RFC: PolarSSL support.

Yawning Angel yawning at schwanenlied.me
Sat Feb 16 12:16:32 UTC 2013


In my (regrettably) copious spare time I have been working on adding
support for PolarSSL[0] as an alternative to OpenSSL.  I'm getting close
to the point where I am comfortable with the code and would like to see
if there is interest from the community and developers for this option.

What I have so far:
 * src/event/ngx_event_polarssl.[h,c] (and some kludges to the build
   system so I can test my code).
 * Works insofar as a webserver compiled with my code can serve
   https (still needs more testing and code review).

What needs to be done before it's usable:
 * Need to implement ngx_ssl_trusted_certificate, just haven't gotten
   around to it yet.
 * Need to write implementations for ngx_ssl_get_session (and
   ngx_ssl_free_session) so that ngx_http_upstream_round_robin works
   again.  This should be relatively easy but I need to figure out how
   the module in question expects these to behave (The OpenSSL versions
   are #defines to OpenSSL routines and PolarSSL's internal behavior is
   reasonably different here).
 * Logging related cleanup.
 * PolarSSL supports SNI, but in the interest of keeping my changes
   self-contained (currently no functional changes to the nginx code
   apart from the addition of my module), I haven't implemented that
   yet because it requires modifying the http SSL module.
 * Need to figure out the nginx build system properly and integrate
   building with PolarSSL properly.
 * Need to see if the mail protocol support works.

What I'd like to do after the first revision:
 * A few of the modules call OpenSSL routines (Eg:
   SSL_CTX_set_cipher_list, X509_verify_cert_error_string).  Currently
   I provide wrappers for those routines in ngx_event_polarssl.c but
   they should be abstracted to ngx_ functions (Eg:
 * I haven't gotten around to making ngx_md5 and ngx_sha1 use PolarSSL
   yet.  Would be trivial once my module is properly integrated into
   the build system.

This post is mostly just trying to see if people would find this a
useful addition before I start on ticking items off the list.


Yawning Angel

[0]: http://www.polarssl.org

