Build error --with-debug; ECDHE key exchange TLS problem. [nginx 0.7.62]
mdounin at mdounin.ru
Wed Oct 7 14:27:16 MSD 2009
On Wed, Oct 07, 2009 at 01:25:55AM -0400, kyleb wrote:
> nginx version: 0.7.62
> OpenSSL version: 1.0.0-beta3
> Platform: Linux 2.6.18 x64
> * Short description of problem: *
> (a) nginx seems not to handle ephemeral DH key exchanges with EC. (kx=ECDHE, auth=ECDSA) Connection dies on handshake. (b) A build error in 0.7.62 seems to indicate that the problem is in nginx, and not an openssl misconfiguration on my part. =)
Yes, nginx does not support ECDHE. As far as I see, this requires
an elliptic curve to be specified for use with ephemeral ECDH keys,
which isn't done by nginx now.
No, the build error with debug is unrelated. It's caused by
openssl's prototype change for SSL_get_current_cipher() which now
returns (const SSL_CIPHER *) instead of (SSL_CIPHER *) as in
> Note: nginx's error log reports *nothing* on the above s_client connection; so I tried to make a debug build...
There should be "[info] ... SSL_do_handshake() failed" message.
Note that it's at info level, you probably have to tune your
error_log level to see it.
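Two checks a practitioner would want after reading this reply, written as an added example rather than anything from the thread or from nginx itself: classifying the key exchange a server actually negotiated from the text `openssl s_client` prints (so an ECDHE failure is distinguishable from a server that simply picked an RSA suite), and counting the info-level `SSL_do_handshake() failed` lines in an nginx error log once `error_log ... info;` is in effect. The `s_client` transcripts and the log line below are constructed samples, not captured output.

```shell
#!/bin/sh
# Added example, not code from the nginx thread. Classifies the negotiated
# key exchange from `openssl s_client` output and counts handshake failures
# in an nginx error log. All sample data below is constructed.

# Constructed s_client output for a successful ECDHE-ECDSA handshake.
SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-ECDSA-AES256-SHA
'

# Constructed s_client output for a handshake that died (no cipher agreed).
SAMPLE_FAIL='CONNECTED(00000003)
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
'

# Constructed nginx error log excerpt with error_log at info level.
SAMPLE_LOG='2009/10/07 14:27:16 [info] 1234#0: *1 SSL_do_handshake() failed (SSL: error:<constructed>) while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:443
2009/10/07 14:27:17 [info] 1234#0: *2 client closed connection while waiting for request, client: 127.0.0.1, server: 0.0.0.0:443
'

# Print the cipher suite s_client reports on its "Cipher    : ..." line,
# or NONE when the handshake produced no suite (s_client shows 0000/(NONE)).
negotiated_cipher() {
    cipher=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*//p' \
        | head -n 1)
    case "$cipher" in
        ""|0000|"(NONE)") echo NONE ;;
        *) echo "$cipher" ;;
    esac
}

# Map the OpenSSL suite name to its key-exchange family.
# TLS 1.3 suite names (TLS_*) carry no kx prefix; 1.3 always uses ephemeral keys.
key_exchange() {
    case "$(negotiated_cipher "$1")" in
        NONE)       echo none ;;
        ECDHE-*)    echo ECDHE ;;
        DHE-*|EDH-*) echo DHE ;;
        TLS_*)      echo "ephemeral (TLS 1.3)" ;;
        *)          echo RSA ;;
    esac
}

# Count info-level handshake failures in an nginx error log excerpt.
# These lines only appear when error_log is set to info (or debug).
handshake_failures() {
    printf '%s\n' "$1" \
        | grep -c '\[info\] .*SSL_do_handshake() failed' || true
}

# Stand-alone demo
printf 'OK sample key exchange:     %s\n' "$(key_exchange "$SAMPLE_OK")"
printf 'Failed sample key exchange: %s\n' "$(key_exchange "$SAMPLE_FAIL")"
printf 'Handshake failures logged:  %s\n' "$(handshake_failures "$SAMPLE_LOG")"
```

On a live server, pipe `openssl s_client -connect host:443 -cipher ECDHE-ECDSA-AES256-SHA < /dev/null 2>/dev/null` into `negotiated_cipher`; a result of `none` together with a non-zero `handshake_failures` count on the server side is the signature of the unsupported key exchange the reply describes.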