Add support for PSK cipher suites patch

Sékine Coulibaly scoulibaly at gmail.com
Fri Jan 26 08:54:01 UTC 2018


Nate,

In the meanwhile I followed the thread and actually found your revised
patches. I was able to apply them successfully.

I realised I didn't run configure with the --with-http-ssl flag (since I
don't use http) when building nginx. This explains why the ssl_psk_file was
not recognized. After building the http module, the parameter was recognized
properly.

However, since I use stream and not http, I'll not be able to test this
patch since it only works for the ssl http module.

Regarding the PSK, in a DTLS use case I prefer loading the PSK file on
startup in an in-memory store, for example. Then, if some keys are to be
changed while the server is running, the in-memory store is refreshed
without stopping the server (think SIGHUP or reload). This avoids all
clients being disconnected when the server is restarted to reload the PSK
file.

Should any progress be made on this for the stream module, I'll be able to
give it a try.

Thank you!
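
The reload-in-memory design described above (Nate's approach 2 of a master process reading the file once, combined with a refresh on SIGHUP so clients are not disconnected) is sketched below as an added example; it is not code from nginx or from the patch under discussion. The PSK file format (one `identity:hex-key` per line) is an assumption, since the thread does not define it, and the Python `PskStore` class, `parse_psk_file` and `demo` are illustrative names. The store validates the whole file before swapping the key map, so a malformed file leaves the previous keys in service, and it compares keys in constant time.

```python
"""In-memory PSK store with hot reload: an added illustration, not nginx code."""
import hmac
import os
import signal
import stat
import tempfile
import threading


def parse_psk_file(text):
    """Assumed file format (not defined in the thread): one 'identity:hex-key'
    per line; blank lines and '#' comments are ignored. Everything is validated
    before returning so a bad file never half-replaces the keys in service."""
    keys = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        identity, sep, hexkey = line.partition(":")
        if not sep or not identity or not hexkey:
            raise ValueError(f"line {lineno}: expected identity:hexkey")
        try:
            key = bytes.fromhex(hexkey)
        except ValueError:
            raise ValueError(f"line {lineno}: key is not hex") from None
        if len(key) < 16:
            raise ValueError(f"line {lineno}: key shorter than 128 bits")
        if identity in keys:
            raise ValueError(f"line {lineno}: duplicate identity {identity!r}")
        keys[identity] = key
    return keys


class PskStore:
    """Keys are read into memory once (approach 2 in the thread) and swapped as
    a whole on reload, so listeners stay up and clients are not disconnected."""

    def __init__(self, path):
        self.path = path
        self._lock = threading.Lock()
        self._keys = {}
        self.reload()

    def check_permissions(self):
        """True when only the file owner (e.g. root, mode 0600) can read it."""
        mode = stat.S_IMODE(os.stat(self.path).st_mode)
        return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0

    def reload(self):
        """Parse fully, then replace the map atomically; on a parse error the
        previous keys remain in service. Returns the number of keys loaded."""
        with open(self.path, "r", encoding="utf-8") as f:
            new_keys = parse_psk_file(f.read())
        with self._lock:
            self._keys = new_keys
        return len(new_keys)

    def install_sighup(self):
        """Reload on SIGHUP instead of restarting the server (Unix only)."""
        signal.signal(signal.SIGHUP, lambda *_: self.reload())

    def verify(self, identity, candidate):
        """Constant-time comparison against the key stored for this identity."""
        with self._lock:
            key = self._keys.get(identity)
        return key is not None and hmac.compare_digest(key, candidate)


def demo():
    """Constructed sample: load a file, rotate a key on disk, reload, then show
    that a malformed file is rejected without dropping the keys in service."""
    k1, k1new = "00112233445566778899aabbccddeeff", "ffeeddccbbaa99887766554433221100"
    k2 = "0f1e2d3c4b5a69788796a5b4c3d2e1f0"
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "cred.txt")  # stand-in for the /tmp/cred.txt above
        with open(path, "w", encoding="utf-8") as f:
            f.write(f"# constructed sample\nclient1:{k1}\n")
        os.chmod(path, 0o600)
        store = PskStore(path)
        results["owner_only"] = store.check_permissions()
        results["before"] = store.verify("client1", bytes.fromhex(k1))
        with open(path, "w", encoding="utf-8") as f:  # rotate client1, add client2
            f.write(f"client1:{k1new}\nclient2:{k2}\n")
        results["loaded"] = store.reload()
        results["old_rejected"] = not store.verify("client1", bytes.fromhex(k1))
        results["new_accepted"] = store.verify("client1", bytes.fromhex(k1new))
        results["unknown_rejected"] = not store.verify("nobody", b"x" * 16)
        with open(path, "w", encoding="utf-8") as f:  # now a broken file
            f.write("client1:not-hex\n")
        try:
            store.reload()
            results["bad_file_rejected"] = False
        except ValueError:
            results["bad_file_rejected"] = True
        results["still_serving"] = store.verify("client2", bytes.fromhex(k2))
    return results


if __name__ == "__main__":
    print(demo())
```

Because the master process reads the file before workers are forked, the file can stay readable by root alone, which is the permission benefit Nate attributes to approach 2; the reload hook recovers the flexibility of approach 1 without restarting listeners.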


2018-01-26 5:14 GMT+01:00 Karstens, Nate <Nate.Karstens at garmin.com>:

> Sékine,
>
> The link you sent is old, the latest set of patches is here:
>
> http://mailman.nginx.org/pipermail/nginx-devel/2017-September/010460.html
>
> Does that improve things?
>
> These were developed using TLS, not DTLS. I don’t have any experience with
> DTLS, so that might be unrelated.
>
> One of the conversations we had earlier in the development process was
> choosing between two different approaches to managing the PSK file:
>
>    1. The PSK file may be updated as needed (so it must be readable by
>    the worker threads). This is the approach used with the current patches.
>    2. The PSK file is read into memory once at startup by the master
>    process. This allows the file permissions to be read only for root, but
>    requires the config file to be refreshed if the PSK file is changed.
>
> Would you mind providing feedback on which approach works better for your
> environment, and why? Sending it to the mailing list is preferred, or you
> can just reply to this email.
>
> Thanks,
>
> Nate
>
> *From:* Sékine Coulibaly [mailto:scoulibaly at gmail.com]
> *Sent:* Thursday, January 25, 2018 10:23 AM
> *To:* Karstens, Nate <Nate.Karstens at garmin.com>; mdounin at mdounin.ru
> *Subject:* Fwd: Add support for PSK cipher suites patch
>
> ---------- Forwarded message ----------
> From: *Sékine Coulibaly* <scoulibaly at gmail.com>
> Date: 2018-01-25 17:07 GMT+01:00
> Subject: Add support for PSK cipher suites patch
> To: nginx at nginx.org
>
> Nate, Maxim,
>
> I found a patch here (http://mailman.nginx.org/pipermail/nginx-devel/2017-September/010449.html) regarding the PSK support in Nginx. I can not make the new parameter ssl_psk_file work.
>
> I applied it to release-1.13.5 successfully.
>
> I updated my nginx.conf to
>
> stream {
>   upstream dtls_udp_upstreams {
>     hash $remote_addr:$remote_port;
>     server preprod.mycorp.com:5685;
>   }
>
>   server {
>     listen 5684 udp ssl;
>     ssl_protocols DTLSv1.2;
>     ssl_ciphers PSK-AES128-CBC-SHA;
>     ssl_psk_file /tmp/cred.txt;
>     ssl_certificate /tmp/server.pem;
>     ssl_certificate_key /tmp/server.key;
>     proxy_pass dtls_udp_upstreams;
>   }
> }
>
> My issue is that although /tmp/cred.txt file exists, Nginx returns :
>
> nginx: [emerg] unknown directive "ssl_psk_file" in /tmp/nginx.conf:26.
>
> I checked the source files, it looks like the patch has been correctly applied.
>
> Would you mind posting the complete/corrected patch I could apply and test ?
>
> I'm using a DTLS client with a PSK load balancer and could experiment with the setup.
>
>
> My patching application looks like:
>
> git checkout release-1.13.5
> patch -p1 -i pskpatch.diff
>
> Thank you!