Mercurial > hg > nginx
annotate auto/endianness @ 7418:ce5e87e98772 stable-1.14
SSL: logging level of "no suitable key share".
The "no suitable key share" errors are reported by OpenSSL 1.1.1 when
using TLSv1.3 if there are no shared groups (that is, elliptic curves).
In particular, it is easy enough to trigger by using only a single
curve in ssl_ecdh_curve:
ssl_ecdh_curve secp384r1;
and using a different curve in the client:
openssl s_client -connect 127.0.0.1:443 -curves prime256v1
On the client side it is seen as "sslv3 alert handshake failure",
"SSL alert number 40":
0:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1528:SSL alert number 40
It can be also triggered with default ssl_ecdh_curve by using a curve
which is not in the default list (X25519, prime256v1, X448, secp521r1,
secp384r1):
openssl s_client -connect 127.0.0.1:8443 -curves brainpoolP512r1
Given that many clients hardcode prime256v1, these errors might become
a common problem with TLSv1.3 if ssl_ecdh_curve is redefined. Previously
this resulted in not using ECDH with such clients, but with TLSv1.3 it
is no longer possible and will result in a handshake failure.
The SSL_R_NO_SHARED_GROUP error is what BoringSSL returns in the same
situation.
Seen at:
https://serverfault.com/questions/932102/nginx-ssl-handshake-error-no-suitable-key-share
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Tue, 25 Sep 2018 13:59:53 +0300 |
| parents | e3faa5fb7772 |
| children |
| rev | line source |
|---|---|
|
444
42d11f017717
nginx-0.1.0-2004-09-29-20:00:49 import; remove years from copyright
Igor Sysoev <igor@sysoev.ru>
parents:
370
diff
changeset
|
1 |
|
42d11f017717
nginx-0.1.0-2004-09-29-20:00:49 import; remove years from copyright
Igor Sysoev <igor@sysoev.ru>
parents:
370
diff
changeset
|
2 # Copyright (C) Igor Sysoev |
| 4412 | 3 # Copyright (C) Nginx, Inc. |
|
444
42d11f017717
nginx-0.1.0-2004-09-29-20:00:49 import; remove years from copyright
Igor Sysoev <igor@sysoev.ru>
parents:
370
diff
changeset
|
4 |
|
370
54f76b0b8dca
nginx-0.0.7-2004-06-27-22:01:57 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
5 |
|
4681
bb37a9cc08fb
Fixed spelling of "endianness", and called it "byte ordering" in the
Ruslan Ermilov <ru@nginx.com>
parents:
4412
diff
changeset
|
6 echo $ngx_n "checking for system byte ordering ...$ngx_c" |
|
6269
7ec809b579d7
Configure: style fixes for autoconf.err.
Piotr Sikora <piotrsikora@google.com>
parents:
5309
diff
changeset
|
7 |
|
7ec809b579d7
Configure: style fixes for autoconf.err.
Piotr Sikora <piotrsikora@google.com>
parents:
5309
diff
changeset
|
8 cat << END >> $NGX_AUTOCONF_ERR |
|
7ec809b579d7
Configure: style fixes for autoconf.err.
Piotr Sikora <piotrsikora@google.com>
parents:
5309
diff
changeset
|
9 |
|
7ec809b579d7
Configure: style fixes for autoconf.err.
Piotr Sikora <piotrsikora@google.com>
parents:
5309
diff
changeset
|
10 ---------------------------------------- |
|
7ec809b579d7
Configure: style fixes for autoconf.err.
Piotr Sikora <piotrsikora@google.com>
parents:
5309
diff
changeset
|
11 checking for system byte ordering |
|
7ec809b579d7
Configure: style fixes for autoconf.err.
Piotr Sikora <piotrsikora@google.com>
parents:
5309
diff
changeset
|
12 |
|
7ec809b579d7
Configure: style fixes for autoconf.err.
Piotr Sikora <piotrsikora@google.com>
parents:
5309
diff
changeset
|
13 END |
|
370
54f76b0b8dca
nginx-0.0.7-2004-06-27-22:01:57 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
14 |
|
54f76b0b8dca
nginx-0.0.7-2004-06-27-22:01:57 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
15 |
|
54f76b0b8dca
nginx-0.0.7-2004-06-27-22:01:57 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
16 cat << END > $NGX_AUTOTEST.c |
|
54f76b0b8dca
nginx-0.0.7-2004-06-27-22:01:57 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
17 |
|
6624
e3faa5fb7772
Configure: fix build with -Werror=old-style-definition.
