Hello, Oops. So it must work without OpenSSL. This requirement makes all things more complicated and inflexible. All hashing algorithms of practical importance (sha1, sha256) should be implemented in the module. It is a lot of work :) Well, maybe someone finds the patch useful.
2012/4/28 Maxim Dounin <mdounin@mdounin.ru>:
> Hello!
>
> On Sat, Apr 28, 2012 at 11:48:02AM +0300, Ad
by timo2 - Nginx Development
Hello, Attached is the proposed patch to the http_secure_link module. With the patch, the security and functionality of the module are extended. First of all, the secure token is created using a much more secure HMAC construction with an arbitrary hash algorithm supported by OpenSSL, e.g., md5, sha1, sha256, sha512. The secure token is created in the standard way as in RFC2104, that is, H(secret_key XOR opa
by timo2 - Nginx Development
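As an added illustration of the RFC 2104 construction the post describes (example code written for this page, not the posted patch and not nginx's own secure_link module): the HMAC is built by hand as H((K XOR opad) || H((K XOR ipad) || text)) for any digest hashlib knows, cross-checked against Python's hmac module, and then used to mint and verify a secure-link token. The token layout (MAC over expiry timestamp plus URI, base64url without padding), the function names and the sample secret are assumptions for this example; the layout the patch actually uses is not shown here.

```python
import base64
import hashlib
import hmac
import time


def rfc2104_hmac(key: bytes, text: bytes, hashname: str) -> bytes:
    """HMAC exactly as RFC 2104 section 2 defines it, for any hashlib digest:
    H((K XOR opad) || H((K XOR ipad) || text)), with K zero-padded (or hashed
    first, if longer than the block) to the hash's input block size."""
    block_size = hashlib.new(hashname).block_size   # 64 for md5/sha1/sha256, 128 for sha512
    if len(key) > block_size:
        key = hashlib.new(hashname, key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hashname, ipad + text).digest()
    return hashlib.new(hashname, opad + inner).digest()


def matches_stdlib(key: bytes, text: bytes, hashname: str) -> bool:
    """Cross-check the hand-built HMAC against Python's hmac module."""
    return hmac.compare_digest(rfc2104_hmac(key, text, hashname),
                               hmac.new(key, text, hashname).digest())


# Secure-link token on top of the HMAC. The layout below (MAC over the expiry
# timestamp followed by the URI, base64url without padding) is an assumption
# made for this example, not the layout of the posted patch.

def _message(uri: str, expires: int) -> bytes:
    # Bind the MAC to both the resource and its expiry so neither can be swapped.
    return f"{expires}{uri}".encode()


def make_token(secret: bytes, uri: str, expires: int, hashname: str = "sha256") -> str:
    mac = rfc2104_hmac(secret, _message(uri, expires), hashname)
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def verify_token(secret: bytes, uri: str, expires: int, token: str,
                 hashname: str = "sha256", now=None) -> bool:
    """True only if the link is unexpired and the MAC matches (constant-time compare)."""
    now = int(time.time()) if now is None else now
    if expires <= now:
        return False
    expected = make_token(secret, uri, expires, hashname)
    return hmac.compare_digest(expected.encode(), token.encode())


if __name__ == "__main__":
    secret = b"constructed-example-secret"          # constructed sample key
    expires = int(time.time()) + 3600
    token = make_token(secret, "/protected/file.bin", expires, "sha512")
    print("token:", token)
    print("valid:", verify_token(secret, "/protected/file.bin", expires, token, "sha512"))
    print("tampered uri:", verify_token(secret, "/protected/other.bin", expires, token, "sha512"))
```

The hash is chosen by name, mirroring the patch's "any digest OpenSSL supports"; changing the digest changes the block size the key is padded to, which the function reads from hashlib rather than hard-coding. Verification compares the whole encoded MAC in constant time and rejects an expired link before doing any key-dependent work.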
This is good news. Thanks, Igor!
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
by timo2 - Nginx Development
Hello, I bump the topic which I have already discussed here ;) Briefly, the patch enables the use of elliptic curve ciphers (ECC) with nginx. The ECDH support was introduced in OpenSSL starting from version 0.9.8. The default EC curve is prime256v1. A patch against nginx-1.0.5 is attached. I know that nginx should compile also with 0.9.7 but maybe the patch could still be included in the mainstream ver
by timo2 - Nginx Development
Hi again, To be on the safe side, it's better to do
SSL_CTX_set_tmp_ecdh(ssl->ctx, ecdh);
SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_ECDH_USE);
EC_KEY_free(ecdh);
Updated patch is attached.
by timo2 - Nginx Development
Hello, Updated patch diff -rupN nginx-0.9.3/src/event/ngx_event_openssl.c nginx-0.9.3p/src/event/ngx_event_openssl.c --- nginx-0.9.3/src/event/ngx_event_openssl.c 2011-01-05 20:38:18.000000000 +0200 +++ nginx-0.9.3p/src/event/ngx_event_openssl.c 2011-01-05 20:33:55.000000000 +0200 @@ -478,6 +478,42 @@ ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_ return NGX_OK; } +ngx_int_t +ngx_s
by timo2 - Nginx Mailing List - English
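Review bot: the new function this hunk inserts directly after ngx_ssl_dhparam's `return NGX_OK; }` begins bare (`+ngx_int_t +ngx_s` follows the closing brace with no `+#if` line before it), so the ECDH code it introduces will not compile against OpenSSL releases older than 0.9.8 or builds configured with `no-ec`, which nginx still has to support; wrap the function and the code that calls it in `#if OPENSSL_VERSION_NUMBER >= 0x0090800fL` together with `#ifndef OPENSSL_NO_EC`, as the later revision of this patch says it does.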
Hello, Thanks Maxim for the encouragement. Indeed, the patch was really terrible. I did some code clean-up. Hope it should be fine right now. The ECDH was introduced in OpenSSL starting from version 0.9.8. There is a preprocessor check now. The default EC curve is prime256v1. Just to be sure, I paste the patch also here: diff -rupN nginx-0.9.3/src/event/ngx_event_openssl.c nginx-0.9.3p/src/event/ngx_ev
by timo2 - Nginx Development
Hi, I was able to add support for elliptic curve cryptography. Nginx has to be compiled with OpenSSL 1.0.0 libraries, though. The patch against nginx-0.8.54 is here (sorry, I do not know how to add an attachment). Basically, it adds an extra configuration parameter ssl_eccurve with which one can specify the elliptic curve. If this parameter is missing then the default secp224r1 curve is used. diff
by timo2 - Nginx Mailing List - English
Well, it seems that OpenSSL can handle it by itself if the recommended exponent length is in the PEM file. Nginx uses OpenSSL routines to decode the PEM file in the ngx_ssl_dhparam routine, so the recommended exponent length should be taken into account. Can anyone more experienced confirm that? However, the default values (hardcoded in the nginx source) are a 1024-bit safe prime p and generator g=2. NI
by timo2 - Nginx Mailing List - English
Hi, Nginx offers the possibility to import DH parameters (prime p and generator g) from an external file. The parameters (p and g) have to be generated with "openssl dhparam". In the default setting, openssl calculates strong primes and uses either 2 or 5 as the generator. The private exponent in the modular exponentiation is then very long; its bit representation is comparable in length to the pr
by timo2 - Nginx Mailing List - English
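To make the two DH-parameter posts above concrete, an added example (written for this page; not nginx's, not OpenSSL's and not the poster's code) that does in pure Python what the posts describe `openssl dhparam` doing: find a safe prime p = 2q + 1, check that a candidate (p, g) really is a safe prime with a usable generator, and run a DH exchange with either a full-length private exponent or a deliberately short one, which is the idea behind the "recommended exponent length" the second post asks about. The bit sizes are toy sizes so the block runs in a moment, and the `exp_bits` parameter and function names are this example's own, not an OpenSSL API.

```python
import secrets

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # definite witness of compositeness
    return True


def generate_safe_prime(bits: int) -> int:
    """Return p = 2q + 1 with both q and p prime and p exactly `bits` bits long."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1   # odd (bits-1)-bit candidate
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            return p


def check_dh_params(p: int, g: int) -> tuple:
    """Validate (p, g) before trusting a parameter file: safe prime, sane generator."""
    if not is_probable_prime(p):
        return False, "p is not prime"
    q = (p - 1) // 2
    if not is_probable_prime(q):
        return False, "p is not a safe prime: (p-1)/2 is composite"
    if not 1 < g < p - 1:
        return False, "g is out of range"
    # With p safe, ord(g) is q or 2q. If g^q == 1, g generates the order-q subgroup;
    # otherwise g generates all of Z_p^* and the parity of the private exponent
    # leaks through the quadratic-residuosity of the public value.
    if pow(g, q, p) == 1:
        return True, "g generates the order-q subgroup"
    return True, "g generates the full group (public value leaks the exponent's low bit)"


def dh_private(p: int, exp_bits=None) -> int:
    """Full-length exponent in [1, q-1], or a fixed-length short one
    (the 'recommended private value length' idea). Needs exp_bits < q.bit_length()."""
    q = (p - 1) // 2
    if exp_bits is None:
        return secrets.randbelow(q - 1) + 1
    if exp_bits >= q.bit_length():
        raise ValueError("short exponent must be shorter than q")
    return secrets.randbits(exp_bits) | (1 << (exp_bits - 1))


def dh_exchange(p: int, g: int, exp_bits=None) -> bool:
    """One DH agreement between two sides; True if both derive the same secret."""
    a, b = dh_private(p, exp_bits), dh_private(p, exp_bits)
    pub_a, pub_b = pow(g, a, p), pow(g, b, p)
    return pow(pub_b, a, p) == pow(pub_a, b, p)


if __name__ == "__main__":
    p = generate_safe_prime(64)                   # toy size; real parameters are 2048+ bits
    print("p =", p)
    print("g = 2 ->", check_dh_params(p, 2))
    print("full-length exponents agree:", dh_exchange(p, 2))
    print("32-bit exponents agree:     ", dh_exchange(p, 2, exp_bits=32))
    print("non-safe prime 31 ->", check_dh_params(31, 2))
```

The exchange succeeds with either exponent length because correctness never depended on the exponent being as long as p; the length is a security parameter (it must stay comfortably above twice the intended security level), which is exactly why a parameter file can carry a recommended private-value length and why nginx's own default of a full-length exponent is the conservative choice rather than the only working one.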