view src/core/ngx_module.h @ 7360:8f25a44d9add
SSL: logging level of "no suitable key share".
The "no suitable key share" errors are reported by OpenSSL 1.1.1 when
using TLSv1.3 if there are no shared groups (that is, elliptic curves).
In particular, it is easy enough to trigger by using only a single
curve in ssl_ecdh_curve:
ssl_ecdh_curve secp384r1;
and using a different curve in the client:
openssl s_client -connect 127.0.0.1:443 -curves prime256v1
On the client side it is seen as "sslv3 alert handshake failure",
"SSL alert number 40":
0:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1528:SSL alert number 40
It can also be triggered with default ssl_ecdh_curve by using a curve
which is not in the default list (X25519, prime256v1, X448, secp521r1,
secp384r1):
openssl s_client -connect 127.0.0.1:8443 -curves brainpoolP512r1
Given that many clients hardcode prime256v1, these errors might become
a common problem with TLSv1.3 if ssl_ecdh_curve is redefined. Previously
this resulted in not using ECDH with such clients, but with TLSv1.3 it
is no longer possible and will result in a handshake failure.
The SSL_R_NO_SHARED_GROUP error is what BoringSSL returns in the same
situation.
Seen at:
https://serverfault.com/questions/932102/nginx-ssl-handshake-error-no-suitable-key-share
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Tue, 25 Sep 2018 13:59:53 +0300 |
parents | e38e9c50a40e |
children | ec2e6893caaa |
/*
 * Copyright (C) Igor Sysoev
 * Copyright (C) Maxim Dounin
 * Copyright (C) Nginx, Inc.
 */

/*
 * Module descriptor (struct ngx_module_s), the build "signature" string
 * stored in every descriptor, and the declarations of the module registry
 * (ngx_modules[], ngx_module_names[], ngx_max_module) with the functions
 * that operate on it.
 */


#ifndef _NGX_MODULE_H_INCLUDED_
#define _NGX_MODULE_H_INCLUDED_


#include <ngx_config.h>
#include <ngx_core.h>
#include <nginx.h>


/*
 * All-ones ngx_uint_t value.  NGX_MODULE_V1 uses it for the first two
 * positions, which line up with ctx_index and index in struct ngx_module_s.
 * The expansion is not wrapped in parentheses, so it is only safe where a
 * cast expression is (initializers, comparisons); e.g. "sizeof" applied to
 * it would not parse as intended.
 */
#define NGX_MODULE_UNSET_INDEX  (ngx_uint_t) -1


/*
 * NGX_MODULE_SIGNATURE is a compile-time string assembled from adjacent
 * string literals: three comma-terminated values produced by ngx_value()
 * (NGX_MODULE_SIGNATURE_0), followed by one "0"/"1" character per build
 * option (NGX_MODULE_SIGNATURE_1 .. NGX_MODULE_SIGNATURE_34).
 *
 * It describes how a binary was configured; it is not a cryptographic
 * signature.  It contains no secret and no digest of the module's code, so
 * an equal string only tells that two builds used the same options and
 * gives no assurance about who built a module or whether it was modified.
 * Which files may be loaded as modules has to be controlled by other means
 * (file ownership and permissions, who may edit the configuration).
 *
 * The position of every character is part of the format: adding, removing
 * or reordering a fragment changes the resulting string.
 *
 * NOTE(review): the code that compares this string with a module's
 * "signature" field is not in this header - presumably the dynamic module
 * loader; confirm.
 * NOTE(review): ngx_value() is defined elsewhere; presumably it turns its
 * expanded argument into a string literal - confirm.
 */

/* sizes of a pointer, sig_atomic_t and time_t, each followed by "," */
#define NGX_MODULE_SIGNATURE_0                                                \
    ngx_value(NGX_PTR_SIZE) ","                                               \
    ngx_value(NGX_SIG_ATOMIC_T_SIZE) ","                                      \
    ngx_value(NGX_TIME_T_SIZE) ","

