Hi Thomas

Thanks for your reply. What you outline is essentially what I want to do – I am 
statically compiling nginx against a specific openssl version and I want to be 
able to re-enable 3DES ciphersuites which are disabled in openssl 1.1.0+ (we 
have some audience demographics in e.g. Rural India and North Africa, a 
reasonable proportion of whom use very old mobile handsets).

So…what I would like to be able to do is to add something to my configure for 
nginx which would trigger the same behaviour as if I were adding 
“enable-<ciphersuite>” when configuring openssl.

Hopefully that makes a bit more sense now :-).

Cheers

Neil Craig
Lead Technical Architect
BBC Design + Engineering | OTG
Broadcast Centre, London W12 7TQ | BC4 A3

From: Thomas Ward <tew...@dark-net.net>
Date: Thursday, 5 April 2018 at 16:56
To: "nginx-devel@nginx.org" <nginx-devel@nginx.org>, Neil Craig 
<neil.cr...@bbc.co.uk>
Subject: Re: Adding OpenSSL ciphersuites at compile time


If I remember correctly, the available cipher suites to NGINX are based on 
what's compiled into the underlying SSL libraries that NGINX builds against.  
So if the underlying OpenSSL has access to ChaCha ciphers in its ciphers 
that're compiled into it, then NGINX can utilize those ChaCha ciphers.

I don't believe there's explicit NGINX compile-time configuration options to 
enable ciphers at runtime, as this is dependent on the OpenSSL libraries 
statically built into your binaries, and therefore whatever OpenSSL cipher 
suites are enabled in it.  You can then enable/disable the individual ciphers 
to be 'offered' by NGINX with the `ssl_ciphers` configuration parameter [1] to use 
ciphers that might not be in the default cipherstring (which is 
"HIGH:!aNULL:!MD5" for reference), though, which is the 'standard' way to 
define what cipher suites should/shouldn't be used for SSL in the nginx 
instance when it's running and serving SSL connections.

Consider, though, that any ciphers you put in the cipherstring will only be 
usable if the underlying SSL libraries (statically compiled in or not) support 
those ciphers that are defined in the cipher string.


Thomas


[1]: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers

On 04/05/2018 11:35 AM, Neil Craig wrote:
Hi

I build a customised nginx binary for my project; this is statically compiled 
against openssl (via --with-openssl). Does anyone know if it's possible to add a 
configure option to enable specific ciphersuites? The OpenSSL docs are here:

https://wiki.openssl.org/index.php/Compilation_and_Installation

And these say that you can set a configure option of “enable-<ciphersuite>” if 
compiling OpenSSL directly. Is there some way I can tell the nginx build to do 
that?

Cheers
Neil




----------------------------

http://www.bbc.co.uk
This e-mail (and any attachments) is confidential and may contain personal 
views which are not the views of the BBC unless specifically stated.
If you have received it in error, please delete it from your system.
Do not use, copy or disclose the information in any way nor act in reliance on 
it and notify the sender immediately.
Please note that the BBC monitors e-mails sent or received.
Further communication will signify your consent to this.

---------------------
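What Neil is asking for does exist in nginx's own configure script: `--with-openssl-opt=OPTIONS` passes OPTIONS straight through to OpenSSL's Configure when nginx builds OpenSSL for a static link via `--with-openssl`. In OpenSSL 1.1.0 and later the 3DES suites are compiled only when OpenSSL is configured with `enable-weak-ssl-ciphers`, and once compiled in they still are not part of HIGH, so `ssl_ciphers` has to name them explicitly. Thomas's caveat also deserves a check: OpenSSL silently drops unknown suite names from a cipherstring and only errors when nothing at all matches, so a suite that is not compiled in disappears without any warning in the nginx config. The script below is an added example and is not code from either poster or from nginx; the OpenSSL source path and the `openssl ciphers -v` listings are constructed sample data, and `nginx_configure_cmd` and `missing_ciphers` are helper names chosen here.

```shell
#!/bin/sh
# Added example, not from either poster. Two helpers:
#  1. nginx_configure_cmd: the nginx ./configure line that forwards OpenSSL
#     Configure options (here enable-weak-ssl-ciphers) via --with-openssl-opt.
#  2. missing_ciphers: the check Thomas's caveat calls for, i.e. which suites
#     named in ssl_ciphers the linked OpenSSL build cannot actually offer.
# Paths and the sample `openssl ciphers -v` output below are assumptions.

# Print the configure invocation for a static nginx build against an OpenSSL
# source tree, passing extra options straight to OpenSSL's own Configure.
nginx_configure_cmd() {
    openssl_src="$1"     # e.g. /usr/src/openssl-1.1.0h (assumed path)
    openssl_opts="$2"    # e.g. 'enable-weak-ssl-ciphers'
    printf "./configure --with-http_ssl_module --with-openssl=%s --with-openssl-opt='%s'\n" \
        "$openssl_src" "$openssl_opts"
}

# Report every explicit suite in an nginx ssl_ciphers string that is absent
# from the given `openssl ciphers -v` output (one suite per line, name in the
# first column). Run the openssl binary built in the same source tree so the
# list reflects exactly what the static nginx links against.
missing_ciphers() {
    cipherstring="$1"
    available="$2"       # file containing `openssl ciphers -v` output
    printf '%s\n' "$cipherstring" | tr ':' '\n' | while IFS= read -r want; do
        # Assumption: explicit OpenSSL suite names contain '-' (DES-CBC3-SHA,
        # AES128-SHA). Aliases and modifiers (HIGH, !aNULL, +ECDHE, @STRENGTH)
        # are resolved by OpenSSL itself and are skipped here.
        case "$want" in
            '!'*|'+'*|'-'*|'@'*) continue ;;
            *-*) ;;
            *) continue ;;
        esac
        if ! awk -v w="$want" '$1 == w { found = 1 } END { exit !found }' "$available"; then
            printf '%s\n' "$want"
        fi
    done
}

# Constructed sample of `openssl ciphers -v` from a default OpenSSL 1.1.0
# build: no 3DES suite present because weak-ssl-ciphers is disabled.
SAMPLE_DEFAULT_BUILD='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1'

# Constructed sample from the same tree after rebuilding with
# enable-weak-ssl-ciphers: the 3DES suite is back.
SAMPLE_WEAK_BUILD="$SAMPLE_DEFAULT_BUILD
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1"

# The 3DES suite must be named explicitly in ssl_ciphers: it is not in HIGH
# on 1.1.0+ even once it is compiled in.
WANTED='HIGH:!aNULL:!MD5:DES-CBC3-SHA'

demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_DEFAULT_BUILD" > "$tmp"
    echo "Default 1.1.0 build silently drops:"; missing_ciphers "$WANTED" "$tmp"
    printf '%s\n' "$SAMPLE_WEAK_BUILD" > "$tmp"
    echo "After rebuild with enable-weak-ssl-ciphers, missing:"; missing_ciphers "$WANTED" "$tmp"
    rm -f "$tmp"
    echo "Build line:"; nginx_configure_cmd /usr/src/openssl-1.1.0h enable-weak-ssl-ciphers
}
demo
```

Against a real build, replace the sample files with the output of `<openssl_src>/apps/openssl ciphers -v` from the tree nginx was configured with; an empty result from `missing_ciphers` means every suite the config names is one the static binary can actually negotiate.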



_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
