RFC: PolarSSL support.
yawning at schwanenlied.me
Sun Feb 17 13:21:33 UTC 2013
The diff containing my first pass implementation is available at:
* ssl_ciphers_list format is different, though it will accept the
default cipher list setting ("HIGH:!aNULL:!MD5").
For testing purposes I used:
* ssl_prefer_server_ciphers does not do anything.
* I intentionally did not implement support for PolarSSL's builtin
session cache because it's not very good (It's a linked list).
shared and none should work.
* SSLv2 is not supported by PolarSSL and will never be.
* ECDH is not supported by PolarSSL yet but it is on their roadmap.
* Stapling is not supported by PolarSSL. Not sure if it will be.
* When building with specifying the PolarSSL source directory with
--with-polarssl=[path], the make used needs to be GNU make due to
PolarSSL shipping with GNU make files.
* ngx_http_upstream_roundrobin will not do SSL session reuse, since I
intended for the patch to be minimally intrusive. It's possible to
re-add this functionality, with changes to the module.
* My auto integration does not have support for building on non-U*ix
systems, because I do not have a windows development environment
setup (PolarSSL supports the platform however).
* SNI does not work because I haven't gone and written it yet.
* Clients that send a SSLv2 Client Hello will fail to handshake
(PolarSSL issue. They used to support this backward compatibility
option, but support for it was pulled in v1.2.0, I posted on their
support forums asking about this).
* ngx_md5 and ngx_sha1 integration still not done yet, so on some
systems this may try to link against OpenSSL and have the compile
or link fail. This is a build system issue and not a code issue.
I haven't tested the client functionality (proxy modules) or mail, but I
have no reason to expect that it shouldn't just work.
Most of the code is shamelessly cribbed from ngx_event_openssl.[h,c], so
I feel good about most of the code. The auto stuff wasn't all that
documented so I'm not sure if I did it right (and it still needs work).
Thoughts, comments, feedback appreciated.
: I did the development on FreeBSD which has system MD5 and SHA1.
More information about the nginx-devel