RFC: PolarSSL support.
Yawning Angel
yawning at schwanenlied.me
Sat Feb 16 12:16:32 UTC 2013
Hello,
In my (regrettably) copious spare time I have been working on adding
support for PolarSSL[0] as an alternative to OpenSSL. I'm getting close
to the point where I am comfortable with the code and would like to see
if there is interest from the community and developers for this option.
What I have so far:
* src/event/ngx_event_polarssl.[h,c] (and some kludges to the build
system so I can test my code).
* Works inasmuch as a webserver compiled with my code can serve
https (still needs more testing and code review).
What needs to be done before it's usable:
* Need to implement ngx_ssl_trusted_certificate, just haven't gotten
around to it yet.
* Need to write implementations for ngx_ssl_get_session (and
ngx_ssl_free_session) so that ngx_http_upstream_round_robin works
again. This should be relatively easy but I need to figure out how
the module in question expects these to behave (The OpenSSL versions
are #defines to OpenSSL routines and PolarSSL's internal behavior is
reasonably different here).
* Logging related cleanup.
* PolarSSL supports SNI, but in the interest of keeping my changes
self-contained (currently no functional changes to the nginx code
apart from the addition of my module), I haven't implemented that
yet because it requires modifying the http SSL module.
* Need to figure out the nginx build system properly and integrate
building with PolarSSL properly.
* Need to see if the mail protocol support works.
What I'd like to do after the first revision:
* A few of the modules call OpenSSL routines (e.g.
SSL_CTX_set_cipher_list, X509_verify_cert_error_string). Currently
I provide wrappers for those routines in ngx_event_polarssl.c but
they should be abstracted to ngx_ functions (e.g.
ngx_set_cipher_list).
* I haven't gotten around to making ngx_md5 and ngx_sha1 use PolarSSL
yet. Would be trivial once my module is properly integrated into
the build system.
This post is mostly just trying to see if people would find this a
useful addition before I start on ticking items off the list.
Regards,
--
Yawning Angel
[0]: http://www.polarssl.org