Opened 4 weeks ago

Closed 2 weeks ago

#2271 closed enhancement (wontfix)

Allow to specify the ssl engine methods using a directive

Reported by: melvinitcr@… Owned by:
Priority: major Milestone:
Component: nginx-module Version: 1.10.x
Keywords: SSL, Engine, Method Cc:
uname -a: Linux 4.4.0-210-generic #242-Ubuntu SMP Fri Apr 16 09:57:56 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.10.3
built with OpenSSL 1.0.2zb-fips 23 Sep 2021
TLS SNI support enabled
configure arguments: --crossbuild=Linux:x86_64 --with-endian=little --with-int=4 --with-long=8 --with-long-long=8 --with-ptr-size=8 --with-sig-atomic-t=8 --with-size-t=8 --with-off-t=8 --with-time-t=8 --with-sys-nerr=132 --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --prefix=/usr --with-http_auth_request_module --with-http_ssl_module --with-ipv6 --without-http_fastcgi_module --without-http_uwsgi_module --without-http_scgi_module

Description

Currently, the ssl_engine <name> directive allows to configure the hardware SSL accelerator for Nginx.

By default, the engine is set to handle all SSL methods:

engine = ENGINE_by_id((const char *) value[1].data);

if (engine == NULL) {
    ngx_ssl_error(NGX_LOG_WARN, cf->log, 0,
                  "ENGINE_by_id(\"%V\") failed", &value[1]);
    return NGX_CONF_ERROR;
}

if (ENGINE_set_default(engine, ENGINE_METHOD_ALL) == 0) {
    ngx_ssl_error(NGX_LOG_WARN, cf->log, 0,
                  "ENGINE_set_default(\"%V\", ENGINE_METHOD_ALL) failed",
                  &value[1]);

    ENGINE_free(engine);

    return NGX_CONF_ERROR;
}

In our application we want to configure the SSL engine only for certain methods, but there does not seem to be a suitable method to do so with the current Nginx functionality.

ENGINE_set_default(engine, ENGINE_METHOD_RAND | ENGINE_METHOD_CIPHERS)

Users might want to only use a subset of an ssl engine functionality, for example due to security concerns, performance issues, etc; related to certain methods of the engine.

Would it makes sense to make such an enhancement to Nginx, and will upstream be ok with us submitting a patch to implement it ?

Change History (4)

comment:1 by Maxim Dounin, 4 weeks ago

If needed, particular methods can be set in OpenSSL configuration. Further, engines are deprecated in OpenSSL 3.0. Summing the above, I don't think it'll make sense.

in reply to:  1 comment:2 by melvinitcr@…, 4 weeks ago

Replying to Maxim Dounin:

If needed, particular methods can be set in OpenSSL configuration. Further, engines are deprecated in OpenSSL 3.0. Summing the above, I don't think it'll make sense.

Thanks Maxim!

Just a question, I set this configuration to the global openssl.cnf file, but it did not work.

openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]

foo = tpm_section

[tpm_section]
dynamic_path = /usr/lib/engines/libtpm.so
engine_id = tpm
#default_algorithms = ALL
default_algorithms = RAND
init = 1

Also, I tried specifiying the same on the Nginx service:

[Service]
Type=forking
Environment="OPENSSL_CONF=/etc/nginx/openssl.cnf"

And had the same results, Nginx is still using all methods from the engine.

Are these the right places to configure the engine, or I'm missing something.

Thanks in advance!

comment:3 by melvinitcr@…, 3 weeks ago

Nevermind, I managed to accomplish it by removing the ssl_engine directive from Nginx configuration:

- ssl_engine <name>

And setting the openssl configuration on the service file:

Environment="OPENSSL_CONF=/etc/nginx/openssl.cnf"

comment:4 by Maxim Dounin, 2 weeks ago

Resolution: wontfix
Status: newclosed

Glad it works for you. Closing this, as ssl_engine improvements is not something we are going to implement.

Note: See TracTickets for help on using tickets.