Re: [PATCH 1 of 3] PSK: connection support

Maxim Dounin
June 30, 2017 08:00AM
Hello!

On Thu, Jun 29, 2017 at 10:00:45PM +0000, Karstens, Nate wrote:

> Thanks for the comments. I'll try to start on those in a couple
> of days.

Just to make it clear: there is no need to hurry. Likely I won't
be able to review new patches for at least a couple of weeks, so
feel free to spend more time polishing the patches.

> My company uses Outlook/Exchange for email, so I don't
> think I'll be able to use hg email; do you have any other
> suggestions? Thanks also for your patience, I've used Git quite
> a bit but am new to Mercurial.

The "hg email" command can work with any SMTP server, including
Exchange. Or you can ensure proper threading manually by using a
"reply" function.

> Utkarsh sounds like he is trying to use PSK for TLS v1.3 session
> resumption. Given that each TLS connection could potentially
> result in a new PSK I think only reading them at startup could
> result in too many refreshes. I think there might be some
> benefit to the original approach in regards to storing each PSK
> in its own file in a designated directory. Benefits include:

TLS v1.3 session resumption uses PSK internally, but it is very
different from an internal usage point of view. It is handled well
enough with the existing session cache / session tickets mechanisms.

[...]

> > +ngx_int_t
> > +ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
> > +
> > +{
>
> Style: extra empty line.
>
> > + ngx_int_t rc;
> > +
> > + if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_psk_index, file) == 0) {
> > + ngx_ssl_error(NGX_LOG_ALERT, ssl->log, 0,
> > + "SSL_CTX_set_ex_data() failed");
> > + return NGX_ERROR;
> > + }
> > +
> > + rc = ngx_ssl_psk_read(file, NULL, NULL, 0);
> > +
> > + return rc == 0 ? NGX_OK : NGX_ERROR;
> > +}
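Review bot: ngx_ssl_psk_file() never checks whether a PSK file was actually configured before storing the pointer in ex_data and reading it, so an empty `file` (no ssl_psk_file directive) ends up in the read path; an early `if (file->len == 0) { return NGX_OK; }` at the top of the function (or an equivalent check in the caller) would keep configurations without PSK working. Two smaller points: the `cf` parameter is unused in the visible body, and the validation call `ngx_ssl_psk_read(file, NULL, NULL, 0)` with three NULL/zero arguments deserves a comment stating that it only checks the file at configuration time, since the `rc == 0` comparison otherwise gives the reader no hint of what a successful return looks like.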

[...]

> > @@ -800,6 +810,12 @@
> >
> > }
> >
> > + if (ngx_ssl_psk_file(cf, &conf->ssl, &conf->psk_file)
> > + != NGX_OK)
> > + {
> > + return NGX_CONF_ERROR;
> > + }
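Review bot: the call is made for every server block regardless of whether `conf->psk_file` was set, so wrapping it in `if (conf->psk_file.len) { ... }` (or making ngx_ssl_psk_file() return NGX_OK on an empty name) is needed before a configuration without ssl_psk_file can load; the error path should also be checked to confirm it logs the file name, since NGX_CONF_ERROR alone gives the operator nothing to act on.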

Note: this calls ngx_ssl_psk_file() unconditionally, and
ngx_ssl_psk_file() also doesn't check if a file is configured. As
a result, a configuration without ssl_psk_file fails.

--
Maxim Dounin
http://nginx.org/
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel