annotate auto/types/typedef @ 7418:ce5e87e98772 stable-1.14
SSL: logging level of "no suitable key share".
The "no suitable key share" errors are reported by OpenSSL 1.1.1 when
using TLSv1.3 if there are no shared groups (that is, elliptic curves).
In particular, it is easy enough to trigger by using only a single
curve in ssl_ecdh_curve:
ssl_ecdh_curve secp384r1;
and using a different curve in the client:
openssl s_client -connect 127.0.0.1:443 -curves prime256v1
On the client side it is seen as "sslv3 alert handshake failure",
"SSL alert number 40":
0:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1528:SSL alert number 40
It can be also triggered with default ssl_ecdh_curve by using a curve
which is not in the default list (X25519, prime256v1, X448, secp521r1,
secp384r1):
openssl s_client -connect 127.0.0.1:8443 -curves brainpoolP512r1
Given that many clients hardcode prime256v1, these errors might become
a common problem with TLSv1.3 if ssl_ecdh_curve is redefined. Previously
this resulted in not using ECDH with such clients, but with TLSv1.3 it
is no longer possible and will result in a handshake failure.
The SSL_R_NO_SHARED_GROUP error is what BoringSSL returns in the same
situation.
Seen at:
https://serverfault.com/questions/932102/nginx-ssl-handshake-error-no-suitable-key-share
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Tue, 25 Sep 2018 13:59:53 +0300 |
parents | e3faa5fb7772 |
children |
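
# Copyright (C) Igor Sysoev
# Copyright (C) Nginx, Inc.


# Probe whether the C type named by $ngx_type can be compiled on this
# platform, falling back to each candidate in $ngx_types in order.
#
# Inputs read from the environment of the calling configure run:
#   ngx_type, ngx_types         type to look for, then fallback candidates
#   ngx_n, ngx_c                echo "no newline" prefix / suffix
#   CC, CC_TEST_FLAGS, CC_AUX_FLAGS, NGX_LD_OPT, ngx_feature_libs
#                               pieces of the compile command
#   NGX_INCLUDE_INTTYPES_H      extra line expanded into the test program
#   NGX_AUTOTEST                path prefix of the test source and binary
#   NGX_AUTOCONF_ERR            log file for compiler output
#   NGX_AUTO_CONFIG_H           generated header that receives the typedef
#
# Result: ngx_found is "yes" when $ngx_type itself compiled, or the name of
# the fallback that did; in the fallback case a typedef line is appended to
# $NGX_AUTO_CONFIG_H.  If nothing compiles, the script prints an error and
# exits with status 1.
#
# NOTE(review): the compile command is passed through eval, so every
# variable that goes into it is re-parsed by the shell.  These values should
# come only from the trusted build configuration, never from data fetched or
# generated at build time.

# $ngx_n is deliberately unquoted: it may be empty and must then vanish
# instead of becoming an empty argument to echo.
echo $ngx_n "checking for $ngx_type ...$ngx_c"

cat << END >> "$NGX_AUTOCONF_ERR"

----------------------------------------
checking for $ngx_type

END

ngx_found=no

# Word splitting of $ngx_types is intended here: it is a list of candidates.
for ngx_try in $ngx_type $ngx_types
do

    # Generate a minimal program that only declares a variable of the
    # candidate type; it is compiled but never run.
    cat << END > "$NGX_AUTOTEST.c"

#include <sys/types.h>
#include <signal.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <netinet/in.h>
$NGX_INCLUDE_INTTYPES_H

int main(void) {
    $ngx_try i = 0;
    return (int) i;
}

END

    ngx_test="$CC $CC_TEST_FLAGS $CC_AUX_FLAGS \
              -o $NGX_AUTOTEST $NGX_AUTOTEST.c $NGX_LD_OPT $ngx_feature_libs"

    eval "$ngx_test >> $NGX_AUTOCONF_ERR 2>&1"

    # Quoted so that an empty NGX_AUTOTEST is tested as the empty path (false)
    # rather than collapsing to the one-argument form `[ -x ]`, which is true.
    if [ -x "$NGX_AUTOTEST" ]; then
        if [ "$ngx_try" = "$ngx_type" ]; then
            echo " found"
            ngx_found=yes
        else
            echo ", $ngx_try used"
            ngx_found=$ngx_try
        fi
    fi

    if [ "$ngx_found" = no ]; then
        if [ "$ngx_try" = "$ngx_type" ]; then
            echo $ngx_n " $ngx_try not found$ngx_c"
        else
            echo $ngx_n ", $ngx_try not found$ngx_c"
        fi

        # Keep the failed test program and the exact command in the log so
        # the failure can be diagnosed afterwards.
        echo "----------" >> "$NGX_AUTOCONF_ERR"
        cat "$NGX_AUTOTEST.c" >> "$NGX_AUTOCONF_ERR"
        echo "----------" >> "$NGX_AUTOCONF_ERR"
        # Unquoted on purpose: collapses the continuation-line whitespace
        # inside $ngx_test into single spaces.
        echo $ngx_test >> "$NGX_AUTOCONF_ERR"
        echo "----------" >> "$NGX_AUTOCONF_ERR"
    fi

    # ${VAR:?} aborts instead of expanding to `rm -rf *` in the current
    # directory when NGX_AUTOTEST is unset or empty; the quotes keep a path
    # containing spaces or glob characters from being split or expanded.
    rm -rf "${NGX_AUTOTEST:?NGX_AUTOTEST is not set}"*

    if [ "$ngx_found" != no ]; then
        break
    fi
done

if [ "$ngx_found" = no ]; then
    echo
    echo "$0: error: can not define $ngx_type"

    exit 1
fi

# Only a fallback needs a typedef; "yes" means the platform already has the
# requested type.
if [ "$ngx_found" != yes ]; then
    echo "typedef $ngx_found $ngx_type;" >> "$NGX_AUTO_CONFIG_H"
fi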