[PATCH] Add ssl_provider directive (ticket #2449)

Mathew Heard mat999 at gmail.com
Sun Mar 5 01:02:23 UTC 2023


By the way, have you benchmarked this?

On Sun, 5 Mar 2023, 11:55 am Nick Bogdanov, <nickrbogdanov at gmail.com> wrote:

> # HG changeset patch
> # User Nick Bogdanov <nickrbogdanov at gmail.com>
> # Date 1677975659 28800
> #      Sat Mar 04 16:20:59 2023 -0800
> # Node ID 8cb34ae16de2408cbe91832194baac6ae299f251
> # Parent  cffaf3f2eec8fd33605c2a37814f5ffc30371989
> Add ssl_provider directive (ticket #2449)
>
> This change allows nginx to load modules that use the new OpenSSL
> Provider interface.  My primary use case involves securing the
> webserver's private TLS key using a TPM2 chip, so it can't be stolen
> if the server is compromised.  The way I tested this is as follows:
>
> 1. Install basic TPM2 support.  On Ubuntu 22.04 I used
>
>     apt install tpm2-tools tpm2-abrmd libtss2-tcti-tabrmd0
>
> 2. Install https://github.com/tpm2-software/tpm2-openssl .  Version
> 1.2.0-rc0 or higher is required.  At the time of this writing, it's
> likely you'll have to build from source.
>
> 3. Generate a parent key on your TPM (one-time setup):
>
>     tpm2_createprimary -C o -g sha256 -G ecc -c primary_sh.ctx
>
>     tpm2_evictcontrol -C o -c 0x81000001 || true
>
>     tpm2_evictcontrol -C o -c primary_sh.ctx 0x81000001
>
> 4. Generate a TPM-backed RSA privkey and a corresponding self-signed
> x509 cert:
>
>     openssl genpkey -provider tpm2 -algorithm RSA
>         -pkeyopt parent:0x81000001 -out rsakey.pem
>
>     openssl req -provider tpm2 -provider default -x509
>         -subj "/C=GB/CN=foo" -key rsakey.pem -out rsacert.pem
>
> rsakey.pem will start with "-----BEGIN TSS2 PRIVATE KEY-----" to indicate
> that the key material is encrypted with a key that is only available inside
> the TPM chip.
>
> 5. At the start of nginx.conf, tell nginx to use the tpm2 provider
> first, and then fall back to the default provider for unsupported
> operations:
>
>     ssl_provider tpm2;
>     ssl_provider default;
>
> 6. Inside a "server {" section for an existing TLS server, point nginx
> to the new TPM-backed cert and key:
>
>     ssl_certificate         /tmp/rsacert.pem;
>     ssl_certificate_key     /tmp/rsakey.pem;
>
> If the ssl_provider option took effect, nginx will be able to recognize
> the new TSS2 rsakey.pem and instruct the TPM chip to handle the signing
> operation during the TLS handshake.
>
> diff -r cffaf3f2eec8 -r 8cb34ae16de2 contrib/vim/syntax/nginx.vim
> --- a/contrib/vim/syntax/nginx.vim      Thu Feb 02 23:38:48 2023 +0300
> +++ b/contrib/vim/syntax/nginx.vim      Sat Mar 04 16:20:59 2023 -0800
> @@ -620,6 +620,7 @@
>  syn keyword ngxDirective contained ssl_prefer_server_ciphers
>  syn keyword ngxDirective contained ssl_preread
>  syn keyword ngxDirective contained ssl_protocols
> +syn keyword ngxDirective contained ssl_provider
>  syn keyword ngxDirective contained ssl_reject_handshake
>  syn keyword ngxDirective contained ssl_session_cache
>  syn keyword ngxDirective contained ssl_session_ticket_key
> diff -r cffaf3f2eec8 -r 8cb34ae16de2 src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c     Thu Feb 02 23:38:48 2023 +0300
> +++ b/src/event/ngx_event_openssl.c     Sat Mar 04 16:20:59 2023 -0800
> @@ -90,6 +90,7 @@
>
>  static void *ngx_openssl_create_conf(ngx_cycle_t *cycle);
>  static char *ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void
> *conf);
> +static char *ngx_openssl_provider(ngx_conf_t *cf, ngx_command_t *cmd,
> void *conf);
>  static void ngx_openssl_exit(ngx_cycle_t *cycle);
>
>
> @@ -102,6 +103,13 @@
>        0,
>        NULL },
>
> +    { ngx_string("ssl_provider"),
> +      NGX_MAIN_CONF|NGX_DIRECT_CONF|NGX_CONF_TAKE1,
> +      ngx_openssl_provider,
> +      0,
> +      0,
> +      NULL },
> +
>        ngx_null_command
>  };
>
> @@ -5939,6 +5947,26 @@
>  #endif
>  }
>
> +static char *
> +ngx_openssl_provider(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
> +{
> +#ifdef OPENSSL_PROVIDER_SUPPORT
> +    ngx_str_t  *value = cf->args->elts;
> +
> +    if (OSSL_PROVIDER_load(NULL, (char *)value[1].data) == NULL) {
> +        ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
> +                      "OSSL_PROVIDER_load(\"%V\") failed", &value[1]);
> +        return NGX_CONF_ERROR;
> +    }
> +
> +    return NGX_CONF_OK;
> +
> +#else
> +
> +    return "is not supported";
> +
> +#endif
> +}
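Review bot: The OSSL_PROVIDER * returned by OSSL_PROVIDER_load() at the `if (OSSL_PROVIDER_load(NULL, (char *)value[1].data) == NULL)` line is discarded, so the provider can never be released with OSSL_PROVIDER_unload(); ngx_openssl_exit() (outside the hunk) has no handle to clean up, whereas the existing ngx_openssl_engine() path (also outside the hunk) releases the ENGINE it acquires. Keeping the pointer in the module conf — an array, since the directive may repeat — would allow symmetric unloading at exit. The directive is parsed on every configuration load (including `nginx -t` and reload), so OSSL_PROVIDER_load() runs again each time; whether OpenSSL 3.x reuses the already-loaded instance or accumulates references is worth confirming by test before merging. The commit message's point that explicitly loading any provider stops "default" from being loaded implicitly belongs in the code as well, e.g. `/* loading any provider explicitly disables implicit loading of "default"; the config must list it too */` above the call. nginx's style also separates function definitions with two blank lines, where the hunk has one before `static char *`.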
>
>  static void
>  ngx_openssl_exit(ngx_cycle_t *cycle)
> diff -r cffaf3f2eec8 -r 8cb34ae16de2 src/event/ngx_event_openssl.h
> --- a/src/event/ngx_event_openssl.h     Thu Feb 02 23:38:48 2023 +0300
> +++ b/src/event/ngx_event_openssl.h     Sat Mar 04 16:20:59 2023 -0800
> @@ -28,6 +28,10 @@
>  #ifndef OPENSSL_NO_OCSP
>  #include <openssl/ocsp.h>
>  #endif
> +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> +#include <openssl/provider.h>
> +#define OPENSSL_PROVIDER_SUPPORT
> +#endif
>  #include <openssl/rand.h>
>  #include <openssl/x509.h>
>  #include <openssl/x509v3.h>
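Review bot: The `#define OPENSSL_PROVIDER_SUPPORT` line introduces a macro in the `OPENSSL_` namespace that OpenSSL's own headers use, so a later OpenSSL release could define the same name with a different meaning; an `NGX_`-prefixed feature macro would match this header's convention. A minimal change is `#define NGX_SSL_PROVIDER 1` here and `#if (NGX_SSL_PROVIDER)` in ngx_event_openssl.c. Guarding on `OPENSSL_VERSION_NUMBER >= 0x30000000L` looks right for `<openssl/provider.h>`, which only exists from OpenSSL 3.0 on.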