#if (NGX_HAVE_KQUEUE)
#define NGX_MODULE_SIGNATURE_1   "1"
#else
#define NGX_MODULE_SIGNATURE_1   "0"
#endif

#if (NGX_HAVE_IOCP)
#define NGX_MODULE_SIGNATURE_2   "1"
#else
#define NGX_MODULE_SIGNATURE_2   "0"
#endif

/* fragments 3, 4, 22 and 24 are also "1" whenever NGX_COMPAT is set */
#if (NGX_HAVE_FILE_AIO || NGX_COMPAT)
#define NGX_MODULE_SIGNATURE_3   "1"
#else
#define NGX_MODULE_SIGNATURE_3   "0"
#endif

#if (NGX_HAVE_AIO_SENDFILE || NGX_COMPAT)
#define NGX_MODULE_SIGNATURE_4   "1"
#else
#define NGX_MODULE_SIGNATURE_4   "0"
#endif

#if (NGX_HAVE_EVENTFD)
#define NGX_MODULE_SIGNATURE_5   "1"
#else
#define NGX_MODULE_SIGNATURE_5   "0"
#endif

#if (NGX_HAVE_EPOLL)
#define NGX_MODULE_SIGNATURE_6   "1"
#else
#define NGX_MODULE_SIGNATURE_6   "0"
#endif

#if (NGX_HAVE_KEEPALIVE_TUNABLE)
#define NGX_MODULE_SIGNATURE_7   "1"
#else
#define NGX_MODULE_SIGNATURE_7   "0"
#endif

#if (NGX_HAVE_INET6)
#define NGX_MODULE_SIGNATURE_8   "1"
#else
#define NGX_MODULE_SIGNATURE_8   "0"
#endif

/*
 * Fragments 9, 10, 12, 25 and 27 are the constant "1" and fragments 17 and
 * 18 the constant "0": they do not depend on any option visible here and
 * only hold their position in the string.
 */
#define NGX_MODULE_SIGNATURE_9   "1"
#define NGX_MODULE_SIGNATURE_10  "1"

#if (NGX_HAVE_DEFERRED_ACCEPT && defined SO_ACCEPTFILTER)
#define NGX_MODULE_SIGNATURE_11  "1"
#else
#define NGX_MODULE_SIGNATURE_11  "0"
#endif

#define NGX_MODULE_SIGNATURE_12  "1"

#if (NGX_HAVE_SETFIB)
#define NGX_MODULE_SIGNATURE_13  "1"
#else
#define NGX_MODULE_SIGNATURE_13  "0"
#endif

#if (NGX_HAVE_TCP_FASTOPEN)
#define NGX_MODULE_SIGNATURE_14  "1"
#else
#define NGX_MODULE_SIGNATURE_14  "0"
#endif

#if (NGX_HAVE_UNIX_DOMAIN)
#define NGX_MODULE_SIGNATURE_15  "1"
#else
#define NGX_MODULE_SIGNATURE_15  "0"
#endif

#if (NGX_HAVE_VARIADIC_MACROS)
#define NGX_MODULE_SIGNATURE_16  "1"
#else
#define NGX_MODULE_SIGNATURE_16  "0"
#endif

#define NGX_MODULE_SIGNATURE_17  "0"
#define NGX_MODULE_SIGNATURE_18  "0"

#if (NGX_HAVE_OPENAT)
#define NGX_MODULE_SIGNATURE_19  "1"
#else
#define NGX_MODULE_SIGNATURE_19  "0"
#endif

#if (NGX_HAVE_ATOMIC_OPS)
#define NGX_MODULE_SIGNATURE_20  "1"
#else
#define NGX_MODULE_SIGNATURE_20  "0"
#endif

#if (NGX_HAVE_POSIX_SEM)
#define NGX_MODULE_SIGNATURE_21  "1"
#else
#define NGX_MODULE_SIGNATURE_21  "0"
#endif

#if (NGX_THREADS || NGX_COMPAT)
#define NGX_MODULE_SIGNATURE_22  "1"
#else
#define NGX_MODULE_SIGNATURE_22  "0"
#endif

