id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
2271	Allow to specify the ssl engine methods using a directive	melvinitcr@…		"Currently, the ssl_engine <name> directive allows configuring the hardware SSL accelerator for Nginx.

By default, the engine is set to handle all SSL methods: 
{{{
engine = ENGINE_by_id((const char *) value[1].data);

if (engine == NULL) {
    ngx_ssl_error(NGX_LOG_WARN, cf->log, 0,
                  ""ENGINE_by_id(\""%V\"") failed"", &value[1]);
    return NGX_CONF_ERROR;
}

if (ENGINE_set_default(engine, ENGINE_METHOD_ALL) == 0) {
    ngx_ssl_error(NGX_LOG_WARN, cf->log, 0,
                  ""ENGINE_set_default(\""%V\"", ENGINE_METHOD_ALL) failed"",
                  &value[1]);

    ENGINE_free(engine);

    return NGX_CONF_ERROR;
}
}}}

In our application we want to configure the SSL engine only for certain methods, but there does not seem to be a suitable method to do so with the current Nginx functionality.

{{{
ENGINE_set_default(engine, ENGINE_METHOD_RAND | ENGINE_METHOD_CIPHERS)
}}}

Users might want to use only a subset of an SSL engine's functionality, for example due to security concerns, performance issues, etc., related to certain methods of the engine.

Would it make sense to make such an enhancement to Nginx, and will upstream be OK with us submitting a patch to implement it?
"	enhancement	closed	major		nginx-module	1.10.x	wontfix	SSL, Engine, Method		Linux 4.4.0-210-generic #242-Ubuntu SMP Fri Apr 16 09:57:56 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux	"nginx version: nginx/1.10.3
built with OpenSSL 1.0.2zb-fips  23 Sep 2021
TLS SNI support enabled
configure arguments: --crossbuild=Linux:x86_64 --with-endian=little --with-int=4 --with-long=8 --with-long-long=8 --with-ptr-size=8 --with-sig-atomic-t=8 --with-size-t=8 --with-off-t=8 --with-time-t=8 --with-sys-nerr=132 --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --prefix=/usr --with-http_auth_request_module --with-http_ssl_module --with-ipv6 --without-http_fastcgi_module --without-http_uwsgi_module --without-http_scgi_module
"
