
[nginx] SSL: $ssl_curve (ticket #2135).

Sergey Kandaurov
November 23, 2021 06:22AM
details: https://hg.nginx.org/nginx/rev/3443c02ca1d1
branches:
changeset: 7973:3443c02ca1d1
user: Sergey Kandaurov <pluknet@nginx.com>
date: Mon Nov 01 18:09:34 2021 +0300
description:
SSL: $ssl_curve (ticket #2135).

The variable contains a negotiated curve used for the handshake key
exchange process. Known curves are listed by their names, unknown
ones are shown in hex.

Note that for resumed sessions in TLSv1.2 and older protocols,
$ssl_curve contains the curve used during the initial handshake,
while in TLSv1.3 it contains the curve used during the session
resumption (see the SSL_get_negotiated_group manual page for
details).

The variable is only meaningful when using OpenSSL 3.0 and above.
With older versions the variable is empty.

diffstat:

src/event/ngx_event_openssl.c | 36 ++++++++++++++++++++++++++++++++++
src/event/ngx_event_openssl.h | 2 +
src/http/modules/ngx_http_ssl_module.c | 3 ++
src/stream/ngx_stream_ssl_module.c | 3 ++
4 files changed, 44 insertions(+), 0 deletions(-)

diffs (84 lines):

diff -r 284f03d6f154 -r 3443c02ca1d1 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Tue Nov 23 12:52:43 2021 +0300
+++ b/src/event/ngx_event_openssl.c Mon Nov 01 18:09:34 2021 +0300
@@ -4734,6 +4734,42 @@ ngx_ssl_get_ciphers(ngx_connection_t *c,


ngx_int_t
+ngx_ssl_get_curve(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
+{
+#ifdef SSL_get_negotiated_group
+
+ int nid;
+
+ nid = SSL_get_negotiated_group(c->ssl->connection);
+
+ if (nid != NID_undef) {
+
+ if ((nid & TLSEXT_nid_unknown) == 0) {
+ s->len = ngx_strlen(OBJ_nid2sn(nid));
+ s->data = (u_char *) OBJ_nid2sn(nid);
+ return NGX_OK;
+ }
+
+ s->len = sizeof("0x0000") - 1;
+
+ s->data = ngx_pnalloc(pool, s->len);
+ if (s->data == NULL) {
+ return NGX_ERROR;
+ }
+
+ ngx_sprintf(s->data, "0x%04xd", nid & 0xffff);
+
+ return NGX_OK;
+ }
+
+#endif
+
+ s->len = 0;
+ return NGX_OK;
+}
+
+
+ngx_int_t
ngx_ssl_get_curves(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
#ifdef SSL_CTRL_GET_CURVES
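Review bot: In the known-group branch of ngx_ssl_get_curve(), the result of `OBJ_nid2sn(nid)` goes straight into `ngx_strlen()` with no NULL check, although OpenSSL documents that OBJ_nid2sn() returns NULL when the NID has no entry in its object table. Built-in groups should always resolve, but I cannot tell from this hunk whether every NID that lacks the `TLSEXT_nid_unknown` bit (for example a provider-supplied group) is guaranteed a short name. The value comes from a handshake with a remote peer, so a NULL dereference here would take down the worker. I would call OBJ_nid2sn() once into a local and return an empty value when it yields NULL, which also removes the duplicate lookup. A one-line comment noting that `s->data` points at OpenSSL's static string on this path, not at pool memory, would help the next reader too.

```c
    const char  *name;

    /* … unchanged: SSL_get_negotiated_group() call and NID_undef check … */

        if ((nid & TLSEXT_nid_unknown) == 0) {
            name = OBJ_nid2sn(nid);
            if (name == NULL) {
                s->len = 0;
                return NGX_OK;
            }

            /* points at OpenSSL's static short name, not pool memory */
            s->len = ngx_strlen(name);
            s->data = (u_char *) name;
            return NGX_OK;
        }

    /* … unchanged: hex formatting for unknown groups … */
```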
diff -r 284f03d6f154 -r 3443c02ca1d1 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h Tue Nov 23 12:52:43 2021 +0300
+++ b/src/event/ngx_event_openssl.h Mon Nov 01 18:09:34 2021 +0300
@@ -256,6 +256,8 @@ ngx_int_t ngx_ssl_get_cipher_name(ngx_co
ngx_str_t *s);
ngx_int_t ngx_ssl_get_ciphers(ngx_connection_t *c, ngx_pool_t *pool,
ngx_str_t *s);
+ngx_int_t ngx_ssl_get_curve(ngx_connection_t *c, ngx_pool_t *pool,
+ ngx_str_t *s);
ngx_int_t ngx_ssl_get_curves(ngx_connection_t *c, ngx_pool_t *pool,
ngx_str_t *s);
ngx_int_t ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool,
diff -r 284f03d6f154 -r 3443c02ca1d1 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Tue Nov 23 12:52:43 2021 +0300
+++ b/src/http/modules/ngx_http_ssl_module.c Mon Nov 01 18:09:34 2021 +0300
@@ -342,6 +342,9 @@ static ngx_http_variable_t ngx_http_ssl
{ ngx_string("ssl_ciphers"), NULL, ngx_http_ssl_variable,
(uintptr_t) ngx_ssl_get_ciphers, NGX_HTTP_VAR_CHANGEABLE, 0 },

+ { ngx_string("ssl_curve"), NULL, ngx_http_ssl_variable,
+ (uintptr_t) ngx_ssl_get_curve, NGX_HTTP_VAR_CHANGEABLE, 0 },
+
{ ngx_string("ssl_curves"), NULL, ngx_http_ssl_variable,
(uintptr_t) ngx_ssl_get_curves, NGX_HTTP_VAR_CHANGEABLE, 0 },

diff -r 284f03d6f154 -r 3443c02ca1d1 src/stream/ngx_stream_ssl_module.c
--- a/src/stream/ngx_stream_ssl_module.c Tue Nov 23 12:52:43 2021 +0300
+++ b/src/stream/ngx_stream_ssl_module.c Mon Nov 01 18:09:34 2021 +0300
@@ -269,6 +269,9 @@ static ngx_stream_variable_t ngx_stream
{ ngx_string("ssl_ciphers"), NULL, ngx_stream_ssl_variable,
(uintptr_t) ngx_ssl_get_ciphers, NGX_STREAM_VAR_CHANGEABLE, 0 },

+ { ngx_string("ssl_curve"), NULL, ngx_stream_ssl_variable,
+ (uintptr_t) ngx_ssl_get_curve, NGX_STREAM_VAR_CHANGEABLE, 0 },
+
{ ngx_string("ssl_curves"), NULL, ngx_stream_ssl_variable,
(uintptr_t) ngx_ssl_get_curves, NGX_STREAM_VAR_CHANGEABLE, 0 },

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel