[PATCH 1 of 2] SSL: support for TLSv1.3 certificate compression (RFC 8879)
Maxim Dounin
mdounin at mdounin.ru
Mon Apr 17 05:21:19 UTC 2023
Hello!

On Wed, Apr 12, 2023 at 04:55:49PM +0400, Sergey Kandaurov wrote:
> # HG changeset patch
> # User Sergey Kandaurov <pluknet at nginx.com>
> # Date 1681304029 -14400
> # Wed Apr 12 16:53:49 2023 +0400
> # Node ID 06458cd5733cd2ffaa4e2d26d357524a0934a7eb
> # Parent 5f1d05a21287ba0290dd3a17ad501595b442a194
> SSL: support for TLSv1.3 certificate compression (RFC 8879).
>
> Certificates are precompressed using the "ssl_certificate_compression"
> directive, disabled by default. A negotiated certificate-compression
> algorithm depends on the OpenSSL library builtin support.

While not exactly relevant to the patch, looking into OpenSSL's
master branch I don't see any obvious limits on the certificate
expansion, except the fact that uncompressed length is limited to
a 24-bit value. Is it indeed an easy way to allocate 16 MB per
connection?

(When I see "OpenSSL" and "compression" used together, I tend to
look for a resource usage audit, a security audit, and the "no
compression" option.)

Also, it might make sense to add a note to the commit log that
this functionality is expected to appear in OpenSSL 3.2.

>
> diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c
> +++ b/src/event/ngx_event_openssl.c
> @@ -847,6 +847,29 @@ ngx_ssl_password_callback(char *buf, int
>
>
> ngx_int_t
> +ngx_ssl_certificate_compression(ngx_conf_t *cf, ngx_ssl_t *ssl,
> + ngx_uint_t enable)
> +{
> + if (!enable) {
> + return NGX_OK;
> + }
> +
> +#ifdef TLSEXT_comp_cert_none
> +
> + if (SSL_CTX_compress_certs(ssl->ctx, 0)) {
> + return NGX_OK;
> + }
> +
> +#endif
> +
> + ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
> + "\"ssl_certificate_compression\" ignored, not supported");
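
Review bot: in ngx_ssl_certificate_compression(), a zero return from SSL_CTX_compress_certs(ssl->ctx, 0) inside the #ifdef TLSEXT_comp_cert_none block falls through to the same "ignored, not supported" warning that is logged when the library lacks the feature. A precompression failure on a capable library is therefore reported as missing support, and the OpenSSL error queue is never logged. Consider handling the failure inside the #ifdef with ngx_ssl_error() and a distinct message, and deciding there whether it should fail configuration rather than only warn.
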
Please note that this option, contrary to the name, does not
enable certificate compression, but rather pre-compresses server
certificates.

Certificate compression is enabled by default for both client and
server connections, and both sending and receiving certificates,
unless disabled by the SSL_OP_NO_TX_CERTIFICATE_COMPRESSION /
SSL_OP_NO_RX_CERTIFICATE_COMPRESSION options. (Further,
client-side seems to compress client certificates on each
connection, which looks suboptimal for proxying to SSL upstream
servers with client certificates.)

It might be worth looking for a better name, or expanding the
directive to actually disable compression unless it is enabled.

[...]
--
Maxim Dounin
http://mdounin.ru/
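
The 24-bit uncompressed length discussed in the message above is a peer-declared field of the RFC 8879 CompressedCertificate message. The following is an added example, not code from the patch, nginx or OpenSSL, showing a receiver parsing that message body and refusing an oversized declaration before any output buffer is sized. The names, the 64 KB cap and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

enum { CC_ZLIB = 1, CC_BROTLI = 2, CC_ZSTD = 3 };   /* RFC 8879 algorithm ids */

typedef enum { CC_OK, CC_TRUNCATED, CC_BAD_ALGORITHM, CC_TOO_LARGE,
               CC_EMPTY_PAYLOAD, CC_LENGTH_MISMATCH } cc_status;

typedef struct {
    uint16_t       algorithm;
    uint32_t       uncompressed_length;   /* declared by the peer, 24-bit */
    const uint8_t *payload;               /* compressed Certificate message */
    uint32_t       payload_length;
} cc_header;

static uint32_t rd24(const uint8_t *p)    /* big-endian uint24 */
{
    return ((uint32_t) p[0] << 16) | ((uint32_t) p[1] << 8) | p[2];
}

/* Parse a CompressedCertificate body (uint16 algorithm, uint24
 * uncompressed_length, opaque payload<1..2^24-1>) and apply the local cap
 * max_uncompressed (hypothetical policy knob) before anything is allocated. */
cc_status cc_parse(const uint8_t *p, size_t len, uint32_t max_uncompressed,
                   cc_header *h)
{
    if (len < 8) return CC_TRUNCATED;             /* 2 + 3 + 3 fixed bytes */
    h->algorithm = (uint16_t) ((p[0] << 8) | p[1]);
    if (h->algorithm < CC_ZLIB || h->algorithm > CC_ZSTD) return CC_BAD_ALGORITHM;

    h->uncompressed_length = rd24(p + 2);
    if (h->uncompressed_length > max_uncompressed) return CC_TOO_LARGE;

    h->payload_length = rd24(p + 5);
    if (h->payload_length == 0) return CC_EMPTY_PAYLOAD;
    if (h->payload_length != len - 8) return CC_LENGTH_MISMATCH;
    h->payload = p + 8;
    return CC_OK;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t cc_sample_ok[]   = { 0x00,0x02, 0x00,0x10,0x00, 0x00,0x00,0x02, 0xAA,0xBB };
static const uint8_t cc_sample_huge[] = { 0x00,0x01, 0xFF,0xFF,0xFF, 0x00,0x00,0x01, 0x00 };

int main(void)
{
    cc_header h;   /* exit status 0 when the 16 MB declaration is refused */
    return cc_parse(cc_sample_huge, sizeof cc_sample_huge, 64 * 1024, &h) != CC_TOO_LARGE;
}
```

The declared length only bounds the allocation; the decompressor must still stop as soon as its output would exceed `uncompressed_length`, which RFC 8879 treats as a reason to abort the connection.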