Opened 3 years ago
Closed 3 years ago
#2271 closed enhancement (wontfix)
Allow to specify the ssl engine methods using a directive
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | nginx-module | Version: | 1.10.x |
| Keywords: | SSL, Engine, Method | Cc: | |

uname -a: `Linux 4.4.0-210-generic #242-Ubuntu SMP Fri Apr 16 09:57:56 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux`

nginx -V:
```
nginx version: nginx/1.10.3
built with OpenSSL 1.0.2zb-fips  23 Sep 2021
TLS SNI support enabled
configure arguments: --crossbuild=Linux:x86_64 --with-endian=little --with-int=4 --with-long=8 --with-long-long=8 --with-ptr-size=8 --with-sig-atomic-t=8 --with-size-t=8 --with-off-t=8 --with-time-t=8 --with-sys-nerr=132 --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --prefix=/usr --with-http_auth_request_module --with-http_ssl_module --with-ipv6 --without-http_fastcgi_module --without-http_uwsgi_module --without-http_scgi_module
```
Description
Currently, the ssl_engine <name> directive allows configuring the hardware SSL accelerator for Nginx.
By default, the engine is set to handle all SSL methods:
```c
engine = ENGINE_by_id((const char *) value[1].data);

if (engine == NULL) {
    ngx_ssl_error(NGX_LOG_WARN, cf->log, 0,
                  "ENGINE_by_id(\"%V\") failed", &value[1]);
    return NGX_CONF_ERROR;
}

if (ENGINE_set_default(engine, ENGINE_METHOD_ALL) == 0) {
    ngx_ssl_error(NGX_LOG_WARN, cf->log, 0,
                  "ENGINE_set_default(\"%V\", ENGINE_METHOD_ALL) failed",
                  &value[1]);

    ENGINE_free(engine);

    return NGX_CONF_ERROR;
}
```
In our application we want to configure the SSL engine only for certain methods, but there does not seem to be a suitable method to do so with the current Nginx functionality.
```c
ENGINE_set_default(engine, ENGINE_METHOD_RAND | ENGINE_METHOD_CIPHERS)
```
Users might want to only use a subset of an ssl engine's functionality, for example due to security concerns, performance issues, etc., related to certain methods of the engine.
Would it make sense to make such an enhancement to Nginx, and will upstream be ok with us submitting a patch to implement it?
Change History (4)
comment:1 by Maxim Dounin, 3 years ago (follow-up: 2)
If needed, particular methods can be set in OpenSSL configuration. Further, engines are deprecated in OpenSSL 3.0. Summing the above, I don't think it'll make sense.
comment:2 by , 3 years ago
Replying to Maxim Dounin:
If needed, particular methods can be set in OpenSSL configuration. Further, engines are deprecated in OpenSSL 3.0. Summing the above, I don't think it'll make sense.
Thanks Maxim!
Just a question, I set this configuration to the global openssl.cnf file, but it did not work.
```ini
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
foo = tpm_section

[tpm_section]
dynamic_path = /usr/lib/engines/libtpm.so
engine_id = tpm
#default_algorithms = ALL
default_algorithms = RAND
init = 1
```
Also, I tried specifying the same on the Nginx service:
```ini
[Service]
Type=forking
Environment="OPENSSL_CONF=/etc/nginx/openssl.cnf"
```
And had the same results: Nginx is still using all methods from the engine.
Are these the right places to configure the engine, or am I missing something?
Thanks in advance!
comment:3 by , 3 years ago
Nevermind, I managed to accomplish it by removing the ssl_engine directive from Nginx configuration:
- ssl_engine <name>
And setting the openssl configuration on the service file:
```ini
Environment="OPENSSL_CONF=/etc/nginx/openssl.cnf"
```
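The difference between the ssl_engine handler quoted in the description and the `default_algorithms = RAND` line in comment 2 is the method mask that ends up in ENGINE_set_default(): the directive always passes ENGINE_METHOD_ALL, while the config string is OR'ed together name by name. The following Python is an added example (not nginx or OpenSSL code) that models OpenSSL's ENGINE_set_default_string() mapping and walks the openssl.cnf fragment from comment 2; the flag values and accepted names are those of OpenSSL 1.0.2's engine.h and eng_fat.c, and the sample config is re-typed from the ticket.

```python
import configparser

# ENGINE_METHOD_* bit flags as in OpenSSL 1.0.2's engine.h (1.1.0+ replaces ECDH/ECDSA with EC)
METHOD_FLAGS = {
    "RSA": 0x0001, "DSA": 0x0002, "DH": 0x0004, "RAND": 0x0008,
    "ECDH": 0x0010, "ECDSA": 0x0020, "CIPHERS": 0x0040, "DIGESTS": 0x0080,
    "PKEY_CRYPTO": 0x0200, "PKEY_ASN1": 0x0400, "PKEY": 0x0600,
}
ENGINE_METHOD_ALL = 0xFFFF  # the mask nginx's ssl_engine directive always requests

def method_mask(default_algorithms):
    """Mirror ENGINE_set_default_string(): comma-separated, trimmed,
    case-sensitive names OR'ed together; an unknown name is an error."""
    mask = 0
    for name in default_algorithms.split(","):
        name = name.strip()
        if name == "ALL":
            mask |= ENGINE_METHOD_ALL
        elif name in METHOD_FLAGS:
            mask |= METHOD_FLAGS[name]
        else:
            raise ValueError(f"unknown engine method {name!r}")
    return mask

def method_names(mask):
    """Readable view of a mask (PKEY is a composite of the two PKEY_* bits)."""
    return [n for n, f in sorted(METHOD_FLAGS.items()) if n != "PKEY" and mask & f == f]

def engine_masks_from_cnf(text):
    """Follow openssl_conf -> engines -> engine sections; return {engine_id: mask}.
    No default_algorithms line means loaded but default for nothing (mask 0), not ALL."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # OpenSSL config keys are case-sensitive
    cp.read_string("[default]\n" + text)  # keys before any [section] form the default section
    engines = cp[cp["default"]["openssl_conf"]]["engines"]
    masks = {}
    for alias, section in cp[engines].items():
        sec = cp[section]
        algos = sec.get("default_algorithms")
        masks[sec.get("engine_id", alias)] = method_mask(algos) if algos else 0
    return masks

# openssl.cnf fragment from comment 2 (constructed sample input for this example)
SAMPLE_CNF = "\n".join([
    "openssl_conf = openssl_def", "[openssl_def]", "engines = engine_section",
    "[engine_section]", "foo = tpm_section", "[tpm_section]",
    "dynamic_path = /usr/lib/engines/libtpm.so", "engine_id = tpm",
    "#default_algorithms = ALL", "default_algorithms = RAND", "init = 1",
])
```

`engine_masks_from_cnf(SAMPLE_CNF)` yields `{"tpm": 0x0008}`, i.e. only RAND is engine-backed, whereas the nginx directive's mask covers every method.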
comment:4 by , 3 years ago
| Resolution: | → wontfix |
|---|---|
| Status: | new → closed |
Glad it works for you. Closing this, as ssl_engine improvements are not something we are going to implement.