[PATCH] Enable SSL_OP_PRIORITIZE_CHACHA for server-side SSL contexts

Maxim Dounin mdounin at mdounin.ru
Mon May 6 13:22:53 UTC 2019


On Sat, May 04, 2019 at 03:18:12AM +0200, Pascal Ernster wrote:

> [2019-05-04 02:37] Maxim Dounin:
> > Thank you for the patch.
> > See comments here:
> > 
> > https://trac.nginx.org/nginx/ticket/1445
> > 
> In the first comment on that ticket, you write
> > At most, we can consider a generic interface to set various OpenSSL options.
> Would there be a realistic chance of you accepting a patch that simply
> exposes OpenSSL's SSL_CONF_cmd() through the nginx config file(s)?
> It would of course do the obvious basic checks using
> SSL_CONF_cmd_value_type() like
> "Does the requested option exist in OpenSSL?",
> "If a file/directory was specified, does it exist and is it readable?",
> "If a relative file/directory was specified, prepend the nginx
> configuration directory path to the string.",
> and would of course check the return value of SSL_CONF_cmd() itself, but
> it would *not* try to do anything further like "Prevent the user from
> overriding settings made through other nginx configuration directives".
> Since I'm not too experienced in writing C code, it would be quite a bit
> of work for me, so I'd like to know beforehand if it would be worth the
> effort at all, or if you'd reject the patch anyhow.

As of now, such an option is considered.  But whether a 
patch will be accepted or not heavily depends on the patch quality 
and overall simplicity of the interface involved.

Note well that what your original patch does - that is, preferring 
ChaCha without any user-configurable options - can be easily 
achieved by using appropriate system-wide OpenSSL config.  If 
unsure, you may consider this approach instead.

Maxim Dounin
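The system-wide OpenSSL config approach mentioned above, as an added example that is not part of the original thread: an openssl.cnf fragment (OpenSSL 1.1.1 or later, where the PrioritizeChaCha option exists) that sets the option in the system_default section applied to every SSL_CTX_new() call; the file path and section names are assumptions, not taken from the post.

```ini
# Assumed location: the system openssl.cnf (e.g. /etc/ssl/openssl.cnf);
# the "openssl_conf" key must be in the default (unnamed) section.
openssl_conf = default_conf

[default_conf]
# Load the ssl_conf module so system_default settings apply to every
# SSL_CTX created by a process that initialises OpenSSL with config loading.
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
# Equivalent of SSL_OP_PRIORITIZE_CHACHA: when the client lists a ChaCha20
# cipher first, the server moves its ChaCha20 ciphers to the top. It only
# changes anything when the server's own cipher preference is in use
# (in nginx: ssl_prefer_server_ciphers on).
Options = PrioritizeChaCha
```

Because nginx applies its own ssl_* directives after SSL_CTX_new(), settings it manages explicitly (ciphers, protocols, server preference) still come from nginx.conf; only options nginx never touches, such as this one, survive from the system default.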
