Adding OpenSSL ciphersuites at compile time

Thomas Ward teward at dark-net.net
Thu Apr 5 15:56:07 UTC 2018


If I remember correctly, the available cipher suites to NGINX are based
on what's compiled into the underlying SSL libraries that NGINX builds
against.  So if the underlying OpenSSL has access to ChaCha ciphers in
its ciphers that're compiled into it, then NGINX can utilize those
ChaCha ciphers.

I don't believe there are explicit NGINX compile-time configuration
options to enable ciphers at runtime, as this is dependent on the
OpenSSL libraries statically built into your binaries, and therefore
whatever OpenSSL cipher suites are enabled in it.  You can then
enable/disable the individual ciphers to be 'offered' by NGINX via the
`ssl_ciphers` configuration parameter [1] to use ciphers that might not
be in the default cipherstring (which is "HIGH:!aNULL:!MD5" for
reference); this is the 'standard' way to define what cipher
suites should/shouldn't be used for SSL in the nginx instance when it's
running and serving SSL connections.

Consider, though, that any ciphers you put in the cipherstring will only
be usable if the underlying SSL libraries (statically compiled in or
not) support those ciphers that are defined in the cipher string.


Thomas


[1]: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers
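The two checks that follow from the answer above, as an added example that is not code from the thread: what OpenSSL the nginx binary reports it was built with, and what a given `ssl_ciphers` string actually expands to with that library (so a suite family such as ChaCha20 is only counted if the linked OpenSSL knows it). `NGINX_BIN`, `OPENSSL_BIN` and the sample suite list are assumptions for the illustration.

```sh
#!/bin/sh
# Added example; not code from the thread. Assumes NGINX_BIN/OPENSSL_BIN
# point at the nginx binary and the openssl built from the tree passed
# to --with-openssl (the system openssl is used otherwise).

# Print the OpenSSL version string nginx reports it was built with
# (nginx -V writes "built with OpenSSL 1.1.0g ..." to stderr).
nginx_openssl_version() {
    "${NGINX_BIN:-nginx}" -V 2>&1 | sed -n 's/^built with \(OpenSSL [^ ]*\).*/\1/p'
}

# Expand an OpenSSL cipher string into the concrete suites it selects,
# one per line, by the same rules nginx applies to ssl_ciphers.
# Prints nothing if the string selects no suite known to that library.
expand_ciphers() {
    "${OPENSSL_BIN:-openssl}" ciphers "$1" 2>/dev/null | tr ':' '\n'
}

# Count the lines of a newline-separated suite list whose names match a
# case-insensitive pattern such as CHACHA20 or ECDHE-ECDSA.
count_matching() {
    n=$(printf '%s\n' "$1" | grep -ci -- "$2") || n=0
    echo "$n"
}

# Succeed only if the cipher string yields at least one ChaCha20 suite
# from the library OPENSSL_BIN points at.
chacha_offered() {
    list=$(expand_ciphers "$1")
    [ -n "$list" ] || return 1
    [ "$(count_matching "$list" CHACHA20)" -gt 0 ]
}

# Constructed sample of expand_ciphers output, used for the offline demo.
SAMPLE_SUITES='ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256'

# Typical use against a real build, with nginx's default cipherstring:
#   nginx_openssl_version
#   chacha_offered 'HIGH:!aNULL:!MD5' && echo "ChaCha20 will be offered"
echo "sample list: $(count_matching "$SAMPLE_SUITES" CHACHA20) ChaCha20 suites"
```

If `chacha_offered` fails for a string that names ChaCha20 suites explicitly, the library behind `OPENSSL_BIN` was built without them, which is exactly the case the reply warns about.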


On 04/05/2018 11:35 AM, Neil Craig wrote:
> Hi
>
> I build a customised nginx binary for my project, this is statically
> compiled against openssl (via --with-openssl). Does anyone know if it’s
> possible to add a configure option to enable specific ciphersuites?
> The OpenSSL docs are here:
>
> https://wiki.openssl.org/index.php/Compilation_and_Installation
>
> And these say that you can set a configure option of
> “enable-<ciphersuite>” if compiling OpenSSL directly. Is there some
> way I can tell the nginx build to do that?
>
> Cheers
> Neil
>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