#if (NGX_PCRE)
#define NGX_MODULE_SIGNATURE_23  "1"
#else
#define NGX_MODULE_SIGNATURE_23  "0"
#endif

#if (NGX_HTTP_SSL || NGX_COMPAT)
#define NGX_MODULE_SIGNATURE_24  "1"
#else
#define NGX_MODULE_SIGNATURE_24  "0"
#endif

#define NGX_MODULE_SIGNATURE_25  "1"

#if (NGX_HTTP_GZIP)
#define NGX_MODULE_SIGNATURE_26  "1"
#else
#define NGX_MODULE_SIGNATURE_26  "0"
#endif

#define NGX_MODULE_SIGNATURE_27  "1"

#if (NGX_HTTP_X_FORWARDED_FOR)
#define NGX_MODULE_SIGNATURE_28  "1"
#else
#define NGX_MODULE_SIGNATURE_28  "0"
#endif

#if (NGX_HTTP_REALIP)
#define NGX_MODULE_SIGNATURE_29  "1"
#else
#define NGX_MODULE_SIGNATURE_29  "0"
#endif

#if (NGX_HTTP_HEADERS)
#define NGX_MODULE_SIGNATURE_30  "1"
#else
#define NGX_MODULE_SIGNATURE_30  "0"
#endif

#if (NGX_HTTP_DAV)
#define NGX_MODULE_SIGNATURE_31  "1"
#else
#define NGX_MODULE_SIGNATURE_31  "0"
#endif

#if (NGX_HTTP_CACHE)
#define NGX_MODULE_SIGNATURE_32  "1"
#else
#define NGX_MODULE_SIGNATURE_32  "0"
#endif

#if (NGX_HTTP_UPSTREAM_ZONE)
#define NGX_MODULE_SIGNATURE_33  "1"
#else
#define NGX_MODULE_SIGNATURE_33  "0"
#endif

#if (NGX_COMPAT)
#define NGX_MODULE_SIGNATURE_34  "1"
#else
#define NGX_MODULE_SIGNATURE_34  "0"
#endif

/* the complete string: fragment 0 followed by fragments 1..34, in order */
#define NGX_MODULE_SIGNATURE                                                  \
    NGX_MODULE_SIGNATURE_0 NGX_MODULE_SIGNATURE_1 NGX_MODULE_SIGNATURE_2      \
    NGX_MODULE_SIGNATURE_3 NGX_MODULE_SIGNATURE_4 NGX_MODULE_SIGNATURE_5      \
    NGX_MODULE_SIGNATURE_6 NGX_MODULE_SIGNATURE_7 NGX_MODULE_SIGNATURE_8      \
    NGX_MODULE_SIGNATURE_9 NGX_MODULE_SIGNATURE_10 NGX_MODULE_SIGNATURE_11    \
    NGX_MODULE_SIGNATURE_12 NGX_MODULE_SIGNATURE_13 NGX_MODULE_SIGNATURE_14   \
    NGX_MODULE_SIGNATURE_15 NGX_MODULE_SIGNATURE_16 NGX_MODULE_SIGNATURE_17   \
    NGX_MODULE_SIGNATURE_18 NGX_MODULE_SIGNATURE_19 NGX_MODULE_SIGNATURE_20   \
    NGX_MODULE_SIGNATURE_21 NGX_MODULE_SIGNATURE_22 NGX_MODULE_SIGNATURE_23   \
    NGX_MODULE_SIGNATURE_24 NGX_MODULE_SIGNATURE_25 NGX_MODULE_SIGNATURE_26   \
    NGX_MODULE_SIGNATURE_27 NGX_MODULE_SIGNATURE_28 NGX_MODULE_SIGNATURE_29   \
    NGX_MODULE_SIGNATURE_30 NGX_MODULE_SIGNATURE_31 NGX_MODULE_SIGNATURE_32   \
    NGX_MODULE_SIGNATURE_33 NGX_MODULE_SIGNATURE_34


