annotate src/core/ngx_core.h @ 7360:8f25a44d9add
SSL: logging level of "no suitable key share".
The "no suitable key share" errors are reported by OpenSSL 1.1.1 when
using TLSv1.3 if there are no shared groups (that is, elliptic curves).
In particular, it is easy enough to trigger by using only a single
curve in ssl_ecdh_curve:
ssl_ecdh_curve secp384r1;
and using a different curve in the client:
openssl s_client -connect 127.0.0.1:443 -curves prime256v1
On the client side it is seen as "sslv3 alert handshake failure",
"SSL alert number 40":
0:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1528:SSL alert number 40
It can be also triggered with default ssl_ecdh_curve by using a curve
which is not in the default list (X25519, prime256v1, X448, secp521r1,
secp384r1):
openssl s_client -connect 127.0.0.1:8443 -curves brainpoolP512r1
Given that many clients hardcode prime256v1, these errors might become
a common problem with TLSv1.3 if ssl_ecdh_curve is redefined. Previously
this resulted in not using ECDH with such clients, but with TLSv1.3 that
fallback is no longer possible and the result is a handshake failure.
The SSL_R_NO_SHARED_GROUP error is what BoringSSL returns in the same
situation.
Seen at:
https://serverfault.com/questions/932102/nginx-ssl-handshake-error-no-suitable-key-share
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Tue, 25 Sep 2018 13:59:53 +0300 |
parents | d27aa9060c95 |
children | 06b01840bd42 |
/*
 * Copyright (C) Igor Sysoev
 * Copyright (C) Nginx, Inc.
 */


#ifndef _NGX_CORE_H_INCLUDED_
#define _NGX_CORE_H_INCLUDED_


/* ngx_config.h is included before anything else in this header. */
#include <ngx_config.h>


/*
 * Typedef names for the core structure types.  Only the names are
 * introduced here; the structure definitions are not part of this header.
 *
 * ngx_ssl_t and ngx_ssl_connection_t are declared unconditionally, while
 * ngx_event_openssl.h is included below only under NGX_OPENSSL.
 * NOTE(review): without NGX_OPENSSL these two are presumably usable only
 * as incomplete (pointer-only) types; confirm before dereferencing them
 * outside an NGX_OPENSSL guard.
 */
typedef struct ngx_module_s          ngx_module_t;
typedef struct ngx_conf_s            ngx_conf_t;
typedef struct ngx_cycle_s           ngx_cycle_t;
typedef struct ngx_pool_s            ngx_pool_t;
typedef struct ngx_chain_s           ngx_chain_t;
typedef struct ngx_log_s             ngx_log_t;
typedef struct ngx_open_file_s       ngx_open_file_t;
typedef struct ngx_command_s         ngx_command_t;
typedef struct ngx_file_s            ngx_file_t;
typedef struct ngx_event_s           ngx_event_t;
typedef struct ngx_event_aio_s       ngx_event_aio_t;
typedef struct ngx_connection_s      ngx_connection_t;
typedef struct ngx_thread_task_s     ngx_thread_task_t;
typedef struct ngx_ssl_s             ngx_ssl_t;
typedef struct ngx_ssl_connection_s  ngx_ssl_connection_t;
typedef struct ngx_udp_connection_s  ngx_udp_connection_t;

/*
 * Callback pointer types: a handler receives the event or the connection
 * it is invoked for and returns nothing.
 */
typedef void (*ngx_event_handler_pt)(ngx_event_t *ev);
typedef void (*ngx_connection_handler_pt)(ngx_connection_t *c);


/*
 * Integer status codes.  NGX_OK is zero and every other code is negative.
 * What each code means to a caller is decided by the functions that
 * return it and is not visible in this header.
 */
#define  NGX_OK          0
#define  NGX_ERROR      -1
#define  NGX_AGAIN      -2
#define  NGX_BUSY       -3
#define  NGX_DONE       -4
#define  NGX_DECLINED   -5
#define  NGX_ABORT      -6


/*
 * Core headers, in the order the original file lists them.
 * ngx_regex.h is included only when NGX_PCRE is set and
 * ngx_event_openssl.h only when NGX_OPENSSL is set.
 */
#include <ngx_errno.h>
#include <ngx_atomic.h>
#include <ngx_thread.h>
#include <ngx_rbtree.h>
#include <ngx_time.h>
#include <ngx_socket.h>
#include <ngx_string.h>
#include <ngx_files.h>
#include <ngx_shmem.h>
#include <ngx_process.h>
#include <ngx_user.h>
#include <ngx_dlopen.h>
#include <ngx_parse.h>
#include <ngx_parse_time.h>
#include <ngx_log.h>
#include <ngx_alloc.h>
#include <ngx_palloc.h>
#include <ngx_buf.h>
#include <ngx_queue.h>
#include <ngx_array.h>
#include <ngx_list.h>
#include <ngx_hash.h>
#include <ngx_file.h>
#include <ngx_crc.h>
#include <ngx_crc32.h>
#include <ngx_murmurhash.h>
#if (NGX_PCRE)
#include <ngx_regex.h>
#endif
#include <ngx_radix_tree.h>
#include <ngx_times.h>
#include <ngx_rwlock.h>
#include <ngx_shmtx.h>
#include <ngx_slab.h>
#include <ngx_inet.h>
#include <ngx_cycle.h>
#include <ngx_resolver.h>
#if (NGX_OPENSSL)
#include <ngx_event_openssl.h>
#endif
#include <ngx_process_cycle.h>
#include <ngx_conf_file.h>
#include <ngx_module.h>
#include <ngx_open_file_cache.h>
#include <ngx_os.h>
#include <ngx_connection.h>
#include <ngx_syslog.h>
#include <ngx_proxy_protocol.h>


/*
 * Line terminators: LF and CR are single characters cast to u_char,
 * CRLF is a two-character string literal.
 */
#define LF     (u_char) '\n'
#define CR     (u_char) '\r'
#define CRLF   "\r\n"


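/*
 * Arithmetic helper macros.
 *
 * Every argument is parenthesized at each use, so an argument that is
 * itself an expression with a low-precedence operator (for example
 * "a & b") is compared as a whole rather than being split by the
 * comparison operator inside the macro.
 *
 * The arguments are still evaluated more than once, so they must not have
 * side effects (no "i++", no function call that changes state).
 * ngx_abs() negates its argument; for the most negative value of a signed
 * type that negation overflows, so callers have to exclude that value.
 */
#define ngx_abs(value)       (((value) >= 0) ? (value) : - (value))
#define ngx_max(val1, val2)  (((val1) < (val2)) ? (val2) : (val1))
#define ngx_min(val1, val2)  (((val1) > (val2)) ? (val2) : (val1))

/* Declared here; the definition is not part of this header. */
void ngx_cpuinfo(void);
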
4477
7033faf6dc3c
Added disable_symlinks directive.
Andrey Belov <defan@nginx.com>
parents:
4412
diff
changeset
|
106 #if (NGX_HAVE_OPENAT) |
7033faf6dc3c
Added disable_symlinks directive.
Andrey Belov <defan@nginx.com>
parents:
4412
diff
changeset
|
107 #define NGX_DISABLE_SYMLINKS_OFF 0 |
7033faf6dc3c
Added disable_symlinks directive.
Andrey Belov <defan@nginx.com>
parents:
4412
diff
changeset
|
108 #define NGX_DISABLE_SYMLINKS_ON 1 |
7033faf6dc3c
Added disable_symlinks directive.
Andrey Belov <defan@nginx.com>
parents:
4412
diff
changeset
|
109 #define NGX_DISABLE_SYMLINKS_NOTOWNER 2 |
7033faf6dc3c
Added disable_symlinks directive.
Andrey Belov <defan@nginx.com>
parents:
4412
diff
changeset
|
110 #endif |
557 | 111 |
4
c5f071d376e5
nginx-0.0.1-2002-08-22-19:24:03 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
112 #endif /* _NGX_CORE_H_INCLUDED_ */ |