Welcome! Log In Create A New Profile

Re: [PATCH] SSL: added support for TLS Session Tickets (RFC5077).

Forum List Message List New Topic Print View

Maxim Dounin

September 30, 2013 10:28AM

Hello!

On Sat, Sep 28, 2013 at 02:55:36AM -0700, Piotr Sikora wrote:

> # HG changeset patch
> # User Piotr Sikora <piotr@cloudflare.com>
> # Date 1380361691 25200
> # Sat Sep 28 02:48:11 2013 -0700
> # Node ID 6d3710969a18e2d0d817e297c2e17f941a58cd40
> # Parent a720f0b0e08345ebb01353250f4031bb6e141385
> SSL: added support for TLS Session Tickets (RFC5077).

As previously noted, the patch description is wrong. It also
make sense to add some description of the directive added.

See below for some code comments.

[...]

> +#ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB
> +
> +typedef struct {
> + size_t name_len;
> + u_char name[16];
> +
> + u_char aes_key[16];
> + u_char hmac_key[16];
> +} ngx_ssl_session_ticket_key_t;
> +
> +
> +typedef struct {
> + ngx_ssl_session_ticket_key_t *default_key;
> + ngx_array_t keys;
> +} ngx_ssl_session_ticket_keys_t;
> +
> +#endif

This looks needlessly complicated, see below.

[...]

> @@ -153,6 +158,17 @@ static ngx_command_t ngx_http_ssl_comma
> 0,
> NULL },
>
> +#ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB
> +
> + { ngx_string("ssl_session_ticket_key"),
> + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE23,
> + ngx_http_ssl_session_ticket_key,
> + NGX_HTTP_SRV_CONF_OFFSET,
> + 0,
> + NULL },
> +
> +#endif
> +

This makes the directive unavailable without any meaningfull
diagnostics if nginx was build with old OpenSSL, which isn't very
user-friendly.

[...]

> @@ -769,6 +810,146 @@ invalid:
> return NGX_CONF_ERROR;
> }
>
> +#ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB

Style, there should be 2 blank lines before #ifdef.

[...]

> + if (value[1].len > 16) {
> + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
> + "\"ssl_session_ticket_key\" name \"%V\" too long, "
> + "it cannot exceed 16 characters", &value[1]);
> + return NGX_CONF_ERROR;
> + }
> +
> + if (cf->args->nelts == 4) {
> +
> + if (ngx_strcmp(value[3].data, "default")) {

Style: as ngx_strcmp() doesn't return a boolean value, I would
recommend using "!= 0" test instead.

But actually I doubt we at all need an explicit mark for default
key. Just using first one for encryption would probably be good
enough.

I also think it would be better to don't rely on an explicitly
written name, which will make automatic key rotation a pain - as
one will have to update both name in a configuration file and a
file with keys. E.g. Apache uses a binary file with 48 bytes of
random data, which is much easier to generate and rotate if
needed.

[...]

> + if (ngx_conf_full_name(cf->cycle, &value[2], 1) != NGX_OK) {
> + return NGX_CONF_ERROR;
> + }
> +
> + ngx_memzero(&file, sizeof(ngx_file_t));
> + file.name = value[2];
> + file.log = cf->log;
> +
> + file.fd = ngx_open_file(file.name.data, NGX_FILE_RDONLY, 0, 0);
> + if (file.fd == NGX_INVALID_FILE) {
> + ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno,
> + ngx_open_file_n " \"%V\" failed", &file.name);
> +
> + return NGX_CONF_ERROR;
> + }

Not sure if this code should be here. Other file operations are
handled in the ngx_event_openssl.c, and doing the same for session
tickets might be a good idea as well. Especially if you'll
consider adding relevant directives to the mail module.

--
Maxim Dounin
http://nginx.org/en/donation.html

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

Reply Quote

RSS

Subject	Author	Views	Posted
[PATCH] SSL: added support for TLS Session Tickets (RFC5077).	Piotr Sikora	1350	September 28, 2013 05:56AM
Re: [PATCH] SSL: added support for TLS Session Tickets (RFC5077).	Maxim Dounin	440	September 28, 2013 07:10AM
Re: [PATCH] SSL: added support for TLS Session Tickets (RFC5077).	Piotr Sikora	604	September 28, 2013 12:56PM
Re: [PATCH] SSL: added support for TLS Session Tickets (RFC5077).	Maxim Dounin	408	September 30, 2013 10:28AM
Re: [PATCH] SSL: added support for TLS Session Tickets (RFC5077).	Piotr Sikora	419	October 02, 2013 04:48AM
Re: [PATCH] SSL: added support for TLS Session Tickets (RFC5077).	kyprizel	402	October 02, 2013 11:20AM
Re: [PATCH] SSL: added support for TLS Session Tickets (RFC5077).	Maxim Dounin	424	October 03, 2013 11:18AM
Re: [PATCH] SSL: added support for TLS Session Tickets (RFC5077).	Piotr Sikora	587	October 10, 2013 07:24PM
Re: [PATCH] SSL: added support for TLS Session Tickets (RFC5077).	Piotr Sikora	408	October 10, 2013 07:34PM
Re: [PATCH] SSL: added support for TLS Session Tickets (RFC5077).	Maxim Dounin	459	October 11, 2013 10:28AM
Re: [PATCH] SSL: added support for TLS Session Tickets (RFC5077).	Piotr Sikora	384	October 11, 2013 07:24PM
Re: [PATCH] SSL: added support for TLS Session Tickets (RFC5077).	Maxim Dounin	519	October 14, 2013 09:32AM
Re: [PATCH] SSL: added support for TLS Session Tickets (RFC5077).	kyprizel	412	December 23, 2013 10:56AM
Re: [PATCH] SSL: added support for TLS Session Tickets (RFC5077).	Maxim Dounin	402	December 23, 2013 12:16PM
Re: [PATCH] SSL: added support for TLS Session Tickets (RFC5077).	kyprizel	347	December 23, 2013 03:06PM
Re: [PATCH] SSL: added support for TLS Session Tickets (RFC5077).	Valentin V. Bartenev	449	December 23, 2013 03:34PM

Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 103

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018