Revert "nghttpx: Add --curves option to specify supported elliptic curves"

This reverts commit e278893b64.

The SSL_CONF_CTX functions do not work correctly with OpenSSL 1.0.2.
They require OpenSSL 1.1.0 to work.
Tatsuhiro Tsujikawa 2016-01-21 19:50:38 +09:00
parent 7ca2660a29
commit 9ac3e643d8
5 changed files with 7 additions and 52 deletions


@ -107,8 +107,7 @@ OPTIONS = [
"add-forwarded", "add-forwarded",
"strip-incoming-forwarded", "strip-incoming-forwarded",
"forwarded-by", "forwarded-by",
"forwarded-for", "forwarded-for"
"curves"
] ]
LOGVARS = [ LOGVARS = [


@ -933,7 +933,6 @@ void fill_default_config() {
dyn_recconf.idle_timeout = 1_s; dyn_recconf.idle_timeout = 1_s;
tlsconf.session_timeout = std::chrono::hours(12); tlsconf.session_timeout = std::chrono::hours(12);
tlsconf.curves = "P-256";
} }
auto &httpconf = mod_config()->http; auto &httpconf = mod_config()->http;
@ -1438,12 +1437,6 @@ SSL/TLS:
TLS HTTP/2 backends. TLS HTTP/2 backends.
Default: )" Default: )"
<< util::duration_str(get_config()->tls.dyn_rec.idle_timeout) << R"( << util::duration_str(get_config()->tls.dyn_rec.idle_timeout) << R"(
--curves=<CURVES>
Specify supported elliptic curves in frontend TLS
connection. The <CURVES> must be a colon separated list
of curves. The curve name is either NIST name (e.g.,
"P-256") or OpenSSL OID name (e.g., "prime256v1").
Default: )" << get_config()->tls.curves << R"(
HTTP/2 and SPDY: HTTP/2 and SPDY:
-c, --http2-max-concurrent-streams=<N> -c, --http2-max-concurrent-streams=<N>
@ -2219,7 +2212,6 @@ int main(int argc, char **argv) {
{SHRPX_OPT_STRIP_INCOMING_FORWARDED, no_argument, &flag, 98}, {SHRPX_OPT_STRIP_INCOMING_FORWARDED, no_argument, &flag, 98},
{SHRPX_OPT_FORWARDED_BY, required_argument, &flag, 99}, {SHRPX_OPT_FORWARDED_BY, required_argument, &flag, 99},
{SHRPX_OPT_FORWARDED_FOR, required_argument, &flag, 100}, {SHRPX_OPT_FORWARDED_FOR, required_argument, &flag, 100},
{SHRPX_OPT_CURVES, required_argument, &flag, 101},
{nullptr, 0, nullptr, 0}}; {nullptr, 0, nullptr, 0}};
int option_index = 0; int option_index = 0;
@ -2649,10 +2641,6 @@ int main(int argc, char **argv) {
// --forwarded-for // --forwarded-for
cmdcfgs.emplace_back(SHRPX_OPT_FORWARDED_FOR, optarg); cmdcfgs.emplace_back(SHRPX_OPT_FORWARDED_FOR, optarg);
break; break;
case 101:
// --curves
cmdcfgs.emplace_back(SHRPX_OPT_CURVES, optarg);
break;
default: default:
break; break;
} }


@ -694,7 +694,6 @@ enum {
SHRPX_OPTID_CLIENT_PRIVATE_KEY_FILE, SHRPX_OPTID_CLIENT_PRIVATE_KEY_FILE,
SHRPX_OPTID_CLIENT_PROXY, SHRPX_OPTID_CLIENT_PROXY,
SHRPX_OPTID_CONF, SHRPX_OPTID_CONF,
SHRPX_OPTID_CURVES,
SHRPX_OPTID_DAEMON, SHRPX_OPTID_DAEMON,
SHRPX_OPTID_DH_PARAM_FILE, SHRPX_OPTID_DH_PARAM_FILE,
SHRPX_OPTID_ERRORLOG_FILE, SHRPX_OPTID_ERRORLOG_FILE,
@ -804,11 +803,6 @@ int option_lookup_token(const char *name, size_t namelen) {
return SHRPX_OPTID_DAEMON; return SHRPX_OPTID_DAEMON;
} }
break; break;
case 's':
if (util::strieq_l("curve", name, 5)) {
return SHRPX_OPTID_CURVES;
}
break;
case 't': case 't':
if (util::strieq_l("cacer", name, 5)) { if (util::strieq_l("cacer", name, 5)) {
return SHRPX_OPTID_CACERT; return SHRPX_OPTID_CACERT;
@ -2158,13 +2152,6 @@ int parse_config(const char *opt, const char *optarg,
return 0; return 0;
} }
case SHRPX_OPTID_CURVES:
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
mod_config()->tls.curves = optarg;
#else // OPENSSL_VERSION_NUMBER < 0x10002000L
LOG(WARN) << opt << ": this option requires OpenSSL >= 1.0.2.";
#endif // OPENSSL_VERSION_NUMBER < 0x10002000L
return 0;
case SHRPX_OPTID_CONF: case SHRPX_OPTID_CONF:
LOG(WARN) << "conf: ignored"; LOG(WARN) << "conf: ignored";


@ -196,7 +196,6 @@ constexpr char SHRPX_OPT_STRIP_INCOMING_FORWARDED[] =
"strip-incoming-forwarded"; "strip-incoming-forwarded";
constexpr static char SHRPX_OPT_FORWARDED_BY[] = "forwarded-by"; constexpr static char SHRPX_OPT_FORWARDED_BY[] = "forwarded-by";
constexpr char SHRPX_OPT_FORWARDED_FOR[] = "forwarded-for"; constexpr char SHRPX_OPT_FORWARDED_FOR[] = "forwarded-for";
constexpr char SHRPX_OPT_CURVES[] = "curves";
constexpr size_t SHRPX_OBFUSCATED_NODE_LENGTH = 8; constexpr size_t SHRPX_OBFUSCATED_NODE_LENGTH = 8;
@ -367,9 +366,6 @@ struct TLSConfig {
// passed to SSL_CTX_set_options(). // passed to SSL_CTX_set_options().
long int tls_proto_mask; long int tls_proto_mask;
std::string backend_sni_name; std::string backend_sni_name;
// Supported elliptic curves, separated by colon (':'). This is
// directly passed to OpenSSL configuration function.
std::string curves;
std::chrono::seconds session_timeout; std::chrono::seconds session_timeout;
std::unique_ptr<char[]> private_key_file; std::unique_ptr<char[]> private_key_file;
std::unique_ptr<char[]> private_key_passwd; std::unique_ptr<char[]> private_key_passwd;


@ -506,28 +506,13 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file
} }
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
auto conf_ctx = SSL_CONF_CTX_new();
SSL_CONF_CTX_set_flags(conf_ctx, SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_FILE); // Disabled SSL_CTX_set_ecdh_auto, because computational cost of
SSL_CONF_CTX_set_ssl_ctx(conf_ctx, ssl_ctx); // chosen curve is much higher than P-256.
if (!tlsconf.curves.empty()) { // #if OPENSSL_VERSION_NUMBER >= 0x10002000L
if (SSL_CONF_cmd(conf_ctx, "Curves", tlsconf.curves.c_str()) != 2) { // SSL_CTX_set_ecdh_auto(ssl_ctx, 1);
LOG(FATAL) << "Setting named curves failed: " // #else // OPENSSL_VERSION_NUBMER < 0x10002000L
<< ERR_error_string(ERR_get_error(), nullptr);
DIE();
}
}
if (SSL_CONF_CTX_finish(conf_ctx) == 0) {
LOG(FATAL) << "Configuring SSL_CTX failed: "
<< ERR_error_string(ERR_get_error(), nullptr);
DIE();
}
SSL_CONF_CTX_free(conf_ctx);
#else // OPENSSL_VERSION_NUBMER < 0x10002000L
// Use P-256, which is sufficiently secure at the time of this // Use P-256, which is sufficiently secure at the time of this
// writing. // writing.
auto ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); auto ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
@ -538,7 +523,7 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file
} }
SSL_CTX_set_tmp_ecdh(ssl_ctx, ecdh); SSL_CTX_set_tmp_ecdh(ssl_ctx, ecdh);
EC_KEY_free(ecdh); EC_KEY_free(ecdh);
#endif // OPENSSL_VERSION_NUBMER < 0x10002000L // #endif // OPENSSL_VERSION_NUBMER < 0x10002000L
#endif // OPENSSL_NO_EC #endif // OPENSSL_NO_EC
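Review bot: The restored block in create_ssl_context keeps the old `#if`/`#else`/`#endif` directives as `//` comments (including the `OPENSSL_VERSION_NUBMER` typo), so the P-256 path reads as conditional although it now compiles for every OpenSSL version whenever `OPENSSL_NO_EC` is unset. I would drop the three commented directives and keep one comment that states the actual behaviour, e.g. `// Frontend ECDHE is fixed to P-256; SSL_CTX_set_ecdh_auto is not used because the curve it chose costs far more CPU than P-256.` Because the commit message says SSL_CONF_CTX only works from OpenSSL 1.1.0, a `// TODO: reintroduce a curve list option behind an OpenSSL >= 1.1.0 guard` next to it would also record that the curve list is no longer operator-configurable, which matters when a deployment needs a different curve. create_ssl_context begins and ends outside these hunks, and the failure check on `ecdh` that presumably sits between the two hunks is not visible here.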