annotate auto/module @ 7418:ce5e87e98772 stable-1.14
SSL: logging level of "no suitable key share".

The "no suitable key share" errors are reported by OpenSSL 1.1.1 when
using TLSv1.3 if there are no shared groups (that is, elliptic curves).
In particular, it is easy enough to trigger by using only a single
curve in ssl_ecdh_curve:

    ssl_ecdh_curve secp384r1;

and using a different curve in the client:

    openssl s_client -connect 127.0.0.1:443 -curves prime256v1

On the client side it is seen as "sslv3 alert handshake failure",
"SSL alert number 40":

    0:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1528:SSL alert number 40

It can be also triggered with default ssl_ecdh_curve by using a curve
which is not in the default list (X25519, prime256v1, X448, secp521r1,
secp384r1):

    openssl s_client -connect 127.0.0.1:8443 -curves brainpoolP512r1

Given that many clients hardcode prime256v1, these errors might become
a common problem with TLSv1.3 if ssl_ecdh_curve is redefined. Previously
this resulted in not using ECDH with such clients, but with TLSv1.3 it
is no longer possible and will result in a handshake failure.

The SSL_R_NO_SHARED_GROUP error is what BoringSSL returns in the same
situation.

Seen at:

https://serverfault.com/questions/932102/nginx-ssl-handshake-error-no-suitable-key-share
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Tue, 25 Sep 2018 13:59:53 +0300 |
parents | 2c7a2d75938a |
children | 4b1299b1856a |
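
The following Python example is added here for illustration and is not part of the nginx changeset or its author's code: it models the group mismatch the commit message describes and audits a configuration for `ssl_ecdh_curve` values that share no group with a given client. The function names, the sample configuration and the client profiles are constructed for this example; the default group list is the one quoted in the message.

```python
import re

# Default list quoted in the commit message (OpenSSL 1.1.1, default ssl_ecdh_curve).
DEFAULT_GROUPS = ["X25519", "prime256v1", "X448", "secp521r1", "secp384r1"]
# Alternative names for the same curves.
ALIASES = {"p-256": "prime256v1", "secp256r1": "prime256v1",
           "p-384": "secp384r1", "p-521": "secp521r1"}
# Active (uncommented) ssl_ecdh_curve directives; group 1 is the value.
DIRECTIVE = re.compile(r"^[ \t]*ssl_ecdh_curve[ \t]+([^;#\n]+);", re.MULTILINE)

# Constructed sample input: one redefined curve list, one default list.
SAMPLE_CONF = """\
server {
    listen 443 ssl;
    ssl_ecdh_curve secp384r1;
}
server {
    listen 8443 ssl;
    ssl_ecdh_curve auto;
}
"""
SAMPLE_CLIENTS = {"prime256v1-only": ["prime256v1"],
                  "brainpool-only": ["brainpoolP512r1"]}


def canon(name):
    """Lower-case a group name and map known aliases to one spelling."""
    n = name.strip().lower()
    return ALIASES.get(n, n)


def negotiate(server_value, client_groups):
    """Model one ssl_ecdh_curve value against one client's group list."""
    value = server_value.strip()
    names = DEFAULT_GROUPS if value == "auto" else value.split(":")
    offered = {canon(g) for g in client_groups}
    shared = [g.strip() for g in names if canon(g) in offered]
    if shared:
        return {"shared": shared, "tls12": "ECDH", "tls13": "ok"}
    # Per the commit message: TLSv1.2 goes on without ECDH, TLSv1.3 cannot.
    return {"shared": [], "tls12": "no ECDH",
            "tls13": "handshake failure (alert 40)"}


def audit(conf_text, clients):
    """Return (line, value, client) for every directive/client pair with no shared group."""
    findings = []
    for m in DIRECTIVE.finditer(conf_text):
        line = conf_text.count("\n", 0, m.start(1)) + 1
        for label, groups in clients.items():
            if not negotiate(m.group(1), groups)["shared"]:
                findings.append((line, m.group(1).strip(), label))
    return findings
```

Calling `audit(SAMPLE_CONF, SAMPLE_CLIENTS)` flags the `secp384r1` server for both clients and the default list only for the brainpool-only client, matching the two reproductions in the commit message.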
rev | changeset | description | author | parents |
---|---|---|---|---|
6382 | 392959224560 | Dynamic modules: auto/module script. | Maxim Dounin <mdounin@mdounin.ru> | |
6603 | 9eefb38f0005 | Internal md5 and sha1 implementations are now always used. | Maxim Dounin <mdounin@mdounin.ru> | 6419 |
6804 | 2c7a2d75938a | Configure: honor dependencies of dynamic modules. | Maxim Dounin <mdounin@mdounin.ru> | 6603 |

```
 rev  line  source
6382     1
6382     2  # Copyright (C) Ruslan Ermilov
6382     3  # Copyright (C) Nginx, Inc.
6382     4
6382     5
6382     6  case $ngx_module_type in
6382     7      HTTP_*) ngx_var=HTTP ;;
6382     8      *)      ngx_var=$ngx_module_type ;;
6382     9  esac
6382    10
6382    11
6383    12  if [ "$ngx_module_link" = DYNAMIC ]; then
6383    13
6383    14      for ngx_module in $ngx_module_name; do
6383    15          # extract the first name
6383    16          break
6383    17      done
6383    18
6383    19      DYNAMIC_MODULES="$DYNAMIC_MODULES $ngx_module"
6383    20      eval ${ngx_module}_SRCS=\"$ngx_module_srcs\"
6383    21
6383    22      eval ${ngx_module}_MODULES=\"$ngx_module_name\"
6383    23
6383    24      if [ -z "$ngx_module_order" -a \
6383    25           \( "$ngx_module_type" = "HTTP_FILTER" \
6383    26           -o "$ngx_module_type" = "HTTP_AUX_FILTER" \) ]
6383    27      then
6383    28          eval ${ngx_module}_ORDER=\"$ngx_module_name \
6383    29                                     ngx_http_copy_filter_module\"
6383    30      else
6383    31          eval ${ngx_module}_ORDER=\"$ngx_module_order\"
6383    32      fi
6383    33
6383    34      if test -n "$ngx_module_incs"; then
6383    35          CORE_INCS="$CORE_INCS $ngx_module_incs"
6383    36      fi
6383    37
6804    38      if test -n "$ngx_module_deps"; then
6804    39          NGX_ADDON_DEPS="$NGX_ADDON_DEPS $ngx_module_deps"
6804    40      fi
6804    41
6383    42      libs=
6383    43      for lib in $ngx_module_libs
6383    44      do
6383    45          case $lib in
6383    46
6419    47              LIBXSLT | LIBGD | GEOIP | PERL)
6383    48                  libs="$libs \$NGX_LIB_$lib"
6383    49
6383    50                  if eval [ "\$USE_${lib}" = NO ] ; then
6383    51                      eval USE_${lib}=DYNAMIC
6383    52                  fi
6383    53              ;;
6383    54
6603    55              PCRE | OPENSSL | ZLIB)
6383    56                  eval USE_${lib}=YES
6383    57              ;;
6383    58
6603    59              MD5 | SHA1)
6603    60                  # obsolete
6603    61              ;;
6603    62
6383    63              *)
6383    64                  libs="$libs $lib"
6383    65              ;;
6383    66
6383    67          esac
6383    68      done
6383    69      eval ${ngx_module}_LIBS=\'$libs\'
6383    70
6383    71  elif [ "$ngx_module_link" = YES ]; then
6382    72
6382    73      eval ${ngx_module_type}_MODULES=\"\$${ngx_module_type}_MODULES \
6382    74                                      $ngx_module_name\"
6382    75
6382    76      eval ${ngx_var}_SRCS=\"\$${ngx_var}_SRCS $ngx_module_srcs\"
6382    77
6382    78      if test -n "$ngx_module_incs"; then
6382    79          eval ${ngx_var}_INCS=\"\$${ngx_var}_INCS $ngx_module_incs\"
6382    80      fi
6382    81
6382    82      if test -n "$ngx_module_deps"; then
6382    83          eval ${ngx_var}_DEPS=\"\$${ngx_var}_DEPS $ngx_module_deps\"
6382    84      fi
6382    85
6382    86      for lib in $ngx_module_libs
6382    87      do
6382    88          case $lib in
6382    89
6603    90              PCRE | OPENSSL | ZLIB | LIBXSLT | LIBGD | PERL | GEOIP)
6382    91                  eval USE_${lib}=YES
6382    92              ;;
6382    93
6603    94              MD5 | SHA1)
6603    95                  # obsolete
6603    96              ;;
6603    97
6382    98              *)
6382    99                  CORE_LIBS="$CORE_LIBS $lib"
6382   100              ;;
6382   101
6382   102          esac
6382   103      done
6382   104
6382   105  elif [ "$ngx_module_link" = ADDON ]; then
6382   106
6382   107      eval ${ngx_module_type}_MODULES=\"\$${ngx_module_type}_MODULES \
6382   108                                      $ngx_module_name\"
6382   109
6382   110      NGX_ADDON_SRCS="$NGX_ADDON_SRCS $ngx_module_srcs"
6382   111
6382   112      if test -n "$ngx_module_incs"; then
6382   113          eval ${ngx_var}_INCS=\"\$${ngx_var}_INCS $ngx_module_incs\"
6382   114      fi
6382   115
6382   116      if test -n "$ngx_module_deps"; then
6382   117          NGX_ADDON_DEPS="$NGX_ADDON_DEPS $ngx_module_deps"
6382   118      fi
6382   119
6382   120      for lib in $ngx_module_libs
6382   121      do
6382   122          case $lib in
6382   123
6603   124              PCRE | OPENSSL | ZLIB | LIBXSLT | LIBGD | PERL | GEOIP)
6382   125                  eval USE_${lib}=YES
6382   126              ;;
6382   127
6603   128              MD5 | SHA1)
6603   129                  # obsolete
6603   130              ;;
6603   131
6382   132              *)
6382   133                  CORE_LIBS="$CORE_LIBS $lib"
6382   134              ;;
6382   135
6382   136          esac
6382   137      done
6382   138  fi
```