nginx and ephemeral Diffie-Hellman keys

Igor Sysoev is at rambler-co.ru
Fri Jun 13 14:51:09 MSD 2008


On Fri, Jun 13, 2008 at 04:54:45AM +0200, Jauder Ho wrote:

> I've been fighting with this all day, so hopefully someone can help shed
> some light.
> 
> I have a site configured to use SSL and it currently does successfully
> negotiate SSL. However, I am not able for the life of me to get nginx to
> offer up DH keys/ciphers.
> 
> What I am able to get negotiated is AES256-SHA. What I would like to be
> able to see is DHE-RSA-AES256-SHA
> 
> The following is what I have set currently.
> 
>     ssl_prefer_server_ciphers on;
>     ssl_protocols SSLv3 TLSv1;
> 
>     # Set the ciphers to use. See
> http://infinitesecond.blogspot.com/2008/03/recommended-sslciphersuite.html
>     ssl_ciphers
> DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
> 
> Using http://www.serversniff.net/sslcheck.php and vurbu.com:443, it
> looks like only RSA key exchanges are successful.
> 
> I have concatenated the DH params to the certificate with no effect.
> dhparams was created with the following command
> 
>   openssl dhparam -dsaparam -out dh1024dsa.pem -5 1024
> 
> Also looking at the nginx error log files, I see a lot of
> 
>   SSL23_GET_CLIENT_HELLO:unknown protocol
>   SSL3_GET_CLIENT_HELLO:no shared cipher
> 
> yet the odd thing is I am able to successfully access https://vurbu.com/
> 
> nginx was compiled using the following flags.
> 
>   ~/src/nginx-0.7.1$ ./configure --with-http_ssl_module
> --add-module=../nginx-upstream-fair/ --with-http_gzip_static_module
> 
> Any suggestions would be welcome.

nginx does not support DH keys: it never loads DH parameters into the
SSL context, so OpenSSL cannot offer the DHE cipher suites, and appending
the parameters to the certificate file has no effect.
The attached patch adds an ssl_dhparam directive:

      ssl_dhparam   /path/to/PEM_DHparam;


-- 
Igor Sysoev
http://sysoev.ru/en/
-------------- next part --------------
Index: src/http/modules/ngx_http_ssl_module.c
===================================================================
--- src/http/modules/ngx_http_ssl_module.c	(revision 1362)
+++ src/http/modules/ngx_http_ssl_module.c	(working copy)
@@ -72,6 +72,13 @@
       offsetof(ngx_http_ssl_srv_conf_t, certificate_key),
       NULL },
 
+    { ngx_string("ssl_dhparam"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_str_slot,
+      NGX_HTTP_SRV_CONF_OFFSET,
+      offsetof(ngx_http_ssl_srv_conf_t, dhparam),
+      NULL },
+
     { ngx_string("ssl_protocols"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE,
       ngx_conf_set_bitmask_slot,
@@ -287,12 +294,10 @@
      * set by ngx_pcalloc():
      *
      *     sscf->protocols = 0;
-     *     sscf->certificate.len = 0;
-     *     sscf->certificate.data = NULL;
-     *     sscf->certificate_key.len = 0;
-     *     sscf->certificate_key.data = NULL;
-     *     sscf->client_certificate.len = 0;
-     *     sscf->client_certificate.data = NULL;
+     *     sscf->certificate = { 0, NULL };
+     *     sscf->certificate_key = { 0, NULL };
+     *     sscf->dhparam = { 0, NULL };
+     *     sscf->client_certificate = { 0, NULL };
      *     sscf->ciphers.len = 0;
      *     sscf->ciphers.data = NULL;
      *     sscf->shm_zone = NULL;
@@ -342,6 +347,8 @@
     ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key,
                          NGX_DEFLAUT_CERTIFICATE_KEY);
 
+    ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
+
     ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate,
                          "");
 
@@ -409,6 +416,10 @@
 
 #endif
 
+    if (ngx_ssl_dh1024_param(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
+        return NGX_CONF_ERROR;
+    }
+
     /* a temporary 512-bit RSA key is required for export versions of MSIE */
     if (ngx_ssl_generate_rsa512_key(&conf->ssl) != NGX_OK) {
         return NGX_CONF_ERROR;
Index: src/http/modules/ngx_http_ssl_module.h
===================================================================
--- src/http/modules/ngx_http_ssl_module.h	(revision 1362)
+++ src/http/modules/ngx_http_ssl_module.h	(working copy)
@@ -31,6 +31,7 @@
 
     ngx_str_t                       certificate;
     ngx_str_t                       certificate_key;
+    ngx_str_t                       dhparam;
     ngx_str_t                       client_certificate;
 
     ngx_str_t                       ciphers;
Index: src/event/ngx_event_openssl.c
===================================================================
--- src/event/ngx_event_openssl.c	(revision 1362)
+++ src/event/ngx_event_openssl.c	(working copy)
@@ -352,6 +352,40 @@
 
 
 ngx_int_t
+ngx_ssl_dh1024_param(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
+{
+    DH   *dh;
+    BIO  *bio;
+
+    if (file->len == 0) {
+        return NGX_OK;
+    }
+
+    if (ngx_conf_full_name(cf->cycle, file, 1) == NGX_ERROR) {
+        return NGX_ERROR;
+    }
+
+    bio = BIO_new_file((char *) file->data, "r");
+    if (bio == NULL) {
+        return NGX_ERROR;
+    }
+
+    dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
+    if (dh == NULL) {
+        BIO_free(bio);
+        return NGX_ERROR;
+    }
+
+    SSL_CTX_set_tmp_dh(ssl->ctx, dh);
+
+    DH_free(dh);
+    BIO_free(bio);
+
+    return NGX_OK;
+}
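Review bot: The return value of SSL_CTX_set_tmp_dh() is discarded at `SSL_CTX_set_tmp_dh(ssl->ctx, dh);`, so a file that parses as PEM but holds parameters OpenSSL rejects still yields NGX_OK and the server keeps running without DHE; check it with `if (SSL_CTX_set_tmp_dh(ssl->ctx, dh) != 1) { DH_free(dh); BIO_free(bio); return NGX_ERROR; }`. The two existing failure paths (BIO_new_file() and PEM_read_bio_DHparams() returning NULL) likewise return NGX_ERROR without reporting which call failed or the offending file->data, so a mistyped ssl_dhparam path surfaces only as a generic configuration error; logging the failing call and file name before returning, as the certificate loader presumably does, would make it diagnosable. Separately, the parameters the poster generated with `-dsaparam` use a non-safe prime, for which the same ephemeral DH private key must not be reused across handshakes; unless ngx_ssl_create() already sets SSL_OP_SINGLE_DH_USE (not visible in this patch), it should be set alongside the tmp_dh call. The name ngx_ssl_dh1024_param is also misleading, since nothing in the function restricts the loaded parameters to 1024 bits.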
+
+
+ngx_int_t
 ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags)
 {
     ngx_ssl_connection_t  *sc;
Index: src/event/ngx_event_openssl.h
===================================================================
--- src/event/ngx_event_openssl.h	(revision 1362)
+++ src/event/ngx_event_openssl.h	(working copy)
@@ -101,6 +101,7 @@
 ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
     ngx_str_t *cert, ngx_int_t depth);
 ngx_int_t ngx_ssl_generate_rsa512_key(ngx_ssl_t *ssl);
+ngx_int_t ngx_ssl_dh1024_param(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
 ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
     ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout);
 ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c,

