<div dir="auto">But the way have you benchmarked this?</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, 5 Mar 2023, 11:55 am Nick Bogdanov, <<a href="mailto:nickrbogdanov@gmail.com">nickrbogdanov@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"># HG changeset patch<br>
# User Nick Bogdanov <<a href="mailto:nickrbogdanov@gmail.com" target="_blank" rel="noreferrer">nickrbogdanov@gmail.com</a>><br>
# Date 1677975659 28800<br>
# Sat Mar 04 16:20:59 2023 -0800<br>
# Node ID 8cb34ae16de2408cbe91832194baac6ae299f251<br>
# Parent cffaf3f2eec8fd33605c2a37814f5ffc30371989<br>
Add ssl_provider directive (ticket #2449)<br>
<br>
This change allows nginx to load modules that use the new OpenSSL<br>
Provider interface. My primary use case involves securing the<br>
webserver's private TLS key using a TPM2 chip, so it can't be stolen<br>
if the server is compromised. The way I tested this is as follows:<br>
<br>
1. Install basic TPM2 support. On Ubuntu 22.04 I used<br>
<br>
apt install tpm2-tools tpm2-abrmd libtss2-tcti-tabrmd0<br>
<br>
2. Install <a href="https://github.com/tpm2-software/tpm2-openssl" rel="noreferrer noreferrer" target="_blank">https://github.com/tpm2-software/tpm2-openssl</a> . Version<br>
1.2.0-rc0 or higher is required. At the time of this writing, it's<br>
likely you'll have to build from source.<br>
<br>
3. Generate a parent key on your TPM (one-time setup):<br>
<br>
tpm2_createprimary -C o -g sha256 -G ecc -c primary_sh.ctx<br>
<br>
tpm2_evictcontrol -C o -c 0x81000001 || true<br>
<br>
tpm2_evictcontrol -C o -c primary_sh.ctx 0x81000001<br>
<br>
4. Generate a TPM-backed RSA privkey and a corresponding self-signed<br>
x509 cert:<br>
<br>
openssl genpkey -provider tpm2 -algorithm RSA<br>
-pkeyopt parent:0x81000001 -out rsakey.pem<br>
<br>
openssl req -provider tpm2 -provider default -x509<br>
-subj "/C=GB/CN=foo" -key rsakey.pem -out rsacert.pem<br>
<br>
rsakey.pem will start with "-----BEGIN TSS2 PRIVATE KEY-----" to indicate<br>
that the key material is encrypted with a key that is only available inside<br>
the TPM chip.<br>
<br>
5. At the start of nginx.conf, tell nginx to use the tpm2 provider<br>
first, and then fall back to the default provider for unsupported<br>
operations:<br>
<br>
ssl_provider tpm2;<br>
ssl_provider default;<br>
<br>
6. Inside a "server {" section for an existing TLS server, point nginx<br>
to the new TPM-backed cert and key:<br>
<br>
ssl_certificate /tmp/rsacert.pem;<br>
ssl_certificate_key /tmp/rsakey.pem;<br>
<br>
If the ssl_provider option took effect, it will be able to recognize<br>
the new TSS2 rsakey.pem and instruct the TPM chip to handle the signing<br>
operation during the TLS handshake.<br>
<br>
diff -r cffaf3f2eec8 -r 8cb34ae16de2 contrib/vim/syntax/nginx.vim<br>
--- a/contrib/vim/syntax/nginx.vim Thu Feb 02 23:38:48 2023 +0300<br>
+++ b/contrib/vim/syntax/nginx.vim Sat Mar 04 16:20:59 2023 -0800<br>
@@ -620,6 +620,7 @@<br>
syn keyword ngxDirective contained ssl_prefer_server_ciphers<br>
syn keyword ngxDirective contained ssl_preread<br>
syn keyword ngxDirective contained ssl_protocols<br>
+syn keyword ngxDirective contained ssl_provider<br>
syn keyword ngxDirective contained ssl_reject_handshake<br>
syn keyword ngxDirective contained ssl_session_cache<br>
syn keyword ngxDirective contained ssl_session_ticket_key<br>
diff -r cffaf3f2eec8 -r 8cb34ae16de2 src/event/ngx_event_openssl.c<br>
--- a/src/event/ngx_event_openssl.c Thu Feb 02 23:38:48 2023 +0300<br>
+++ b/src/event/ngx_event_openssl.c Sat Mar 04 16:20:59 2023 -0800<br>
@@ -90,6 +90,7 @@<br>
<br>
static void *ngx_openssl_create_conf(ngx_cycle_t *cycle);<br>
static char *ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf);<br>
+static char *ngx_openssl_provider(ngx_conf_t *cf, ngx_command_t *cmd, void *conf);<br>
static void ngx_openssl_exit(ngx_cycle_t *cycle);<br>
<br>
<br>
@@ -102,6 +103,13 @@<br>
0,<br>
NULL },<br>
<br>
+ { ngx_string("ssl_provider"),<br>
+ NGX_MAIN_CONF|NGX_DIRECT_CONF|NGX_CONF_TAKE1,<br>
+ ngx_openssl_provider,<br>
+ 0,<br>
+ 0,<br>
+ NULL },<br>
+<br>
ngx_null_command<br>
};<br>
<br>
@@ -5939,6 +5947,26 @@<br>
#endif<br>
}<br>
<br>
+static char *<br>
+ngx_openssl_provider(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)<br>
+{<br>
+#ifdef OPENSSL_PROVIDER_SUPPORT<br>
+ ngx_str_t *value = cf->args->elts;<br>
+<br>
+ if (OSSL_PROVIDER_load(NULL, (char *)value[1].data) == NULL) {<br>
+ ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,<br>
+ "OSSL_PROVIDER_load(\"%V\") failed", &value[1]);<br>
+ return NGX_CONF_ERROR;<br>
+ }<br>
+<br>
+ return NGX_CONF_OK;<br>
+<br>
+#else<br>
+<br>
+ return "is not supported";<br>
+<br>
+#endif<br>
+}<br>
<br>
static void<br>
ngx_openssl_exit(ngx_cycle_t *cycle)<br>
diff -r cffaf3f2eec8 -r 8cb34ae16de2 src/event/ngx_event_openssl.h<br>
--- a/src/event/ngx_event_openssl.h Thu Feb 02 23:38:48 2023 +0300<br>
+++ b/src/event/ngx_event_openssl.h Sat Mar 04 16:20:59 2023 -0800<br>
@@ -28,6 +28,10 @@<br>
#ifndef OPENSSL_NO_OCSP<br>
#include <openssl/ocsp.h><br>
#endif<br>
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)<br>
+#include <openssl/provider.h><br>
+#define OPENSSL_PROVIDER_SUPPORT<br>
+#endif<br>
#include <openssl/rand.h><br>
#include <openssl/x509.h><br>
#include <openssl/x509v3.h><br>
_______________________________________________<br>
nginx-devel mailing list<br>
<a href="mailto:nginx-devel@nginx.org" target="_blank" rel="noreferrer">nginx-devel@nginx.org</a><br>
<a href="https://mailman.nginx.org/mailman/listinfo/nginx-devel" rel="noreferrer noreferrer" target="_blank">https://mailman.nginx.org/mailman/listinfo/nginx-devel</a><br>
</blockquote></div>