
[PATCH] Proxy: add "proxy_ssl_padding" directive

Piotr Sikora
July 25, 2014 07:50AM
# HG changeset patch
# User Piotr Sikora <piotr@cloudflare.com>
# Date 1406288796 25200
# Fri Jul 25 04:46:36 2014 -0700
# Node ID fa9bca0cb2876eb57048644aa4af15d1e6c85d26
# Parent c3b08217f2a24f4531e578082dff498d85818cf0
Proxy: add "proxy_ssl_padding" directive.

This change adds support for the TLS padding extension (the workaround
for the "TLS hang bug"), which might be necessary in order to establish
an SSL connection with upstream servers that have, or sit behind, a broken SSL stack.

Previously, it was possible to connect to such servers only by reducing
size of the ClientHello message to below 256 bytes (by reducing number
of advertised cipher suites, removing support for newer SSL protocols
and/or removing the Server Name Indication extension).

Requires OpenSSL-1.0.1h+.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>

diff -r c3b08217f2a2 -r fa9bca0cb287 src/http/modules/ngx_http_proxy_module.c
--- a/src/http/modules/ngx_http_proxy_module.c Thu Jul 24 16:25:07 2014 +0400
+++ b/src/http/modules/ngx_http_proxy_module.c Fri Jul 25 04:46:36 2014 -0700
@@ -84,6 +84,7 @@ typedef struct {
ngx_uint_t ssl_verify_depth;
ngx_str_t ssl_trusted_certificate;
ngx_str_t ssl_crl;
+ ngx_flag_t ssl_padding;
#endif
} ngx_http_proxy_loc_conf_t;

@@ -164,6 +165,10 @@ static char *ngx_http_proxy_cache_key(ng
#endif

static char *ngx_http_proxy_lowat_check(ngx_conf_t *cf, void *post, void *data);
+#if (NGX_HTTP_SSL)
+static char *ngx_http_proxy_ssl_padding_check(ngx_conf_t *cf, void *post,
+ void *data);
+#endif

static ngx_int_t ngx_http_proxy_rewrite_regex(ngx_conf_t *cf,
ngx_http_proxy_rewrite_t *pr, ngx_str_t *regex, ngx_uint_t caseless);
@@ -177,6 +182,10 @@ static void ngx_http_proxy_set_vars(ngx_

static ngx_conf_post_t ngx_http_proxy_lowat_post =
{ ngx_http_proxy_lowat_check };
+#if (NGX_HTTP_SSL)
+static ngx_conf_post_t ngx_http_proxy_ssl_padding_post =
+ { ngx_http_proxy_ssl_padding_check };
+#endif


static ngx_conf_bitmask_t ngx_http_proxy_next_upstream_masks[] = {
@@ -598,6 +607,13 @@ static ngx_command_t ngx_http_proxy_com
offsetof(ngx_http_proxy_loc_conf_t, ssl_crl),
NULL },

+ { ngx_string("proxy_ssl_padding"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_flag_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_proxy_loc_conf_t, ssl_padding),
+ &ngx_http_proxy_ssl_padding_post },
+
#endif

ngx_null_command
@@ -2495,6 +2511,7 @@ ngx_http_proxy_create_loc_conf(ngx_conf_
conf->upstream.ssl_server_name = NGX_CONF_UNSET;
conf->upstream.ssl_verify = NGX_CONF_UNSET;
conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
+ conf->ssl_padding = NGX_CONF_UNSET;
#endif

/* "proxy_cyclic_temp_file" is disabled */
@@ -2791,6 +2808,7 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t
ngx_conf_merge_str_value(conf->ssl_trusted_certificate,
prev->ssl_trusted_certificate, "");
ngx_conf_merge_str_value(conf->ssl_crl, prev->ssl_crl, "");
+ ngx_conf_merge_value(conf->ssl_padding, prev->ssl_padding, 0);

if (conf->ssl && ngx_http_proxy_set_ssl(cf, conf) != NGX_OK) {
return NGX_CONF_ERROR;
@@ -3824,6 +3842,18 @@ ngx_http_proxy_lowat_check(ngx_conf_t *c

#if (NGX_HTTP_SSL)

+static char *
+ngx_http_proxy_ssl_padding_check(ngx_conf_t *cf, void *post, void *data)
+{
+#ifndef SSL_OP_TLSEXT_PADDING
+ ngx_conf_log_error(NGX_LOG_WARN, cf, 0,
+ "\"proxy_ssl_padding\" is not supported, ignored");
+#endif
+
+ return NGX_CONF_OK;
+}
+
+
static ngx_int_t
ngx_http_proxy_set_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *plcf)
{
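Review bot: The warning in ngx_http_proxy_ssl_padding_check is emitted for every occurrence of the directive, including `proxy_ssl_padding off;`, because the handler never looks at the flag value that ngx_conf_set_flag_slot has just stored in `data`; a configuration that explicitly disables the feature on a build without SSL_OP_TLSEXT_PADDING gets a spurious "not supported, ignored" warning. Guarding the log call on the parsed value fixes that: `if (*(ngx_flag_t *) data) {` around the `ngx_conf_log_error(...)` call, inside the existing `#ifndef`. The `post` parameter is then the only unused one, which matches the other `ngx_conf_post_t` handlers in this file.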
@@ -3880,6 +3910,12 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, n
}
}

+#ifdef SSL_OP_TLSEXT_PADDING
+ if (plcf->ssl_padding) {
+ SSL_CTX_set_options(plcf->upstream.ssl->ctx, SSL_OP_TLSEXT_PADDING);
+ }
+#endif
+
return NGX_OK;
}
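Review bot: The new `#ifdef SSL_OP_TLSEXT_PADDING` block in ngx_http_proxy_set_ssl sets the option without saying why, and the reason is only recoverable from the commit message. A one-line comment above the `if (plcf->ssl_padding)` check would help the next reader: `/* pad ClientHello to work around the "TLS hang bug" in broken SSL stacks */`. Since the option is only ever set and never cleared here, it is worth noting in the same comment that this relies on the context being freshly created for this location, which appears to be the case from the surrounding function but is not visible in the hunk; ngx_http_proxy_set_ssl starts outside the hunk.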


_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel