nginx and ephemeral Diffie-Hellman keys
Igor Sysoev
is at rambler-co.ru
Fri Jun 13 14:51:09 MSD 2008
On Fri, Jun 13, 2008 at 04:54:45AM +0200, Jauder Ho wrote:
> I've been fighting with this all do so hopefully someone can help shed
> some light.
>
> I have a site configured to use SSL and it current does successfully
> negotiate SSL. However, I am not able for the life of me to get nginx to
> offer up DH keys/ciphers.
>
> What I am able to get negotiated is AES256-SHA. What I would like to be
> able to see is DHE-RSA-AES256-SHA
>
> The following is that I have set currently.
>
> ssl_prefer_server_ciphers on;
> ssl_protocols SSLv3 TLSv1;
>
> # Set the ciphers to use. See
> http://infinitesecond.blogspot.com/2008/03/recommended-sslciphersuite.html
> ssl_ciphers
> DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
>
> Using http://www.serversniff.net/sslcheck.php and vurbu.com:443, it
> looks like only RSA key exchanges are successful.
>
> I have concatenated the DH params to the certificate with no effect.
> dhparams was created with the following command
>
> openssl dhparam -dsaparam -out dh1024dsa.pem -5 1024
>
> Also looking at the nginx error log files, I see a lot of
>
> SSL23_GET_CLIENT_HELLO:unknown protocol
> SSL3_GET_CLIENT_HELLO:no shared cipher
>
> yet the odd thing is I am able to successfully access https://vurbu.com/
>
> nginx was compiled using the following flags.
>
> ~/src/nginx-0.7.1$ ./configure --with-http_ssl_module
> --add-module=../nginx-upstream-fair/ --with-http_gzip_static_module
>
> Any suggestions would be welcome.
nginx does not support DH keys.
The attached patch adds ssl_dhparam directive:
ssl_dhparam /path/to/PEM_DHparam;
--
Igor Sysoev
http://sysoev.ru/en/
-------------- next part --------------
Index: src/http/modules/ngx_http_ssl_module.c
===================================================================
--- src/http/modules/ngx_http_ssl_module.c (revision 1362)
+++ src/http/modules/ngx_http_ssl_module.c (working copy)
@@ -72,6 +72,13 @@
offsetof(ngx_http_ssl_srv_conf_t, certificate_key),
NULL },
+ { ngx_string("ssl_dhparam"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ offsetof(ngx_http_ssl_srv_conf_t, dhparam),
+ NULL },
+
{ ngx_string("ssl_protocols"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE,
ngx_conf_set_bitmask_slot,
@@ -287,12 +294,10 @@
* set by ngx_pcalloc():
*
* sscf->protocols = 0;
- * sscf->certificate.len = 0;
- * sscf->certificate.data = NULL;
- * sscf->certificate_key.len = 0;
- * sscf->certificate_key.data = NULL;
- * sscf->client_certificate.len = 0;
- * sscf->client_certificate.data = NULL;
+ * sscf->certificate = { 0, NULL };
+ * sscf->certificate_key = { 0, NULL };
+ * sscf->dhparam = { 0, NULL };
+ * sscf->client_certificate = { 0, NULL };
* sscf->ciphers.len = 0;
* sscf->ciphers.data = NULL;
* sscf->shm_zone = NULL;
@@ -342,6 +347,8 @@
ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key,
NGX_DEFLAUT_CERTIFICATE_KEY);
+ ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
+
ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate,
"");
@@ -409,6 +416,10 @@
#endif
+ if (ngx_ssl_dh1024_param(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
+ return NGX_CONF_ERROR;
+ }
+
/* a temporary 512-bit RSA key is required for export versions of MSIE */
if (ngx_ssl_generate_rsa512_key(&conf->ssl) != NGX_OK) {
return NGX_CONF_ERROR;
Index: src/http/modules/ngx_http_ssl_module.h
===================================================================
--- src/http/modules/ngx_http_ssl_module.h (revision 1362)
+++ src/http/modules/ngx_http_ssl_module.h (working copy)
@@ -31,6 +31,7 @@
ngx_str_t certificate;
ngx_str_t certificate_key;
+ ngx_str_t dhparam;
ngx_str_t client_certificate;
ngx_str_t ciphers;
Index: src/event/ngx_event_openssl.c
===================================================================
--- src/event/ngx_event_openssl.c (revision 1362)
+++ src/event/ngx_event_openssl.c (working copy)
@@ -352,6 +352,40 @@
ngx_int_t
+ngx_ssl_dh1024_param(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
+{
+ DH *dh;
+ BIO *bio;
+
+ if (file->len == 0) {
+ return NGX_OK;
+ }
+
+ if (ngx_conf_full_name(cf->cycle, file, 1) == NGX_ERROR) {
+ return NGX_ERROR;
+ }
+
+ bio = BIO_new_file((char *) file->data, "r");
+ if (bio == NULL) {
+ return NGX_ERROR;
+ }
+
+ dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
+ if (dh == NULL) {
+ BIO_free(bio);
+ return NGX_ERROR;
+ }
+
+ SSL_CTX_set_tmp_dh(ssl->ctx, dh);
+
+ DH_free(dh);
+ BIO_free(bio);
+
+ return NGX_OK;
+}
+
+
+ngx_int_t
ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags)
{
ngx_ssl_connection_t *sc;
Index: src/event/ngx_event_openssl.h
===================================================================
--- src/event/ngx_event_openssl.h (revision 1362)
+++ src/event/ngx_event_openssl.h (working copy)
@@ -101,6 +101,7 @@
ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_str_t *cert, ngx_int_t depth);
ngx_int_t ngx_ssl_generate_rsa512_key(ngx_ssl_t *ssl);
+ngx_int_t ngx_ssl_dh1024_param(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout);
ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c,
More information about the nginx
mailing list