freenginx-1.27.5
Maxim Dounin
mdounin at mdounin.ru
Thu Apr 10 13:34:25 UTC 2025
Hello!
On Thu, Apr 10, 2025 at 08:09:53AM +0300, Maxim Dounin wrote:
> On Wed, Apr 09, 2025 at 09:56:17PM +0200, A. Schulze via nginx wrote:
>
> > On 08.04.25 at 17:50, Maxim Dounin wrote:
> > > Changes with freenginx 1.27.5 08 Apr 2025
> > > ...
> >
> > Hello,
> >
> > I've built freenginx with the just-released openssl-3.5.0.
> > The new PQ key exchange is enabled in openssl-3.5 and freenginx uses it without special configuration.
> > (the defaults for ssl_ecdh_curve are fine)
> >
> > But in the log, the variable 'ssl_curve' [1] still says only the numeric value 0x11ec
> > Firefox could name that key-exchange as "mlkem768x25519"
>
> The $ssl_curve variable uses SSL_get_negotiated_group() and then
> uses OBJ_nid2sn() as long as the group is known to OpenSSL.
>
> It looks like OpenSSL for some reason decided not to add NIDs for
> these groups - not sure why. Either it is just an omission which
> is going to be fixed, or the intention is to force users to move
> away from using NIDs to newer interfaces, such as
> SSL_get0_group_name() and SSL_group_to_name().
>
> I suspect this is just an omission and it will be eventually fixed
> in OpenSSL. (Just for the record, with BoringSSL the code just
> works and provides correct $ssl_curves name for X25519MLKEM768.)
For the record, here is the relevant OpenSSL issue:
https://github.com/openssl/openssl/issues/27137
It appears that the omission was indeed unintentional, but the
suggested solution is to switch to new interfaces.
[...]
--
Maxim Dounin
http://mdounin.ru/
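Until OpenSSL grows names for these groups, an operator who wants to measure PQ key-exchange adoption from nginx logs has to resolve the raw code point themselves. The following is an added example (not from the thread, nginx or OpenSSL): it parses access-log lines written with an assumed `log_format` that appends `$ssl_protocol $ssl_curve`, maps hex values such as `0x11ec` to their IANA registry names (the registry table and the Firefox alias are assumptions beyond the `0x11ec` shown above), and tallies hybrid versus classical groups.

```python
import re
from collections import Counter
# Assumed (constructed) nginx log_format for this example:
#   log_format pq '$remote_addr "$request" $status $ssl_protocol $ssl_curve';
LOG_RE = re.compile(
    r'^(?P<addr>\S+) "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'(?P<proto>\S+) (?P<curve>\S+)$'
)

# Hybrid ML-KEM groups: OpenSSL 3.5 has no NIDs for these, so $ssl_curve logs
# raw hex. Names per the IANA TLS Supported Groups registry (assumption: the
# thread itself only shows 0x11ec); BoringSSL already logs the names.
GROUP_NAMES = {
    0x11eb: "SecP256r1MLKEM768",
    0x11ec: "X25519MLKEM768",
    0x11ed: "SecP384r1MLKEM1024",
}
PQ_HYBRID = set(GROUP_NAMES.values())
# Browser-side spelling of the same hybrid (Firefox calls 0x11ec "mlkem768x25519").
ALIASES = {"mlkem768x25519": "X25519MLKEM768"}

def resolve_group(value):
    """Map a $ssl_curve value to a canonical group name (None if no key share)."""
    if not value or value == "-":
        return None
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", value):  # raw code point from OpenSSL
        return GROUP_NAMES.get(int(value, 16), value)  # unknown hex stays as-is
    return ALIASES.get(value.lower(), value)

def summarise(lines):
    """Count negotiated groups and classify each as pq-hybrid/classical/none."""
    groups, classes = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed format
        name = resolve_group(m.group("curve"))
        if name is None:
            classes["none"] += 1
        else:
            groups[name] += 1
            classes["pq-hybrid" if name in PQ_HYBRID else "classical"] += 1
    return groups, classes

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '203.0.113.10 "GET / HTTP/2.0" 200 TLSv1.3 0x11ec',
    '203.0.113.11 "GET /a HTTP/1.1" 200 TLSv1.3 X25519',
    '198.51.100.5 "GET /c HTTP/1.1" 200 TLSv1.3 X25519MLKEM768',
    '198.51.100.6 "GET /d HTTP/1.1" 301 - -',
]
```

Running `summarise(SAMPLE_LOG)` on the constructed lines reports two pq-hybrid, one classical and one plaintext connection, with both the OpenSSL hex form and the BoringSSL name form of X25519MLKEM768 counted together.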