Re: Add support for PSK cipher suites patch

January 26, 2018 03:56AM
Nate,

In the meanwhile I followed the thread and actually found your revised
patches. I was able to apply them successfully.

I realised I didn't run configure with the --with-http-ssl flag (since I
don't use http) when building nginx. This explains why the ssl_psk_file was
not recognized. After building the http module, the parameter was recognized
properly.

However, since I use stream and not http, I'll not be able to test this
patch since it only works for the ssl http module.

Regarding the PSK, in a DTLS use case I prefer loading the PSK file on
startup into an in-memory store, for example. Then, if some keys are to be
changed while the server is running, the in-memory store is refreshed
without stopping the server (think SIGHUP or reload). This avoids all
clients being disconnected when the server is restarted to reload the PSK
file.

Should any progress be made on this for the stream module, I'll be able to
give it a try.

Thank you !


2018-01-26 5:14 GMT+01:00 Karstens, Nate <Nate.Karstens@garmin.com>:

> Sékine,
>
> The link you sent is old, the latest set of patches is here:
>
> http://mailman.nginx.org/pipermail/nginx-devel/2017-September/010460.html
>
> Does that improve things?
>
> These were developed using TLS, not DTLS. I don't have any experience with
> DTLS, so that might be unrelated.
>
> One of the conversations we had earlier in the development process was
> choosing between two different approaches to managing the PSK file:
>
> 1. The PSK file may be updated as needed (so it must be readable by
> the worker threads). This is the approach used with the current patches.
> 2. The PSK file is read into memory once at startup by the master
> process. This allows the file permissions to be read only for root, but
> requires the config file to be refreshed if the PSK file is changed.
>
> Would you mind providing feedback on which approach works better for your
> environment, and why? Sending it to the mailing list is preferred, or you
> can just reply to this email.
>
> Thanks,
>
> Nate
>
> *From:* Sékine Coulibaly [mailto:scoulibaly@gmail.com]
> *Sent:* Thursday, January 25, 2018 10:23 AM
> *To:* Karstens, Nate <Nate.Karstens@garmin.com>; mdounin@mdounin.ru
> *Subject:* Fwd: Add support for PSK cipher suites patch
>
> ---------- Forwarded message ----------
> From: *Sékine Coulibaly* <scoulibaly@gmail.com>
> Date: 2018-01-25 17:07 GMT+01:00
> Subject: Add support for PSK cipher suites patch
> To: nginx@nginx.org
>
> Nate, Maxim,
>
> I found a patch here (http://mailman.nginx.org/pipermail/nginx-devel/2017-September/010449.html) regarding the PSK support in Nginx. I can not make the new parameter ssl_psk_file work.
>
> I applied it to release-1.13.5 successfully.
>
> I updated my nginx.conf to
>
> stream {
>     upstream dtls_udp_upstreams {
>         # hash on client address and port (the variable is $remote_port)
>         hash $remote_addr:$remote_port;
>         server preprod.mycorp.com:5685;
>     }
>
>     server {
>         listen 5684 udp ssl;
>         ssl_protocols DTLSv1.2;
>         ssl_ciphers PSK-AES128-CBC-SHA;
>         ssl_psk_file /tmp/cred.txt;
>         ssl_certificate /tmp/server.pem;
>         ssl_certificate_key /tmp/server.key;
>         proxy_pass dtls_udp_upstreams;
>     }
> }
>
> My issue is that although the /tmp/cred.txt file exists, Nginx returns:
>
> nginx: [emerg] unknown directive "ssl_psk_file" in /tmp/nginx.conf:26.
>
> I checked the source files; it looks like the patch has been correctly applied.
>
> Would you mind posting the complete/corrected patch I could apply and test?
>
> I'm using a DTLS client with a PSK load-balancer and I could experiment with the setup.
>
> My patch application looks like:
>
> git checkout release-1.13.5
> patch -p1 -i pskpatch.diff
>
> Thank you !
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
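The two designs Nate lists (a PSK file re-read by the workers, or a file read once by the master so it can stay root-only) and the reload-without-disconnect that Sékine asks for can be shown in a few dozen lines. The block below is an added example in C, not code from nginx or from the PSK patch under discussion. It assumes a file format the thread never shows (one "identity:hexkey" per line, '#' comments allowed), a 16-byte minimum key length as a local policy, a plain strcmp lookup, and constructed sample files; the SIGHUP handler only raises a flag that the main loop polls.

```c
/* Added example, not nginx's or the PSK patch's code: an in-memory PSK store
 * filled once from the ssl_psk_file contents and swapped atomically on reload,
 * so the file can stay root-only and a reload never drops a live handshake.
 * ASSUMED file format (not shown in the thread): "identity:hexkey" per line,
 * '#' comment lines and blank lines ignored. */
#include <ctype.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PSK_MAX_KEY 64   /* bytes */
#define PSK_MIN_KEY 16   /* assumption: refuse keys shorter than 128 bits */

typedef struct psk_entry {
    char             *identity;
    unsigned char     key[PSK_MAX_KEY];
    size_t            key_len;
    struct psk_entry *next;
} psk_entry;

typedef struct { psk_entry *head; size_t count; } psk_store;

static volatile sig_atomic_t reload_requested;
static void on_sighup(int sig) { (void)sig; reload_requested = 1; }

const psk_entry *psk_store_lookup(const psk_store *s, const char *identity) {
    for (const psk_entry *e = s->head; e; e = e->next)
        if (strcmp(e->identity, identity) == 0) return e;
    return NULL;
}

static void wipe(void *p, size_t n) {           /* volatile so zeroing is not elided */
    volatile unsigned char *v = p; while (n--) *v++ = 0;
}

void psk_store_free(psk_store *s) {
    if (!s) return;
    for (psk_entry *e = s->head, *n; e; e = n) {
        n = e->next; wipe(e->key, sizeof e->key); free(e->identity); free(e);
    }
    free(s);
}

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* One line -> one entry. 0 = added or skipped, -1 = malformed (rejects the file). */
static int psk_store_add(psk_store *s, const char *line, size_t len) {
    while (len && (line[len-1] == ' ' || line[len-1] == '\t' || line[len-1] == '\r')) len--;
    if (len == 0 || line[0] == '#') return 0;
    const char *colon = memchr(line, ':', len);
    if (!colon || colon == line) return -1;               /* empty identity */
    size_t idlen = (size_t)(colon - line), hexlen = len - idlen - 1;
    if (hexlen % 2 || hexlen / 2 < PSK_MIN_KEY || hexlen / 2 > PSK_MAX_KEY) return -1;
    psk_entry *e = calloc(1, sizeof *e);
    if (!e || !(e->identity = malloc(idlen + 1))) { free(e); return -1; }
    memcpy(e->identity, line, idlen); e->identity[idlen] = '\0';
    if (psk_store_lookup(s, e->identity)) { free(e->identity); free(e); return -1; } /* duplicate */
    for (size_t i = 0; i < hexlen; i += 2) {
        int hi = hexval((unsigned char)colon[1 + i]), lo = hexval((unsigned char)colon[2 + i]);
        if (hi < 0 || lo < 0) { free(e->identity); free(e); return -1; }   /* bad hex */
        e->key[i / 2] = (unsigned char)(hi << 4 | lo);
    }
    e->key_len = hexlen / 2;
    e->next = s->head; s->head = e; s->count++;
    return 0;
}

/* Whole file text -> new store, or NULL if any line is bad: a corrupt or
 * half-written file never replaces a good store. */
psk_store *psk_store_parse(const char *text) {
    psk_store *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    for (const char *p = text; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (psk_store_add(s, p, len) < 0) { psk_store_free(s); return NULL; }
        p += len + (nl ? 1 : 0);
    }
    return s;
}

/* Swap in a fresh store only when the new contents parse completely. */
int psk_store_reload(psk_store **live, const char *text) {
    psk_store *fresh = psk_store_parse(text);
    if (!fresh) return 0;
    psk_store *old = *live;
    *live = fresh;   /* a real server publishes the new pointer and retires the old
                        store only after handshakes still using it have finished */
    psk_store_free(old);
    return 1;
}

/* Constructed sample credential files, not real keys. */
static const char PSK_FILE_V1[] =
    "# identity:hexkey, constructed sample\n"
    "sensor-01:000102030405060708090a0b0c0d0e0f\n"
    "sensor-02:ffeeddccbbaa99887766554433221100\r\n";
static const char PSK_FILE_BAD[] = "sensor-01:0001\n";   /* 2-byte key: rejected */
static const char PSK_FILE_V2[]  = "sensor-03:0f0e0d0c0b0a09080706050403020100";

int main(void) {
    signal(SIGHUP, on_sighup);
    psk_store *live = psk_store_parse(PSK_FILE_V1);
    if (!live) return 1;
    printf("loaded %zu identities\n", live->count);
    reload_requested = 1;                    /* stand-in for a delivered SIGHUP */
    if (reload_requested) {
        reload_requested = 0;
        printf("bad file kept old store: %d\n", !psk_store_reload(&live, PSK_FILE_BAD));
        printf("good file swapped in:    %d\n", psk_store_reload(&live, PSK_FILE_V2));
    }
    printf("sensor-01 still known: %d\n", psk_store_lookup(live, "sensor-01") != NULL);
    psk_store_free(live);
    return 0;
}
```

The reload path is the security-relevant part: the new table is built in full before the live pointer moves, so a truncated or mis-edited file leaves the old keys in service instead of an empty store, and keys are wiped before the old table is freed. In nginx's process model the master re-reads its configuration on SIGHUP and forks new workers, so a table loaded by the master under option 2 reaches the new workers at fork time while the old workers drain their existing connections; the example keeps that shape in a single process.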
Thread index (subject / author / posted):

Add support for PSK cipher suites patch / scoulibaly / January 25, 2018 11:10AM
Re: Add support for PSK cipher suites patch / Maxim Dounin / January 25, 2018 11:28AM
Re: Add support for PSK cipher suites patch / scoulibaly / January 26, 2018 03:56AM


