Hello!

On Thu, Apr 10, 2025 at 08:09:53AM +0300, Maxim Dounin wrote:

> On Wed, Apr 09, 2025 at 09:56:17PM +0200, A. Schulze via nginx wrote:
>
> > On 08.04.25 at 17:50, Maxim Dounin wrote:
> > > Changes with freenginx 1.27.5                                   08 Apr 2025
> > > ...
> >
> > Hello,
> >
> > I've built freenginx with the just released openssl-3.5.0.
> > The new PQ key exchange is enabled in openssl-3.5 and freenginx uses it
> > without special configuration.
> > (the defaults for ssl_ecdh_curve are fine)
> >
> > But in the log, the variable 'ssl_curve' [1] still says only the numeric
> > number 0x11ec
> > Firefox could name that key-exchange as "mlkem768x25519"
>
> The $ssl_curve variable uses SSL_get_negotiated_group() and then
> uses OBJ_nid2sn() as long as the group is known to OpenSSL.
>
> It looks like OpenSSL for some reason decided not to add NIDs for
> these groups - not sure why.  Either it is just an omission which
> is going to be fixed, or the intention is to force users to move
> away from using NIDs to newer interfaces, such as
> SSL_get0_group_name() and SSL_group_to_name().
>
> I suspect this is just an omission and it will be eventually fixed
> in OpenSSL.  (Just for the record, with BoringSSL the code just
> works and provides correct $ssl_curves name for X25519MLKEM768.)

For the record, here is the relevant OpenSSL issue:

https://github.com/openssl/openssl/issues/27137

It appears that the omission was indeed unintentional, but the
suggested solution is to switch to new interfaces.

[...]

--
Maxim Dounin
http://mdounin.ru/
> On Wed, Apr 09, 2025 at 09:56:17PM +0200, A. Schulze via nginx wrote: > > > Am 08.04.25 um 17:50 schrieb Maxim Dounin: > > > Changes with freenginx 1.27.5 08 Apr > > > 2025 > > > ... > > > > Hello, > > > > I've build freenginx with the just releases openssl-3.5.0. > > The new PQ key exchange is enabled in openssl-3.5 and freenginx use it > > without special configuration. > > (the defaults for ssl_ecdh_curve are fine) > > > > But in the log, the variable 'ssl_curve' [1] still say only the numeric > > number 0x11ec > > Firefox could name that key-exchange as "mlkem768x25519" > > The $ssl_curve variable uses SSL_get_negotiated_group() and then > uses OBJ_nid2sn() as long as the group is known to OpenSSL. > > It looks like OpenSSL for some reason decided not to add NIDs for > these groups - not sure why. Either it is just an omission which > is going to be fixed, or the intention is to force users to move > away from using NIDs to newer interfaces, such as > SSL_get0_group_name() and SSL_group_to_name(). > > I suspect this is just an omission and it will be eventually fixed > in OpenSSL. (Just for the record, with BoringSSL the code just > works and provides correct $ssl_curves name for X25519MLKEM768.) For the record, here is the relevant OpenSSL issue: https://github.com/openssl/openssl/issues/27137 It appears that the omission was indeed unintentional, but the suggested solution is to switch to new interfaces. [...] -- Maxim Dounin http://mdounin.ru/