Adding OpenSSL ciphersuites at compile time

Thu Apr 5 18:39:45 UTC 2018

Hi Thomas

Thanks for your reply. What you outline is essentially what I want to do – I am statically compiling nginx against a specific openssl version and I want to be able to re-enable 3DES ciphersuites which are disabled in openssl 1.1.0+ (we have some audience demographics in e.g. Rural India and North Africa, a reasonable proportion of whom use very old mobile handsets).

So…what I would like to be able to do is to add something to my configure for nginx which would trigger the same behaviour as if I were adding “enable-<ciphersuite>” when configuring openssl.

Hopefully that makes a bit more sense now :-).

Cheers

Neil Craig
Lead Technical Architect
BBC Design + Engineering | OTG
Broadcast Centre, London W12 7TQ | BC4 A3
[cid:1470E654-D8D0-4A53-A0B0-628531702DD6]

From: Thomas Ward <teward at dark-net.net<mailto:teward at dark-net.net>>
Date: Thursday, 5 April 2018 at 16:56
To: "nginx-devel at nginx.org<mailto:nginx-devel at nginx.org>" <nginx-devel at nginx.org<mailto:nginx-devel at nginx.org>>, Neil Craig <Neil.Craig at bbc.co.uk<mailto:Neil.Craig at bbc.co.uk>>
Subject: Re: Adding OpenSSL ciphersuites at compile time

If I remember correctly, the available cipher suites to NGINX are based on what's compiled into the underlying SSL libraries that NGINX builds against.  So if the underlying OpenSSL has access to ChaCha ciphers in its ciphers that're compiled into it, then NGINX can utilize those ChaCha ciphers.

I don't believe there's explicit NGINX compile-time configuration options to enable ciphers at runtime, as this is dependent on the OpenSSL libraries statically built into your binaries, and therefore whatever OpenSSL cipher suites are enabled in it.  You can then enable/disable the individual ciphers to be 'offered' by NGINX the `ssl_ciphers` configuration parameter [1] to use ciphers that might not be in the default cipherstring (which is "HIGH:!aNULL:!MD5" for reference), though, which is the 'standard' way to define what cipher suites should/shouldn't be used for SSL in the nginx instance when it's running and serving SSL connections.

Consider, though, that any ciphers you put in the cipherstring will only be usable if the underlying SSL libraries (statically compiled in or not) support those ciphers that are defined in the cipher string.

Thomas

[1]: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers

On 04/05/2018 11:35 AM, Neil Craig wrote:
Hi

I build a customised nginx binary for my project, this is statically compiled against openssl (via —with-openssl). Does anyone know if it’s possible to add a configure option to enable specific ciphersuites? The OpenSSL docs are here:

https://wiki.openssl.org/index.php/Compilation_and_Installation

And these say that you can set a configure option of “enable-<ciphersuite>” if compiling OpenSSL directly. Is there some way I can tell the nginx build to do that?

Cheers
Neil

----------------------------

http://www.bbc.co.uk
This e-mail (and any attachments) is confidential and may contain personal views which are not the views of the BBC unless specifically stated.
If you have received it in error, please delete it from your system.
Do not use, copy or disclose the information in any way nor act in reliance on it and notify the sender immediately.
Please note that the BBC monitors e-mails sent or received.
Further communication will signify your consent to this.

---------------------

_______________________________________________
nginx-devel mailing list
nginx-devel at nginx.org<mailto:nginx-devel at nginx.org>http://mailman.nginx.org/mailman/listinfo/nginx-devel

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20180405/0e27e58b/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: BBC-DAndE[2][6].png
Type: image/png
Size: 1914 bytes
Desc: BBC-DAndE[2][6].png
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20180405/0e27e58b/attachment.png>