#993 closed defect (wontfix)
support for X25519 in ssl_ecdh_curve
Reported by: | Owned by: | ||
---|---|---|---|
Priority: | major | Milestone: | |
Component: | nginx-core | Version: | 1.11.x |
Keywords: | Cc: | ||
uname -a: | Linux cat 4.6.1 #1 SMP Thu Jun 2 13:07:39 CEST 2016 x86_64 GNU/Linux | ||
nginx -V: |
nginx version: nginx/1.11.1
built by gcc 5.3.0 (Alpine 5.3.0) built with OpenSSL 1.0.2 (compatible; BoringSSL) (running with BoringSSL) TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/sbin/nginx --with-cc-opt='-g -O3 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -I ../boringssl/.openssl/include/' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -L ../boringssl/.openssl/lib' --with-http_ssl_module --with-http_v2_module --with-http_gzip_static_module --with-http_stub_status_module --with-file-aio --with-threads --with-pcre-jit --without-http_ssi_module --without-http_scgi_module --without-http_uwsgi_module --without-http_geo_module --without-http_autoindex_module --without-http_map_module --without-http_split_clients_module --without-http_memcached_module --without-http_empty_gif_module --without-http_browser_module --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --add-module=/tmp/ngx_brotli |
Description
I use nginx statically linked against BoringSSL, which supports X25519. But here is what I get when I set ssl_ecdh_curve to X25519 :
nginx: [emerg] EC_KEY_new_by_curve_name("X25519") failed (SSL: error:0f00007b:elliptic curve routines:OPENSSL_internal:UNKNOWN_GROUP)
nginx: configuration file /etc/nginx/conf/nginx.conf test failed
(It doesn't seem EC_KEY is used for X25519 in BoringSSL.)
Change History (2)
comment:1 by , 8 years ago
Resolution: | → wontfix |
---|---|
Status: | new → closed |
comment:2 by , 8 years ago
I already asked them, they replied that they removed it as they don't need it.
So now I clearly the understand the meaning of the project.
Version 0, edited 8 years ago by (next)
Note:
See TracTickets
for help on using tickets.
It looks like BoringSSL people took their own way of supporting elliptic curves. Good luck to them, but we have no plans to support BoringSSL-specific API changes. Attempts to do this in the past proved that this clause from BoringSSL's README is indeed true:
If you want to improve things, consider asking BoringSSL to implement SSL_CTX_set1_curves_list() interface instead.