New variable $ssl_raw_handshake

Benny Baumann BenBE at geshi.org
Fri May 5 07:54:03 UTC 2017


Hi,

In the course of building up a dataset of mappings of User-Agents and their
common SSL ClientHello messages[1], I started to implement a small patch
to nginx 1.13.0 mainline that records a small transcript of the
handshake process, similar to the one enabled by openssl s_client -msg.

The format of this new variable is a series of semicolon-delimited
blocks, each starting with a direction (C: -> sent by client, S: -> sent by
server) followed by colon-delimited hexdumps of processed blocks of
data. The string C:00:01;S:0203:0405:0607;C:08090A; denotes 2 blocks of
1 byte each sent by the client, followed by 3 blocks of 2 bytes each from
the server, and finally 1 block of 3 bytes from the client. Blocks
usually conform to how OpenSSL tries to process the data.

I'd appreciate a short review of the patch with comments for possible
improvements, code style and other related things. One yet open aspect
is configurable behaviour to only enable collection on-demand. Also
ideas for migrating this code into a separate module are welcome.

NB: Due to the size of the transcribed information, it is commonly not
feasible to pass this variable to other backend servers via HTTP headers.
Trying to do so will most likely result in the backend responding 400 Bad
Request, sometimes also remarking about the overlong header. I'm still
looking at ways this can be done in a sane way (abusing memcached for
transporting could be an option) - but this is outside the scope of this
patch. Plainly logging the information of this header to some custom log
will do just fine.

Kind regards,
BenBE.

[1] Original paper on this approach at [2]
[2] https://jhalderm.com/pub/papers/interception-ndss17.pdf
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-add-Transcript-of-SSL-Handshake-similar-to-openssl-s.patch
Type: text/x-patch
Size: 5669 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20170505/b9a03f37/attachment.bin>
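A consumer for the transcript format described in the mail, added here as an example and not part of the original post or the proposed patch. It parses the semicolon/colon-delimited string written to a custom log into directed byte blocks, rejects truncated entries instead of silently skipping them, and reassembles the per-direction byte stream (e.g. the client's ClientHello for the User-Agent mapping dataset); the sample string is the one from the mail.

```python
import binascii
from dataclasses import dataclass
from typing import List, Tuple

# Sample transcript from the mail: two 1-byte client blocks, three 2-byte
# server blocks, one 3-byte client block.
SAMPLE = "C:00:01;S:0203:0405:0607;C:08090A;"


@dataclass
class Segment:
    direction: str        # "C" = sent by client, "S" = sent by server
    blocks: List[bytes]   # individual blocks, as OpenSSL processed them

    @property
    def total_bytes(self) -> int:
        return sum(len(b) for b in self.blocks)


def parse_transcript(value: str) -> List[Segment]:
    """Parse a $ssl_raw_handshake string into ordered Segments.

    Every semicolon-delimited entry is "<dir>:<hex>[:<hex>...]"; the
    trailing semicolon yields an empty entry that is skipped. Malformed
    input raises ValueError so a log consumer notices a truncated line.
    """
    segments = []
    for raw in value.split(";"):
        if not raw:
            continue
        direction, *hex_blocks = raw.split(":")
        if direction not in ("C", "S"):
            raise ValueError(f"unknown direction {direction!r} in {raw!r}")
        if not hex_blocks:
            raise ValueError(f"no data blocks in {raw!r}")
        blocks = []
        for h in hex_blocks:
            if not h or len(h) % 2:  # empty or odd-length hexdump: cut off
                raise ValueError(f"bad hex block {h!r} in {raw!r}")
            blocks.append(binascii.unhexlify(h))
        segments.append(Segment(direction, blocks))
    return segments


def is_well_formed(value: str) -> bool:
    """True if the transcript parses without error."""
    try:
        parse_transcript(value)
        return True
    except ValueError:
        return False


def direction_stream(segments: List[Segment], direction: str) -> bytes:
    """Concatenate all blocks sent in one direction, in wire order."""
    return b"".join(b for s in segments if s.direction == direction
                    for b in s.blocks)


def summarize(segments: List[Segment]) -> Tuple[int, int, List[int]]:
    """Return (client_bytes, server_bytes, blocks per segment)."""
    client = sum(s.total_bytes for s in segments if s.direction == "C")
    server = sum(s.total_bytes for s in segments if s.direction == "S")
    return client, server, [len(s.blocks) for s in segments]
```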