |
21 fastcgi_param SERVER_ADDR $server_addr; | |
22 fastcgi_param SERVER_PORT $server_port; | |
23 fastcgi_param SERVER_NAME $server_name; | |
24 | |
25 # PHP only, required if PHP was built with --enable-force-cgi-redirect | |
26 fastcgi_param REDIRECT_STATUS 200; |