Revert "nghttpx: Add --curves option to specify supported elliptic curves"
This reverts commit e278893b64.
The SSL_CONF_CTX functions do not work correctly with OpenSSL 1.0.2; they require OpenSSL 1.1.0 to work.
parent
7ca2660a29
commit
9ac3e643d8
|
@ -107,8 +107,7 @@ OPTIONS = [
|
||||||
"add-forwarded",
|
"add-forwarded",
|
||||||
"strip-incoming-forwarded",
|
"strip-incoming-forwarded",
|
||||||
"forwarded-by",
|
"forwarded-by",
|
||||||
"forwarded-for",
|
"forwarded-for"
|
||||||
"curves"
|
|
||||||
]
|
]
|
||||||
|
|
||||||
LOGVARS = [
|
LOGVARS = [
|
||||||
|
|
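--- a/src/shrpx.cc
+++ b/src/shrpx.cc
@@ -933,7 +933,6 @@ void fill_default_config() {
 dyn_recconf.idle_timeout = 1_s;
 
 tlsconf.session_timeout = std::chrono::hours(12);
-tlsconf.curves = "P-256";
 }
 
 auto &httpconf = mod_config()->http;
@@ -1438,12 +1437,6 @@ SSL/TLS:
 TLS HTTP/2 backends.
 Default: )"
 << util::duration_str(get_config()->tls.dyn_rec.idle_timeout) << R"(
---curves=<CURVES>
-Specify supported elliptic curves in frontend TLS
-connection. The <CURVES> must be a colon separated list
-of curves. The curve name is either NIST name (e.g.,
-"P-256") or OpenSSL OID name (e.g., "prime256v1").
-Default: )" << get_config()->tls.curves << R"(
 
 HTTP/2 and SPDY:
 -c, --http2-max-concurrent-streams=<N>
@@ -2219,7 +2212,6 @@ int main(int argc, char **argv) {
 {SHRPX_OPT_STRIP_INCOMING_FORWARDED, no_argument, &flag, 98},
 {SHRPX_OPT_FORWARDED_BY, required_argument, &flag, 99},
 {SHRPX_OPT_FORWARDED_FOR, required_argument, &flag, 100},
-{SHRPX_OPT_CURVES, required_argument, &flag, 101},
 {nullptr, 0, nullptr, 0}};
 
 int option_index = 0;
@@ -2649,10 +2641,6 @@ int main(int argc, char **argv) {
 // --forwarded-for
 cmdcfgs.emplace_back(SHRPX_OPT_FORWARDED_FOR, optarg);
 break;
-case 101:
-// --curves
-cmdcfgs.emplace_back(SHRPX_OPT_CURVES, optarg);
-break;
 default:
 break;
 }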
|
@ -694,7 +694,6 @@ enum {
|
||||||
SHRPX_OPTID_CLIENT_PRIVATE_KEY_FILE,
|
SHRPX_OPTID_CLIENT_PRIVATE_KEY_FILE,
|
||||||
SHRPX_OPTID_CLIENT_PROXY,
|
SHRPX_OPTID_CLIENT_PROXY,
|
||||||
SHRPX_OPTID_CONF,
|
SHRPX_OPTID_CONF,
|
||||||
SHRPX_OPTID_CURVES,
|
|
||||||
SHRPX_OPTID_DAEMON,
|
SHRPX_OPTID_DAEMON,
|
||||||
SHRPX_OPTID_DH_PARAM_FILE,
|
SHRPX_OPTID_DH_PARAM_FILE,
|
||||||
SHRPX_OPTID_ERRORLOG_FILE,
|
SHRPX_OPTID_ERRORLOG_FILE,
|
||||||
|
@ -804,11 +803,6 @@ int option_lookup_token(const char *name, size_t namelen) {
|
||||||
return SHRPX_OPTID_DAEMON;
|
return SHRPX_OPTID_DAEMON;
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case 's':
|
|
||||||
if (util::strieq_l("curve", name, 5)) {
|
|
||||||
return SHRPX_OPTID_CURVES;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
case 't':
|
case 't':
|
||||||
if (util::strieq_l("cacer", name, 5)) {
|
if (util::strieq_l("cacer", name, 5)) {
|
||||||
return SHRPX_OPTID_CACERT;
|
return SHRPX_OPTID_CACERT;
|
||||||
|
@ -2158,13 +2152,6 @@ int parse_config(const char *opt, const char *optarg,
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
case SHRPX_OPTID_CURVES:
|
|
||||||
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
|
|
||||||
mod_config()->tls.curves = optarg;
|
|
||||||
#else // OPENSSL_VERSION_NUMBER < 0x10002000L
|
|
||||||
LOG(WARN) << opt << ": this option requires OpenSSL >= 1.0.2.";
|
|
||||||
#endif // OPENSSL_VERSION_NUMBER < 0x10002000L
|
|
||||||
return 0;
|
|
||||||
case SHRPX_OPTID_CONF:
|
case SHRPX_OPTID_CONF:
|
||||||
LOG(WARN) << "conf: ignored";
|
LOG(WARN) << "conf: ignored";
|
||||||
|
|
||||||
|
|
|
@ -196,7 +196,6 @@ constexpr char SHRPX_OPT_STRIP_INCOMING_FORWARDED[] =
|
||||||
"strip-incoming-forwarded";
|
"strip-incoming-forwarded";
|
||||||
constexpr static char SHRPX_OPT_FORWARDED_BY[] = "forwarded-by";
|
constexpr static char SHRPX_OPT_FORWARDED_BY[] = "forwarded-by";
|
||||||
constexpr char SHRPX_OPT_FORWARDED_FOR[] = "forwarded-for";
|
constexpr char SHRPX_OPT_FORWARDED_FOR[] = "forwarded-for";
|
||||||
constexpr char SHRPX_OPT_CURVES[] = "curves";
|
|
||||||
|
|
||||||
constexpr size_t SHRPX_OBFUSCATED_NODE_LENGTH = 8;
|
constexpr size_t SHRPX_OBFUSCATED_NODE_LENGTH = 8;
|
||||||
|
|
||||||
|
@ -367,9 +366,6 @@ struct TLSConfig {
|
||||||
// passed to SSL_CTX_set_options().
|
// passed to SSL_CTX_set_options().
|
||||||
long int tls_proto_mask;
|
long int tls_proto_mask;
|
||||||
std::string backend_sni_name;
|
std::string backend_sni_name;
|
||||||
// Supported elliptic curves, separated by colon (':'). This is
|
|
||||||
// directly passed to OpenSSL configuration function.
|
|
||||||
std::string curves;
|
|
||||||
std::chrono::seconds session_timeout;
|
std::chrono::seconds session_timeout;
|
||||||
std::unique_ptr<char[]> private_key_file;
|
std::unique_ptr<char[]> private_key_file;
|
||||||
std::unique_ptr<char[]> private_key_passwd;
|
std::unique_ptr<char[]> private_key_passwd;
|
||||||
|
|
|
@ -506,28 +506,13 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_EC
|
#ifndef OPENSSL_NO_EC
|
||||||
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
|
|
||||||
auto conf_ctx = SSL_CONF_CTX_new();
|
|
||||||
|
|
||||||
SSL_CONF_CTX_set_flags(conf_ctx, SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_FILE);
|
// Disabled SSL_CTX_set_ecdh_auto, because computational cost of
|
||||||
SSL_CONF_CTX_set_ssl_ctx(conf_ctx, ssl_ctx);
|
// chosen curve is much higher than P-256.
|
||||||
|
|
||||||
if (!tlsconf.curves.empty()) {
|
// #if OPENSSL_VERSION_NUMBER >= 0x10002000L
|
||||||
if (SSL_CONF_cmd(conf_ctx, "Curves", tlsconf.curves.c_str()) != 2) {
|
// SSL_CTX_set_ecdh_auto(ssl_ctx, 1);
|
||||||
LOG(FATAL) << "Setting named curves failed: "
|
// #else // OPENSSL_VERSION_NUBMER < 0x10002000L
|
||||||
<< ERR_error_string(ERR_get_error(), nullptr);
|
|
||||||
DIE();
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if (SSL_CONF_CTX_finish(conf_ctx) == 0) {
|
|
||||||
LOG(FATAL) << "Configuring SSL_CTX failed: "
|
|
||||||
<< ERR_error_string(ERR_get_error(), nullptr);
|
|
||||||
DIE();
|
|
||||||
}
|
|
||||||
|
|
||||||
SSL_CONF_CTX_free(conf_ctx);
|
|
||||||
#else // OPENSSL_VERSION_NUBMER < 0x10002000L
|
|
||||||
// Use P-256, which is sufficiently secure at the time of this
|
// Use P-256, which is sufficiently secure at the time of this
|
||||||
// writing.
|
// writing.
|
||||||
auto ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
|
auto ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
|
||||||
|
@ -538,7 +523,7 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file
|
||||||
}
|
}
|
||||||
SSL_CTX_set_tmp_ecdh(ssl_ctx, ecdh);
|
SSL_CTX_set_tmp_ecdh(ssl_ctx, ecdh);
|
||||||
EC_KEY_free(ecdh);
|
EC_KEY_free(ecdh);
|
||||||
#endif // OPENSSL_VERSION_NUBMER < 0x10002000L
|
// #endif // OPENSSL_VERSION_NUBMER < 0x10002000L
|
||||||
|
|
||||||
#endif // OPENSSL_NO_EC
|
#endif // OPENSSL_NO_EC
|
||||||
|
|
||||||
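Review bot: The restored ECDH block (`EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)` followed by `SSL_CTX_set_tmp_ecdh(ssl_ctx, ecdh)`) pins the frontend to one hard-coded curve, although the revert's stated reason concerns only the SSL_CONF_CTX API; on OpenSSL 1.0.2 a curve list can, as far as I recall, be applied without SSL_CONF_CTX via `SSL_CTX_set1_curves_list(ssl_ctx, tlsconf.curves.c_str())`, so the configurable option did not have to be dropped wholesale. Independently, the comment lines re-introduced here spell the macro `OPENSSL_VERSION_NUBMER` three times, and commenting out the `#if`/`#else`/`#endif` directives leaves dead preprocessor text interleaved with live code; I would either delete the commented-out directives or replace them with a single `// NOTE: SSL_CTX_set_ecdh_auto is deliberately not used; see the comment above.`. Whether `ecdh` is null-checked before `SSL_CTX_set_tmp_ecdh` is not visible in this hunk — the closing `}` just above suggests so, but please confirm. `create_ssl_context` starts and ends outside this hunk.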