Re: Nginx + boringSSL
On Tue, Jul 29, 2014 at 3:52 AM, sopato nginx-fo...@nginx.us wrote:
> Everything is ok, but when I add the ssl module, such as:
> ./configure --with-openssl=../boringssl --prefix=/srv1/nginx --with-http_ssl_module
> the make process gives an error. What can I do next?

Can you paste the error?

Also note, I've only tried it on OpenBSD but I don't see anything that would break it on, say, Linux. Assuming boringssl compiled correctly.

___
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Re: Nginx + boringSSL
Alex Hunsaker wrote:
> On Tue, Jul 29, 2014 at 3:52 AM, sopato nginx-fo...@nginx.us wrote:
>> Everything is ok, but when I add the ssl module, such as:
>> ./configure --with-openssl=../boringssl --prefix=/srv1/nginx --with-http_ssl_module
>> the make process gives an error. What can I do next?
>
> Can you paste the error?
>
> Also note, I've only tried it on OpenBSD but I don't see anything that would break it on, say, Linux. Assuming boringssl compiled correctly.

Go here and check the info for boringssl; it works, I've got chacha20 going:
https://calomel.org/nginx.html
Re: Nginx + boringSSL
Everything is ok, but when I add the ssl module, such as:
./configure --with-openssl=../boringssl --prefix=/srv1/nginx --with-http_ssl_module
the make process gives an error. What can I do next?

Thanks.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,251740,252100#msg-252100
Re: Nginx + boringSSL
On Sun, Jul 13, 2014 at 7:58 PM, Alex Hunsaker bada...@gmail.com wrote:
> I've started playing around with boringssl with nginx.
...
> Anyway, I'm pleased to report everything seems to work!

Please find attached v2. Changes:
- use openssl/opensslfeatures.h for feature detection; it's designed to more or less be compatible with libressl, so I suspect this patch might work with libressl as well
- fix deprecated use of RSA_generate_key(); the old patch just ripped out calling this function
- report an error if you try to set ssl_engine if OPENSSL_NO_ENGINE or OPENSSL_NO_DYNAMIC_ENGINE, instead of just silently ignoring the directive
- include openssl/rand.h if OPENSSL_VERSION = 1.0.2

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c index d8dd3d3..23a4af9 100644 --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -96,7 +96,14 @@ int ngx_ssl_stapling_index; ngx_int_t ngx_ssl_init(ngx_log_t *log) { + +/* + * For now assume if openssl does not have engine support it wont have + * OPENSSL_config() either + */ +#ifndef OPENSSL_NO_ENGINE OPENSSL_config(NULL); +#endif SSL_library_init(); SSL_load_error_strings(); @@ -207,7 +214,10 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data) SSL_CTX_set_options(ssl-ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING); #endif +#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG SSL_CTX_set_options(ssl-ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG); +#endif + SSL_CTX_set_options(ssl-ctx, SSL_OP_TLS_D5_BUG); SSL_CTX_set_options(ssl-ctx, SSL_OP_TLS_BLOCK_PADDING_BUG); @@ -585,7 +595,13 @@ ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export, if (key_length == 512) { if (key == NULL) { -key = RSA_generate_key(512, RSA_F4, NULL, NULL); +BIGNUM *e = BN_new(); +key = RSA_new(); + +BN_set_word(e, RSA_F4); +RSA_generate_key_ex(key, 512, e, NULL); + +BN_free(e); } } 
@@ -2806,6 +2822,13 @@ ngx_openssl_create_conf(ngx_cycle_t *cycle) } +#if defined(OPENSSL_NO_ENGINE) || defined(OPENSSL_NO_DYANMIC_ENGINE) +static char * +ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) +{ +return not supported by your openssl; +} +#else static char * ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) { @@ -2844,11 +2867,15 @@ ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) return NGX_CONF_OK; } +#endif static void ngx_openssl_exit(ngx_cycle_t *cycle) { EVP_cleanup(); + +#ifndef OPENSSL_NO_ENGINE ENGINE_cleanup(); +#endif } diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h index b7f8500..f655b69 100644 --- a/src/event/ngx_event_openssl.h +++ b/src/event/ngx_event_openssl.h @@ -17,9 +17,20 @@ #include openssl/conf.h #include openssl/engine.h #include openssl/evp.h + +#ifndef OPENSSL_NO_OCSP #include openssl/ocsp.h +#endif +#if OPENSSL_VERSION_NUMBER = 0x10002000 +#include openssl/rand.h +#endif + +#ifdef OPENSSL_IS_BORINGSSL +#define NGX_SSL_NAME BoringSSL +#else #define NGX_SSL_NAME OpenSSL +#endif #define ngx_ssl_session_t SSL_SESSION diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c index 3a3cc7f..98b4cd4 100644 --- a/src/event/ngx_event_openssl_stapling.c +++ b/src/event/ngx_event_openssl_stapling.c @@ -11,7 +11,7 @@ #include ngx_event_connect.h -#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB +#if defined(SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB) !defined(OPENSSL_NO_OCSP) typedef struct {
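Review bot: the ngx_ssl_init hunk ties `OPENSSL_config(NULL)` to `OPENSSL_NO_ENGINE`, and its own comment says that is an assumption. OpenSSL builds that disable engines still ship OPENSSL_config(), so this guard also skips loading openssl.cnf on such builds, not only on BoringSSL. Since the header hunk already introduces an `OPENSSL_IS_BORINGSSL` test, keying this guard on that macro would narrow the change to the library it is actually meant for.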
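Review bot: the replacement for RSA_generate_key() in the ngx_ssl_rsa512_key_callback hunk never checks a return value. `BN_new()` and `RSA_new()` can return NULL, in which case `BN_set_word(e, RSA_F4)` dereferences NULL, and if `RSA_generate_key_ex()` fails `key` is left pointing at an empty RSA object, whereas the old `RSA_generate_key()` returned NULL on failure so the caller could tell. Suggest checking each call and, on failure, `RSA_free(key); key = NULL;` before `BN_free(e)` so the callback keeps its previous failure behaviour.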
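Review bot: the guard in the ngx_openssl_engine stub hunk spells the macro `OPENSSL_NO_DYANMIC_ENGINE`, while the change list above says OPENSSL_NO_DYNAMIC_ENGINE. As written the misspelled name is never defined, so the stub is only ever selected by OPENSSL_NO_ENGINE and a build with only dynamic engines disabled still compiles the real directive handler. Fix the spelling to match the macro the patch intends.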
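Review bot: in the ngx_event_openssl.h hunk `#include openssl/engine.h` stays unconditional even though the same patch now wraps `ENGINE_cleanup()` and `OPENSSL_config()` in `#ifndef OPENSSL_NO_ENGINE`; a library built without engine support, which is the case the patch is adding, still pulls in that header. Wrap the include in the same guard. Also, the version check reads `#if OPENSSL_VERSION_NUMBER = 0x10002000` and the stapling guard `#if defined(SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB) !defined(OPENSSL_NO_OCSP)` as shown here; if the `>=` and `&&` operators were only lost in the mail, fine, otherwise neither line will preprocess.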
Re: Nginx + boringSSL
Looks interesting :)

Alex Hunsaker bada...@gmail.com wrote on Monday, July 14, 2014:
> I've started playing around with boringssl with nginx. Mostly everything works except OCSP. Seems like either openssl 1.0.2, which boringssl was forked from, does not have it, or the boringssl folk ripped it out. I have not investigated.
>
> Anyway, I'm pleased to report everything seems to work!
>
> --
> # first boringssl
> git clone https://boringssl.googlesource.com/boringssl
> cd boringssl
> # for when building on openbsd, also enables -O2, boringssl is a debug build by default
> cat boringssl_openbsd.patch | patch -p1 -N -s
> mkdir build
> cd build
> cmake ../
> make    # build libcrypto.a and libssl.a (step added; the copy below needs them)
> cd ..
>
> # setup stuff for nginx
> mkdir -p .openssl/lib
> # the link target is resolved relative to .openssl/, so it must be ../include, not include
> ln -s ../include .openssl/include
> cp build/crypto/libcrypto.a build/ssl/libssl.a .openssl/lib
>
> # now for nginx
> tar xvzf nginx-1.6.0.tar.gz
> cd nginx-1.6.0
> cat ../boringssl_nginx.patch | patch -p1 -N -s
> ./configure --with-openssl=../boringssl ...
> # update timestamp so nginx won't try to build openssl
> touch ../boringssl/.openssl/include/openssl/ssl.h
> make
> --

Best Regards,
Harold Miao
Re: Nginx + boringSSL
Thanks for sharing :) So SPDY/3.1 SSL works?

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,251740,251748#msg-251748
Re: Nginx + boringSSL
On Mon, Jul 14, 2014 at 4:47 AM, George nginx-fo...@nginx.us wrote:
> Thanks for sharing :) So SPDY/3.1 SSL works?

Yep, and so does CHACHA20_POLY130 :D
Nginx + boringSSL
I've started playing around with boringssl with nginx. Mostly everything works except OCSP. Seems like either openssl 1.0.2, which boringssl was forked from, does not have it, or the boringssl folk ripped it out. I have not investigated.

Anyway, I'm pleased to report everything seems to work!

--
# first boringssl
git clone https://boringssl.googlesource.com/boringssl
cd boringssl
# for when building on openbsd, also enables -O2, boringssl is a debug build by default
cat boringssl_openbsd.patch | patch -p1 -N -s
mkdir build
cd build
cmake ../
make    # build libcrypto.a and libssl.a (step added; the copy below needs them)
cd ..

# setup stuff for nginx
mkdir -p .openssl/lib
# the link target is resolved relative to .openssl/, so it must be ../include, not include
ln -s ../include .openssl/include
cp build/crypto/libcrypto.a build/ssl/libssl.a .openssl/lib

# now for nginx
tar xvzf nginx-1.6.0.tar.gz
cd nginx-1.6.0
cat ../boringssl_nginx.patch | patch -p1 -N -s
./configure --with-openssl=../boringssl ...
# update timestamp so nginx won't try to build openssl
touch ../boringssl/.openssl/include/openssl/ssl.h
make
--

Attachments: boringssl_nginx.patch, boringssl_openbsd.patch
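The `.openssl` staging step is the part of the procedure above that most easily goes wrong, so here is an added shell example (not from Alex's post or from the nginx or BoringSSL projects) that performs it and checks the layout nginx's --with-openssl=DIR looks for; the build directory and library paths follow the post, while the symlink-resolution check and the missing-file check are my additions.

```shell
#!/bin/sh
# Added example: stage a prebuilt BoringSSL checkout in the ".openssl" layout
# that nginx's --with-openssl=DIR expects, i.e.
#   DIR/.openssl/include/openssl/ssl.h and DIR/.openssl/lib/lib{ssl,crypto}.a
# Assumes BoringSSL was built with cmake + make inside DIR/build, as in the post.
set -eu

stage_boringssl() {
    dir=$1
    # Refuse to stage a tree that has not been built yet (assumed layout).
    for f in include/openssl/ssl.h build/crypto/libcrypto.a build/ssl/libssl.a; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f (build BoringSSL first)" >&2; return 1; }
    done
    mkdir -p "$dir/.openssl/lib"
    cp "$dir/build/crypto/libcrypto.a" "$dir/build/ssl/libssl.a" "$dir/.openssl/lib/"
    # A symlink target is resolved relative to the link's own directory, so
    # "ln -s include .openssl/" would make .openssl/include point at itself.
    rm -f "$dir/.openssl/include" 2>/dev/null || true
    ln -s ../include "$dir/.openssl/include"
    # Fail loudly if the link does not resolve to the real headers.
    [ -f "$dir/.openssl/include/openssl/ssl.h" ] || { echo "include link broken" >&2; return 1; }
    return 0
}

# nginx rebuilds "its" OpenSSL when ssl.h is older than objs/Makefile; bump
# the header's mtime so make skips that step for the prebuilt BoringSSL.
mark_prebuilt() {
    touch "$1/.openssl/include/openssl/ssl.h"
}

case "${1:-}" in
    "") ;;                                            # no args: only define functions
    *)  stage_boringssl "$1" && mark_prebuilt "$1" ;;  # usage: ./stage.sh ../boringssl
esac
```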