Piotr Sikora <piotrsikora@google.com>
parents:
6269
diff
changeset
|
18 int main(void) { |
|
370
54f76b0b8dca
nginx-0.0.7-2004-06-27-22:01:57 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
19 int i = 0x11223344; |
|
54f76b0b8dca
nginx-0.0.7-2004-06-27-22:01:57 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
20 char *p; |
|
54f76b0b8dca
nginx-0.0.7-2004-06-27-22:01:57 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
21 |
|
54f76b0b8dca
nginx-0.0.7-2004-06-27-22:01:57 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
22 p = (char *) &i; |
|
54f76b0b8dca
nginx-0.0.7-2004-06-27-22:01:57 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
23 if (*p == 0x44) return 0; |
|
54f76b0b8dca
nginx-0.0.7-2004-06-27-22:01:57 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
24 return 1; |
|
54f76b0b8dca
nginx-0.0.7-2004-06-27-22:01:57 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
25 } |
|
54f76b0b8dca
nginx-0.0.7-2004-06-27-22:01:57 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
26 |
|
54f76b0b8dca
nginx-0.0.7-2004-06-27-22:01:57 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
27 END |
|
54f76b0b8dca
nginx-0.0.7-2004-06-27-22:01:57 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
28 |
| 583 | 29 ngx_test="$CC $CC_TEST_FLAGS $CC_AUX_FLAGS \ |
| 577 | 30 -o $NGX_AUTOTEST $NGX_AUTOTEST.c $NGX_LD_OPT $ngx_feature_libs" |
| 31 | |
| 32 eval "$ngx_test >> $NGX_AUTOCONF_ERR 2>&1" | |
|
370
54f76b0b8dca
nginx-0.0.7-2004-06-27-22:01:57 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
33 |
|
54f76b0b8dca
nginx-0.0.7-2004-06-27-22:01:57 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
34 if [ -x $NGX_AUTOTEST ]; then |
| 703 | 35 if $NGX_AUTOTEST >/dev/null 2>&1; then |
|
4681
bb37a9cc08fb
Fixed spelling of "endianness", and called it "byte ordering" in the
Ruslan Ermilov <ru@nginx.com>
parents:
4412
diff
changeset
|
36 echo " little endian" |
| 469 | 37 have=NGX_HAVE_LITTLE_ENDIAN . auto/have |
|
370
54f76b0b8dca
nginx-0.0.7-2004-06-27-22:01:57 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
38 else |
|
4681
bb37a9cc08fb
Fixed spelling of "endianness", and called it "byte ordering" in the
Ruslan Ermilov <ru@nginx.com>
parents:
4412
diff
changeset
|
39 echo " big endian" |
|
370
54f76b0b8dca
nginx-0.0.7-2004-06-27-22:01:57 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
40 fi |
|
54f76b0b8dca
nginx-0.0.7-2004-06-27-22:01:57 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
41 |
|
5309
434548349838
Configure: fixed autotest cleanup commands.
Sergey Kandaurov <pluknet@nginx.com>
parents:
4681
diff
changeset
|
42 rm -rf $NGX_AUTOTEST* |
|
370
54f76b0b8dca
nginx-0.0.7-2004-06-27-22:01:57 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
43 |
|
54f76b0b8dca
nginx-0.0.7-2004-06-27-22:01:57 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
44 else |
|
5309
434548349838
Configure: fixed autotest cleanup commands.
Sergey Kandaurov <pluknet@nginx.com>
parents:
4681
diff
changeset
|
45 rm -rf $NGX_AUTOTEST* |
|
370
54f76b0b8dca
nginx-0.0.7-2004-06-27-22:01:57 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
46 |
|
54f76b0b8dca
nginx-0.0.7-2004-06-27-22:01:57 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
47 echo |
|
4681
bb37a9cc08fb
Fixed spelling of "endianness", and called it "byte ordering" in the
Ruslan Ermilov <ru@nginx.com>
parents:
4412
diff
changeset
|
48 echo "$0: error: cannot detect system byte ordering" |
|
370
54f76b0b8dca
nginx-0.0.7-2004-06-27-22:01:57 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
49 exit 1 |
|
54f76b0b8dca
nginx-0.0.7-2004-06-27-22:01:57 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
50 fi |