RFC: PolarSSL support.

Yawning Angel yawning at schwanenlied.me
Sun Feb 17 13:21:33 UTC 2013


Hello,

The diff containing my first pass implementation is available at:
http://www.schwanenlied.me/yawning/nginx/nginx-1.3.12-polarssl-20130217.diff.gz

Behavioral differences:
 * ssl_ciphers_list format is different, though it will accept the
   default cipher list setting ("HIGH:!aNULL:!MD5").
   For testing purposes I used:
"TLS-RSA-WITH-RC4-128-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256:TLS-RSA-WITH-AES-256-CBC-SHA256:TLS-RSA-WITH-AES-256-GCM-SHA384:TLS-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA".
 * ssl_prefer_server_ciphers does not do anything.
 * I intentionally did not implement support for PolarSSL's builtin
   session cache because it's not very good (it's a linked list).
   shared and none should work.
 * SSLv2 is not supported by PolarSSL and will never be.
 * ECDH is not supported by PolarSSL yet but it is on their roadmap.
 * Stapling is not supported by PolarSSL.  Not sure if it will be.

Known issues:
 * When building with the PolarSSL source directory specified via
   --with-polarssl=[path], the make used needs to be GNU make, because
   PolarSSL ships with GNU make files.
 * ngx_http_upstream_roundrobin will not do SSL session reuse, since I
   intended for the patch to be minimally intrusive.  It's possible to
   re-add this functionality, with changes to the module.
 * My auto integration does not have support for building on non-U*ix
   systems, because I do not have a Windows development environment
   set up (PolarSSL supports the platform, however).
 * SNI does not work because I haven't gone and written it yet.
 * Clients that send an SSLv2 Client Hello will fail to handshake
   (PolarSSL issue.  They used to support this backward compatibility
   option, but support for it was pulled in v1.2.0; I posted on their
   support forums asking about this).
 * ngx_md5 and ngx_sha1 integration is still not done, so on some
   systems[0] this may try to link against OpenSSL and have the compile
   or link fail.  This is a build system issue and not a code issue.

I haven't tested the client functionality (proxy modules) or mail, but I
have no reason to expect that it shouldn't just work.

Most of the code is shamelessly cribbed from ngx_event_openssl.[h,c], so
I feel good about most of the code.  The auto stuff wasn't all that
documented so I'm not sure if I did it right (and it still needs work).

Thoughts, comments, feedback appreciated.

Regards,

-- 
Yawning Angel

[0]: I did the development on FreeBSD which has system MD5 and SHA1.
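Added here as an illustration, not part of the post or of the patch: a small Python audit of the PolarSSL-style ssl_ciphers list quoted above, showing that PolarSSL suite names are fully explicit and that OpenSSL-style directives such as "HIGH:!aNULL:!MD5" are not suite names at all. The name pattern is an assumption inferred from the suites listed, not PolarSSL's full grammar.

```python
import re

# Constructed sample: the PolarSSL-style ssl_ciphers list quoted in the post.
TEST_CIPHER_LIST = (
    "TLS-RSA-WITH-RC4-128-SHA:"
    "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256:"
    "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:"
    "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:"
    "TLS-DHE-RSA-WITH-AES-256-CBC-SHA:"
    "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256:"
    "TLS-RSA-WITH-AES-256-CBC-SHA256:"
    "TLS-RSA-WITH-AES-256-GCM-SHA384:"
    "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA:"
    "TLS-RSA-WITH-AES-256-CBC-SHA"
)

# Assumed pattern: PolarSSL names every suite as TLS-<kex>-WITH-<cipher>-<mac>.
# There are no OpenSSL-style aliases (HIGH) or exclusions (!aNULL) to expand.
SUITE_RE = re.compile(
    r"^TLS-(?P<kex>DHE-RSA|RSA)-WITH-(?P<cipher>.+)-(?P<mac>MD5|SHA|SHA256|SHA384)$"
)

def parse_suite(name):
    """Return {'kex', 'cipher', 'mac'} for a PolarSSL suite name, or None."""
    m = SUITE_RE.match(name)
    return m.groupdict() if m else None

def audit_cipher_list(spec):
    """Split a colon-separated PolarSSL list and report what a reviewer wants:
    unparsable tokens, suites without forward secrecy (plain RSA key exchange),
    and suites using RC4 or an MD5 MAC."""
    report = {"suites": [], "unparsable": [], "no_pfs": [], "weak": []}
    for token in filter(None, spec.split(":")):
        parsed = parse_suite(token)
        if parsed is None:
            report["unparsable"].append(token)
            continue
        report["suites"].append(token)
        if parsed["kex"] == "RSA":
            report["no_pfs"].append(token)
        if parsed["cipher"].startswith("RC4") or parsed["mac"] == "MD5":
            report["weak"].append(token)
    return report

if __name__ == "__main__":
    r = audit_cipher_list(TEST_CIPHER_LIST)
    print(f"{len(r['suites'])} suites, {len(r['no_pfs'])} without PFS, weak: {r['weak']}")
    # OpenSSL-style directives are not PolarSSL suite names and do not parse.
    print(audit_cipher_list("HIGH:!aNULL:!MD5")["unparsable"])
```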
