nginx and ephemeral Diffie-Hellman keys
Igor Sysoev
is at rambler-co.ru
Fri Jun 13 18:53:21 MSD 2008
On Fri, Jun 13, 2008 at 06:06:37PM +0400, Igor Sysoev wrote:
> On Fri, Jun 13, 2008 at 01:52:35PM +0200, Jauder Ho wrote:
>
> > Thanks much! I just applied the patch (to 0.7.1) and tried it out. The
> > patch works as expected and supports both strong prime and DSA style DH
> > keys.
> >
> > For the record, the DH keys were generated with the following commands
> > (with the dsaparam being more efficient but less secure. see dhparam man
> > page).
> >
> > openssl dhparam -out dh1024.pem -5 1024
> > openssl dhparam -dsaparam -out dh1024dsa.pem -5 1024
>
> I'm going to use some hardcoded pregenerated DH parameters (as Apache does)
> and allow to override them using the ssl_dhparam directive.
Here is updated patch.
> > Igor Sysoev wrote:
> >
> > >
> > > nginx does not support DH keys.
> > > The attached patch adds ssl_dhparam directive:
> > >
> > > ssl_dhparam /path/to/PEM_DHparam;
--
Igor Sysoev
http://sysoev.ru/en/
-------------- next part --------------
Index: src/http/modules/ngx_http_ssl_module.c
===================================================================
--- src/http/modules/ngx_http_ssl_module.c (revision 1362)
+++ src/http/modules/ngx_http_ssl_module.c (working copy)
@@ -72,6 +72,13 @@
offsetof(ngx_http_ssl_srv_conf_t, certificate_key),
NULL },
+ { ngx_string("ssl_dhparam"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ offsetof(ngx_http_ssl_srv_conf_t, dhparam),
+ NULL },
+
{ ngx_string("ssl_protocols"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE,
ngx_conf_set_bitmask_slot,
@@ -287,12 +294,10 @@
* set by ngx_pcalloc():
*
* sscf->protocols = 0;
- * sscf->certificate.len = 0;
- * sscf->certificate.data = NULL;
- * sscf->certificate_key.len = 0;
- * sscf->certificate_key.data = NULL;
- * sscf->client_certificate.len = 0;
- * sscf->client_certificate.data = NULL;
+ * sscf->certificate = { 0, NULL };
+ * sscf->certificate_key = { 0, NULL };
+ * sscf->dhparam = { 0, NULL };
+ * sscf->client_certificate = { 0, NULL };
* sscf->ciphers.len = 0;
* sscf->ciphers.data = NULL;
* sscf->shm_zone = NULL;
@@ -342,6 +347,8 @@
ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key,
NGX_DEFLAUT_CERTIFICATE_KEY);
+ ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
+
ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate,
"");
@@ -409,6 +416,10 @@
#endif
+ if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
+ return NGX_CONF_ERROR;
+ }
+
/* a temporary 512-bit RSA key is required for export versions of MSIE */
if (ngx_ssl_generate_rsa512_key(&conf->ssl) != NGX_OK) {
return NGX_CONF_ERROR;
Index: src/http/modules/ngx_http_ssl_module.h
===================================================================
--- src/http/modules/ngx_http_ssl_module.h (revision 1362)
+++ src/http/modules/ngx_http_ssl_module.h (working copy)
@@ -31,6 +31,7 @@
ngx_str_t certificate;
ngx_str_t certificate_key;
+ ngx_str_t dhparam;
ngx_str_t client_certificate;
ngx_str_t ciphers;
Index: src/event/ngx_event_openssl.c
===================================================================
--- src/event/ngx_event_openssl.c (revision 1362)
+++ src/event/ngx_event_openssl.c (working copy)
@@ -182,6 +182,7 @@
SSL_CTX_set_options(ssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
#endif
+ SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
if (ngx_ssl_protocols[protocols >> 1] != 0) {
SSL_CTX_set_options(ssl->ctx, ngx_ssl_protocols[protocols >> 1]);
@@ -352,6 +353,89 @@
ngx_int_t
+ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
+{
+ DH *dh;
+ BIO *bio;
+
+ /*
+ * -----BEGIN DH PARAMETERS-----
+ * MIGHAoGBALu8LcrYRnSQfEP89YDpz9vZWKP1aLQtSwju1OsPs1BMbAMCducQgAxc
+ * y7qokiYUxb7spWWl/fHSh6K8BJvmd4Bg6RqSp1fjBI9osHb302zI8pul34HcLKcl
+ * 7OZicMyaUDXYzs7vnqAnSmOrHlj6/UmI0PZdFGdX2gcd8EXP4WubAgEC
+ * -----END DH PARAMETERS-----
+ */
+
+ static unsigned char dh1024_p[] = {
+ 0xBB, 0xBC, 0x2D, 0xCA, 0xD8, 0x46, 0x74, 0x90, 0x7C, 0x43, 0xFC, 0xF5,
+ 0x80, 0xE9, 0xCF, 0xDB, 0xD9, 0x58, 0xA3, 0xF5, 0x68, 0xB4, 0x2D, 0x4B,