/*
 * Seven values that line up, in order, with the first seven fields of
 * struct ngx_module_s: ctx_index, index, name, spare0, spare1, version
 * (nginx_version) and signature (NGX_MODULE_SIGNATURE).
 */
#define NGX_MODULE_V1                                                         \
    NGX_MODULE_UNSET_INDEX, NGX_MODULE_UNSET_INDEX,                           \
    NULL, 0, 0, nginx_version, NGX_MODULE_SIGNATURE

/* eight zeros, one for each spare_hook0..spare_hook7 field */
#define NGX_MODULE_V1_PADDING  0, 0, 0, 0, 0, 0, 0, 0


/*
 * Module descriptor.  Field order matters: NGX_MODULE_V1 and
 * NGX_MODULE_V1_PADDING are positional lists, so inserting or reordering
 * fields silently shifts what those macros initialize.
 */
struct ngx_module_s {
    /* header, see NGX_MODULE_V1 for the values supplied in this order */
    ngx_uint_t            ctx_index;
    ngx_uint_t            index;

    char                 *name;

    ngx_uint_t            spare0;
    ngx_uint_t            spare1;

    ngx_uint_t            version;      /* nginx_version in NGX_MODULE_V1 */
    const char           *signature;    /* NGX_MODULE_SIGNATURE of the build */

    /* module-specific part; how ctx is interpreted is not visible here */
    void                 *ctx;
    ngx_command_t        *commands;
    ngx_uint_t            type;

    /*
     * Code pointers supplied by the module.  NOTE(review): the names suggest
     * master/module/process/thread start and stop points, but when (and
     * whether) each one is called is decided outside this header - confirm
     * against the callers.
     */
    ngx_int_t           (*init_master)(ngx_log_t *log);

    ngx_int_t           (*init_module)(ngx_cycle_t *cycle);

    ngx_int_t           (*init_process)(ngx_cycle_t *cycle);
    ngx_int_t           (*init_thread)(ngx_cycle_t *cycle);
    void                (*exit_thread)(ngx_cycle_t *cycle);
    void                (*exit_process)(ngx_cycle_t *cycle);

    void                (*exit_master)(ngx_cycle_t *cycle);

    /* unused slots, zeroed by NGX_MODULE_V1_PADDING */
    uintptr_t             spare_hook0;
    uintptr_t             spare_hook1;
    uintptr_t             spare_hook2;
    uintptr_t             spare_hook3;
    uintptr_t             spare_hook4;
    uintptr_t             spare_hook5;
    uintptr_t             spare_hook6;
    uintptr_t             spare_hook7;
};


/*
 * Shape of a core module's context: a name and two configuration
 * callbacks, one returning a new configuration object and one receiving it.
 * NOTE(review): presumably what "ctx" points to for core modules - confirm.
 */
typedef struct {
    ngx_str_t             name;
    void               *(*create_conf)(ngx_cycle_t *cycle);
    char               *(*init_conf)(ngx_cycle_t *cycle, void *conf);
} ngx_core_module_t;


/*
 * Module registry functions, defined elsewhere.  Each returns ngx_int_t;
 * the meaning of the return values is not visible in this header.
 */
ngx_int_t ngx_preinit_modules(void);
ngx_int_t ngx_cycle_modules(ngx_cycle_t *cycle);
ngx_int_t ngx_init_modules(ngx_cycle_t *cycle);
ngx_int_t ngx_count_modules(ngx_cycle_t *cycle, ngx_uint_t type);


/*
 * Takes the configuration context, a file name, a module descriptor and an
 * "order" list.  NOTE(review): the descriptor comes from whatever "file"
 * names, so its fields (including the hook pointers) are only as
 * trustworthy as that file - confirm what the caller checks first.
 */
ngx_int_t ngx_add_module(ngx_conf_t *cf, ngx_str_t *file,
    ngx_module_t *module, char **order);


/* registry storage, defined elsewhere */
extern ngx_module_t  *ngx_modules[];
extern ngx_uint_t     ngx_max_module;

extern char          *ngx_module_names[];


#endif /* _NGX_MODULE_H_INCLUDED_ */