Build error --with-debug; ECDHE key exchange TLS problem. [nginx 0.7.62]

Maxim Dounin mdounin at mdounin.ru
Wed Oct 7 14:27:16 MSD 2009


Hello!

On Wed, Oct 07, 2009 at 01:25:55AM -0400, kyleb wrote:

> nginx version: 0.7.62
> OpenSSL version: 1.0.0-beta3
> Platform: Linux 2.6.18 x64
> 
> * Short description of problem: *
> 
> (a) nginx seems not to handle ephemeral DH key exchanges with EC.  (kx=ECDHE, auth=ECDSA)  Connection dies on handshake.  (b) A build error in 0.7.62 seems to indicate that the problem is in nginx, and not an openssl misconfiguration on my part. =)

Yes, nginx does not support ECDHE.  As far as I see, this requires 
an elliptic curve to be specified to use for ephemeral ECDH keys, 
which isn't done by nginx now.

No, the build error with debug is unrelated.  It's caused by 
openssl's prototype change for SSL_get_current_cipher() which now 
returns (const SSL_CIPHER *) instead of (SSL_CIPHER *) as in 
previous versions.

[...]

> Note:  nginx's error log reports *nothing* on the above s_client connection; so I tried to make a debug build...

There should be a "[info] ... SSL_do_handshake() failed" message.  
Note that it's at info level, you probably have to tune your 
error_log level to see it.

Maxim Dounin
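The handshake failures Maxim refers to are only written at info level, so a practitioner checking for them needs both the error_log directive set to info and a way to pick those lines out of the log. The script below is an added example, not part of the original thread or of nginx; it assumes the standard nginx error_log line format, and the log lines it works on are constructed samples, including the OpenSSL reason text.

```sh
#!/bin/sh
# Added example (not from the mailing-list post): pull the info-level
# "SSL_do_handshake() failed" lines out of an nginx error_log and summarise
# which clients hit them. Seeing these requires the level to be lowered, e.g.
#   error_log /var/log/nginx/error.log info;
# Sample log lines below are constructed; the "(SSL: ...)" detail is a placeholder.

SAMPLE_LOG=$(cat <<'EOF'
2009/10/07 14:20:01 [notice] 4242#0: using the "epoll" event method
2009/10/07 14:21:13 [info] 4242#0: *3 SSL_do_handshake() failed (SSL: error:constructed-sample:no shared cipher) while SSL handshaking, client: 192.0.2.10, server: 0.0.0.0:443
2009/10/07 14:21:14 [info] 4242#0: *4 client closed connection while waiting for request, client: 192.0.2.11, server: 0.0.0.0:80
2009/10/07 14:22:45 [info] 4242#0: *7 SSL_do_handshake() failed (SSL: error:constructed-sample:no shared cipher) while SSL handshaking, client: 192.0.2.12, server: 0.0.0.0:443
2009/10/07 14:23:00 [error] 4242#0: *9 open() "/var/www/missing" failed (2: No such file or directory), client: 192.0.2.13, server: example.test
EOF
)

# Filter: keep only handshake failures from the log supplied on stdin.
# Matching on both the level tag and the message keeps unrelated [info]
# chatter (e.g. "client closed connection") out of the result.
ssl_handshake_failures() {
    grep -F '[info]' | grep -F 'SSL_do_handshake() failed'
}

# Number of failed handshakes in the sample log.
count_ssl_handshake_failures() {
    printf '%s\n' "$SAMPLE_LOG" | ssl_handshake_failures | wc -l | tr -d ' '
}

# Distinct client addresses that failed the handshake. One address failing
# repeatedly points at a client-side problem; many different addresses point
# at a server-side cipher or key-exchange configuration issue, as in the thread.
failing_clients() {
    printf '%s\n' "$SAMPLE_LOG" | ssl_handshake_failures \
        | sed -n 's/.*client: \([^,]*\),.*/\1/p' | sort -u
}

# Stand-alone run: print the count and the offending clients.
echo "failed handshakes: $(count_ssl_handshake_failures)"
failing_clients
```

To run this against a real log instead of the embedded sample, replace the `printf` of `$SAMPLE_LOG` with `cat /path/to/error.log`; the two filter functions are unchanged.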