+ 0x08, 0xEE, 0xD4, 0xEB, 0x0F, 0xB3, 0x50, 0x4C, 0x6C, 0x03, 0x02, 0x76,
+ 0xE7, 0x10, 0x80, 0x0C, 0x5C, 0xCB, 0xBA, 0xA8, 0x92, 0x26, 0x14, 0xC5,
+ 0xBE, 0xEC, 0xA5, 0x65, 0xA5, 0xFD, 0xF1, 0xD2, 0x87, 0xA2, 0xBC, 0x04,
+ 0x9B, 0xE6, 0x77, 0x80, 0x60, 0xE9, 0x1A, 0x92, 0xA7, 0x57, 0xE3, 0x04,
+ 0x8F, 0x68, 0xB0, 0x76, 0xF7, 0xD3, 0x6C, 0xC8, 0xF2, 0x9B, 0xA5, 0xDF,
+ 0x81, 0xDC, 0x2C, 0xA7, 0x25, 0xEC, 0xE6, 0x62, 0x70, 0xCC, 0x9A, 0x50,
+ 0x35, 0xD8, 0xCE, 0xCE, 0xEF, 0x9E, 0xA0, 0x27, 0x4A, 0x63, 0xAB, 0x1E,
+ 0x58, 0xFA, 0xFD, 0x49, 0x88, 0xD0, 0xF6, 0x5D, 0x14, 0x67, 0x57, 0xDA,
+ 0x07, 0x1D, 0xF0, 0x45, 0xCF, 0xE1, 0x6B, 0x9B
+ };
+
+ static unsigned char dh1024_g[] = { 0x02 };
+
+
+ if (file->len == 0) {
+
+ dh = DH_new();
+ if (dh == NULL) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "DH_new() failed");
+ return NGX_ERROR;
+ }
+
+ dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
+ dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
+
+ if (dh->p == NULL || dh->g == NULL) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "BN_bin2bn() failed");
+ DH_free(dh);
+ return NGX_ERROR;
+ }
+
+ SSL_CTX_set_tmp_dh(ssl->ctx, dh);
+
+ DH_free(dh);
+
+ return NGX_OK;
+ }
+
+ if (ngx_conf_full_name(cf->cycle, file, 1) == NGX_ERROR) {
+ return NGX_ERROR;
+ }
+
+ bio = BIO_new_file((char *) file->data, "r");
+ if (bio == NULL) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "BIO_new_file(\"%s\") failed", file->data);
+ return NGX_ERROR;
+ }
+
+ dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
+ if (dh == NULL) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "PEM_read_bio_DHparams(\"%s\") failed", file->data);
+ BIO_free(bio);
+ return NGX_ERROR;
+ }
+
+ SSL_CTX_set_tmp_dh(ssl->ctx, dh);
+
+ DH_free(dh);
+ BIO_free(bio);
+
+ return NGX_OK;
+}
+
+
+ngx_int_t
ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags)
{
ngx_ssl_connection_t *sc;
Index: src/event/ngx_event_openssl.h
===================================================================
--- src/event/ngx_event_openssl.h (revision 1362)
+++ src/event/ngx_event_openssl.h (working copy)
@@ -101,6 +101,7 @@
ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_str_t *cert, ngx_int_t depth);
ngx_int_t ngx_ssl_generate_rsa512_key(ngx_ssl_t *ssl);
+ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout);
ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c,
Index: src/mail/ngx_mail_ssl_module.c
===================================================================
--- src/mail/ngx_mail_ssl_module.c (revision 1362)
+++ src/mail/ngx_mail_ssl_module.c (working copy)
@@ -76,6 +76,13 @@
offsetof(ngx_mail_ssl_conf_t, certificate_key),
NULL },
+ { ngx_string("ssl_dhparam"),
+ NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_MAIL_SRV_CONF_OFFSET,
+ offsetof(ngx_mail_ssl_conf_t, dhparam),
+ NULL },
+
{ ngx_string("ssl_protocols"),
NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_1MORE,
ngx_conf_set_bitmask_slot,
@@ -163,10 +170,9 @@
* set by ngx_pcalloc():
*
* scf->protocols = 0;
- * scf->certificate.len = 0;
- * scf->certificate.data = NULL;
- * scf->certificate_key.len = 0;
- * scf->certificate_key.data = NULL;
+ * scf->certificate = { 0, NULL };
+ * scf->certificate_key = { 0, NULL };
+ * scf->dhparam = { 0, NULL };
* scf->ciphers.len = 0;
* scf->ciphers.data = NULL;
* scf->shm_zone = NULL;
@@ -213,6 +219,8 @@
ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key,
NGX_DEFLAUT_CERTIFICATE_KEY);
+ ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
+
ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFLAUT_CIPHERS);
@@ -256,6 +264,10 @@
#endif
+ if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
+ return NGX_CONF_ERROR;
+ }
+
if (ngx_ssl_generate_rsa512_key(&conf->ssl) != NGX_OK) {
return NGX_CONF_ERROR;
}
Index: src/mail/ngx_mail_ssl_module.h
===================================================================
--- src/mail/ngx_mail_ssl_module.h (revision 1362)
+++ src/mail/ngx_mail_ssl_module.h (working copy)
@@ -34,6 +34,7 @@
ngx_str_t certificate;
ngx_str_t certificate_key;
+ ngx_str_t dhparam;
ngx_str_t ciphers;
More information about the nginx
mailing list