[Pkg-nginx-maintainers] Bug#846085: nginx-light: "ssl_ecdh_curve X25519" doesn't work

Piotr Engelking inkerman42 at gmail.com
Mon Nov 28 11:38:37 UTC 2016


Package: nginx-light
Version: 1.10.2-2
Severity: normal
Tags: security

Using:

  ssl_ecdh_curve X25519;

in /etc/nginx/sites-available/<host> results in nginx refusing to start with
the following error:

  Unable to create curve "X25519" (SSL: error:100AE081:elliptic curve
  routines:EC_GROUP_new_by_curve_name:unknown group)

Using:

  ssl_ecdh_curve x25519;

results in nginx refusing to start with the following error:

  Unknown curve name "x25519" (SSL:)

The bug is probably caused by nginx not accounting for OpenSSL using a
different API for x25519 and for other elliptic curves.

In the absence of a specific choice, nginx uses the default OpenSSL elliptic curve
list, which as of OpenSSL 1.1.0c includes the secp256r1, secp384r1, and
secp521r1 curves, known to be possibly backdoored.
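The diagnosis above can be checked from a shell without touching nginx. The script below is an added example, not part of the bug report or of nginx; it assumes only that the `openssl` command-line tool is on PATH. `openssl ecparam` resolves a curve name through the same EC_GROUP namespace that the "Unable to create curve" error names, so a value that `ecparam` rejects is a value this nginx version cannot use in `ssl_ecdh_curve`, while the `-list_curves` output shows which names that namespace actually contains:

```shell
#!/bin/sh
# Added example (not from the bug report or nginx): check whether a curve
# name lives in OpenSSL's EC_GROUP namespace, which is the lookup the
# "Unable to create curve" error in Bug#846085 comes from.
# Assumes the `openssl` CLI is installed and on PATH.

# Returns 0 if NAME is a curve the EC_GROUP API can construct, 1 otherwise.
# X25519 is served by a different OpenSSL API, so it fails here even though
# the name itself is known to the library.
ec_group_known() {
    openssl ecparam -name "$1" -noout >/dev/null 2>&1
}

# Returns 0 if NAME appears in the built-in EC curve list, 1 otherwise.
# The list format is "  <name>: <description>", hence the anchored pattern.
listed_as_ec_curve() {
    openssl ecparam -list_curves 2>/dev/null | grep -q "^ *$1 *:"
}

# Prints "ok" for a name the EC_GROUP API accepts (usable in ssl_ecdh_curve
# on this nginx version) and "not-an-ec-group" for one it rejects.
classify_curve() {
    if ec_group_known "$1"; then
        echo ok
    else
        echo not-an-ec-group
    fi
}

# Constructed sample: two NIST curves from the default list and X25519.
for c in prime256v1 secp384r1 X25519; do
    printf '%-12s %s\n' "$c" "$(classify_curve "$c")"
done
```

On a system with OpenSSL 1.1.0 the NIST names print `ok` and `X25519` prints `not-an-ec-group`, matching the report: the name resolves, but no EC group can be built from it, so an nginx that only knows the EC_GROUP path cannot honour the directive.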


-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (800, 'testing'), (700, 'unstable'), (600, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages nginx-light depends on:
ii  libc6                   2.24-5
ii  libnginx-mod-http-echo  1.10.2-2
ii  libpcre3                2:8.39-2
ii  libssl1.1               1.1.0c-2
ii  nginx-common            1.10.2-2
ii  zlib1g                  1:1.2.8.dfsg-2+b3

nginx-light recommends no packages.

Versions of packages nginx-light suggests:
ii  nginx-doc  1.10.2-2

-- no debconf information


