[Pkg-nginx-maintainers] Bug#846085: Bug#846085: nginx-light: "ssl_ecdh_curve X25519" doesn't work

Christos Trochalakis ctrochalakis at debian.org
Tue Nov 29 10:56:39 UTC 2016


Hello Piotr,

I am not really familiar with EC, and before digging deeper I am CCing
Kurt, one of the OpenSSL maintainers, who can shed some light on the
issue.

On Mon, Nov 28, 2016 at 12:38:37PM +0100, Piotr Engelking wrote:
>Package: nginx-light
>Version: 1.10.2-2
>Severity: normal
>Tags: security
>
>Using:
>
>  ssl_ecdh_curve X25519;
>
>in /etc/nginx/sites-available/<host> results in nginx refusing to start with
>the following error:
>
>  Unable to create curve "X25519" (SSL: error:100AE081:elliptic curve
>  routines:EC_GROUP_new_by_curve_name:unknown group)
>
>Using:
>
>  ssl_ecdh_curve x25519;
>
>results in nginx refusing to start with the following error:
>
>  Unknown curve name "x25519" (SSL:)
>
>The bug is probably caused by nginx not accounting for OpenSSL using a
>different API for x25519 and for other elliptic curves.
>
>In absence of specific choice, nginx uses the default OpenSSL elliptic curve
>list, which as of OpenSSL 1.1.0c includes the secp256r1, secp384r1, and
>secp521r1 curves, known to be possibly backdoored.
>
>
>-- System Information:
>Debian Release: stretch/sid
>  APT prefers testing
>  APT policy: (800, 'testing'), (700, 'unstable'), (600, 'experimental')
>Architecture: amd64 (x86_64)
>Foreign Architectures: i386
>
>Kernel: Linux 4.8.0-1-amd64 (SMP w/4 CPU cores)
>Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
>Shell: /bin/sh linked to /bin/dash
>Init: systemd (via /run/systemd/system)
>
>Versions of packages nginx-light depends on:
>ii  libc6                   2.24-5
>ii  libnginx-mod-http-echo  1.10.2-2
>ii  libpcre3                2:8.39-2
>ii  libssl1.1               1.1.0c-2
>ii  nginx-common            1.10.2-2
>ii  zlib1g                  1:1.2.8.dfsg-2+b3
>
>nginx-light recommends no packages.
>
>Versions of packages nginx-light suggests:
>ii  nginx-doc  1.10.2-2
>
>-- no debconf information
>
>_______________________________________________
>Pkg-nginx-maintainers mailing list
>Pkg-nginx-maintainers at lists.alioth.debian.org
>https://lists.alioth.debian.org/mailman/listinfo/pkg-nginx-maintainers
