Re: RFC: PolarSSL support.

February 17, 2013 08:22AM
Hello,

The diff containing my first pass implementation is available at:
http://www.schwanenlied.me/yawning/nginx/nginx-1.3.12-polarssl-20130217.diff.gz

Behavioral differences:
* ssl_ciphers_list format is different, though it will accept the
default cipher list setting ("HIGH:!aNULL:!MD5").
For testing purposes I used:
"TLS-RSA-WITH-RC4-128-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256:TLS-RSA-WITH-AES-256-CBC-SHA256:TLS-RSA-WITH-AES-256-GCM-SHA384:TLS-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA".
* ssl_prefer_server_ciphers does not do anything.
* I intentionally did not implement support for PolarSSL's built-in
session cache because it's not very good (it's a linked list).
"shared" and "none" should work.
* SSLv2 is not supported by PolarSSL and will never be.
* ECDH is not supported by PolarSSL yet but it is on their roadmap.
* Stapling is not supported by PolarSSL. Not sure if it will be.

Known issues:
* When building with the PolarSSL source directory specified via
--with-polarssl=[path], the make used needs to be GNU make, since
PolarSSL ships with GNU makefiles.
* ngx_http_upstream_roundrobin will not do SSL session reuse, since I
intended for the patch to be minimally intrusive. It's possible to
re-add this functionality, with changes to the module.
* My auto integration does not have support for building on non-U*ix
systems, because I do not have a Windows development environment
set up (PolarSSL supports the platform however).
* SNI does not work because I haven't gone and written it yet.
* Clients that send an SSLv2 Client Hello will fail to handshake
(PolarSSL issue. They used to support this backward compatibility
option, but support for it was pulled in v1.2.0; I posted on their
support forums asking about this).
* ngx_md5 and ngx_sha1 integration is still not done, so on some
systems[0] this may try to link against OpenSSL and have the compile
or link fail. This is a build system issue and not a code issue.

I haven't tested the client functionality (proxy modules) or mail, but I
have no reason to expect that it shouldn't just work.

Most of the code is shamelessly cribbed from ngx_event_openssl.[h,c], so
I feel good about most of the code. The auto stuff wasn't all that
documented so I'm not sure if I did it right (and it still needs work).

Thoughts, comments, feedback appreciated.

Regards,

--
Yawning Angel

[0]: I did the development on FreeBSD which has system MD5 and SHA1.

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel