[PATCH 1 of 2] SSL: support for TLSv1.3 certificate compression (RFC 8879)
Sergey Kandaurov
pluknet at nginx.com
Wed Apr 12 12:55:49 UTC 2023
# HG changeset patch
# User Sergey Kandaurov <pluknet at nginx.com>
# Date 1681304029 -14400
# Wed Apr 12 16:53:49 2023 +0400
# Node ID 06458cd5733cd2ffaa4e2d26d357524a0934a7eb
# Parent 5f1d05a21287ba0290dd3a17ad501595b442a194
SSL: support for TLSv1.3 certificate compression (RFC 8879).
Certificates are precompressed using the "ssl_certificate_compression"
directive, disabled by default. A negotiated certificate-compression
algorithm depends on the OpenSSL library builtin support.
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -847,6 +847,29 @@ ngx_ssl_password_callback(char *buf, int
ngx_int_t
+ngx_ssl_certificate_compression(ngx_conf_t *cf, ngx_ssl_t *ssl,
+ ngx_uint_t enable)
+{
+ if (!enable) {
+ return NGX_OK;
+ }
+
+#ifdef TLSEXT_comp_cert_none
+
+ if (SSL_CTX_compress_certs(ssl->ctx, 0)) {
+ return NGX_OK;
+ }
+
+#endif
+
+ ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
+ "\"ssl_certificate_compression\" ignored, not supported");
+
+ return NGX_OK;
+}
+
+
+ngx_int_t
ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
ngx_uint_t prefer_server_ciphers)
{
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -189,6 +189,8 @@ ngx_int_t ngx_ssl_certificate(ngx_conf_t
ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords);
ngx_int_t ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords);
+ngx_int_t ngx_ssl_certificate_compression(ngx_conf_t *cf, ngx_ssl_t *ssl,
+ ngx_uint_t enable);
ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
ngx_uint_t prefer_server_ciphers);
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -121,6 +121,13 @@ static ngx_command_t ngx_http_ssl_comma
0,
NULL },
+ { ngx_string("ssl_certificate_compression"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_flag_slot,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ offsetof(ngx_http_ssl_srv_conf_t, certificate_compression),
+ NULL },
+
{ ngx_string("ssl_dhparam"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
ngx_conf_set_str_slot,
@@ -581,6 +588,7 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t
sscf->enable = NGX_CONF_UNSET;
sscf->prefer_server_ciphers = NGX_CONF_UNSET;
+ sscf->certificate_compression = NGX_CONF_UNSET;
sscf->early_data = NGX_CONF_UNSET;
sscf->reject_handshake = NGX_CONF_UNSET;
sscf->buffer_size = NGX_CONF_UNSET_SIZE;
@@ -628,6 +636,9 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
ngx_conf_merge_value(conf->prefer_server_ciphers,
prev->prefer_server_ciphers, 0);
+ ngx_conf_merge_value(conf->certificate_compression,
+ prev->certificate_compression, 0);
+
ngx_conf_merge_value(conf->early_data, prev->early_data, 0);
ngx_conf_merge_value(conf->reject_handshake, prev->reject_handshake, 0);
@@ -791,6 +802,13 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
{
return NGX_CONF_ERROR;
}
+
+ if (ngx_ssl_certificate_compression(cf, &conf->ssl,
+ conf->certificate_compression)
+ != NGX_OK)
+ {
+ return NGX_CONF_ERROR;
+ }
}
conf->ssl.buffer_size = conf->buffer_size;
diff --git a/src/http/modules/ngx_http_ssl_module.h b/src/http/modules/ngx_http_ssl_module.h
--- a/src/http/modules/ngx_http_ssl_module.h
+++ b/src/http/modules/ngx_http_ssl_module.h
@@ -20,6 +20,7 @@ typedef struct {
ngx_ssl_t ssl;
ngx_flag_t prefer_server_ciphers;
+ ngx_flag_t certificate_compression;
ngx_flag_t early_data;
ngx_flag_t reject_handshake;
diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c
--- a/src/mail/ngx_mail_ssl_module.c
+++ b/src/mail/ngx_mail_ssl_module.c
@@ -111,6 +111,13 @@ static ngx_command_t ngx_mail_ssl_comma
0,
NULL },
+ { ngx_string("ssl_certificate_compression"),
+ NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_flag_slot,
+ NGX_MAIL_SRV_CONF_OFFSET,
+ offsetof(ngx_mail_ssl_conf_t, certificate_compression),
+ NULL },
+
{ ngx_string("ssl_dhparam"),
NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
ngx_conf_set_str_slot,
@@ -329,6 +336,7 @@ ngx_mail_ssl_create_conf(ngx_conf_t *cf)
scf->passwords = NGX_CONF_UNSET_PTR;
scf->conf_commands = NGX_CONF_UNSET_PTR;
scf->prefer_server_ciphers = NGX_CONF_UNSET;
+ scf->certificate_compression = NGX_CONF_UNSET;
scf->verify = NGX_CONF_UNSET_UINT;
scf->verify_depth = NGX_CONF_UNSET_UINT;
scf->builtin_session_cache = NGX_CONF_UNSET;
@@ -359,6 +367,9 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf,
ngx_conf_merge_value(conf->prefer_server_ciphers,
prev->prefer_server_ciphers, 0);
+ ngx_conf_merge_value(conf->certificate_compression,
+ prev->certificate_compression, 0);
+
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
(NGX_CONF_BITMASK_SET
|NGX_SSL_TLSv1|NGX_SSL_TLSv1_1
@@ -467,6 +478,13 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf,
return NGX_CONF_ERROR;
}
+ if (ngx_ssl_certificate_compression(cf, &conf->ssl,
+ conf->certificate_compression)
+ != NGX_OK)
+ {
+ return NGX_CONF_ERROR;
+ }
+
if (conf->verify) {
if (conf->client_certificate.len == 0 && conf->verify != 3) {
diff --git a/src/mail/ngx_mail_ssl_module.h b/src/mail/ngx_mail_ssl_module.h
--- a/src/mail/ngx_mail_ssl_module.h
+++ b/src/mail/ngx_mail_ssl_module.h
@@ -22,6 +22,7 @@
typedef struct {
ngx_flag_t enable;
ngx_flag_t prefer_server_ciphers;
+ ngx_flag_t certificate_compression;
ngx_ssl_t ssl;
diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@@ -114,6 +114,13 @@ static ngx_command_t ngx_stream_ssl_com
0,
NULL },
+ { ngx_string("ssl_certificate_compression"),
+ NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_flag_slot,
+ NGX_STREAM_SRV_CONF_OFFSET,
+ offsetof(ngx_stream_ssl_conf_t, certificate_compression),
+ NULL },
+
{ ngx_string("ssl_dhparam"),
NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
ngx_conf_set_str_slot,
@@ -674,6 +681,7 @@ ngx_stream_ssl_create_conf(ngx_conf_t *c
scf->passwords = NGX_CONF_UNSET_PTR;
scf->conf_commands = NGX_CONF_UNSET_PTR;
scf->prefer_server_ciphers = NGX_CONF_UNSET;
+ scf->certificate_compression = NGX_CONF_UNSET;
scf->verify = NGX_CONF_UNSET_UINT;
scf->verify_depth = NGX_CONF_UNSET_UINT;
scf->builtin_session_cache = NGX_CONF_UNSET;
@@ -702,6 +710,9 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf
ngx_conf_merge_value(conf->prefer_server_ciphers,
prev->prefer_server_ciphers, 0);
+ ngx_conf_merge_value(conf->certificate_compression,
+ prev->certificate_compression, 0);
+
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
(NGX_CONF_BITMASK_SET
|NGX_SSL_TLSv1|NGX_SSL_TLSv1_1
@@ -828,6 +839,13 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf
{
return NGX_CONF_ERROR;
}
+
+ if (ngx_ssl_certificate_compression(cf, &conf->ssl,
+ conf->certificate_compression)
+ != NGX_OK)
+ {
+ return NGX_CONF_ERROR;
+ }
}
if (conf->verify) {
diff --git a/src/stream/ngx_stream_ssl_module.h b/src/stream/ngx_stream_ssl_module.h
--- a/src/stream/ngx_stream_ssl_module.h
+++ b/src/stream/ngx_stream_ssl_module.h
@@ -18,6 +18,7 @@ typedef struct {
ngx_msec_t handshake_timeout;
ngx_flag_t prefer_server_ciphers;
+ ngx_flag_t certificate_compression;
ngx_ssl_t ssl;
More information about the nginx-devel
mailing list