nghttpx: Rename --tls-ticket-cipher as --tls-ticket-key-cipher
parent
80d96590c5
commit
a1288a5826
|
@ -91,7 +91,7 @@ OPTIONS = [
|
||||||
"header-field-buffer",
|
"header-field-buffer",
|
||||||
"max-header-fields",
|
"max-header-fields",
|
||||||
"include",
|
"include",
|
||||||
"tls-ticket-cipher",
|
"tls-ticket-key-cipher",
|
||||||
"host-rewrite",
|
"host-rewrite",
|
||||||
"tls-session-cache-memcached",
|
"tls-session-cache-memcached",
|
||||||
"tls-ticket-key-memcached",
|
"tls-ticket-key-memcached",
|
||||||
|
|
69
src/shrpx.cc
69
src/shrpx.cc
|
@ -608,7 +608,7 @@ void graceful_shutdown_signal_cb(struct ev_loop *loop, ev_signal *w,
|
||||||
|
|
||||||
namespace {
|
namespace {
|
||||||
int generate_ticket_key(TicketKey &ticket_key) {
|
int generate_ticket_key(TicketKey &ticket_key) {
|
||||||
ticket_key.cipher = get_config()->tls_ticket_cipher;
|
ticket_key.cipher = get_config()->tls_ticket_key_cipher;
|
||||||
ticket_key.hmac = EVP_sha256();
|
ticket_key.hmac = EVP_sha256();
|
||||||
ticket_key.hmac_keylen = EVP_MD_size(ticket_key.hmac);
|
ticket_key.hmac_keylen = EVP_MD_size(ticket_key.hmac);
|
||||||
|
|
||||||
|
@ -738,11 +738,11 @@ void memcached_get_ticket_key_cb(struct ev_loop *loop, ev_timer *w,
|
||||||
size_t expectedlen;
|
size_t expectedlen;
|
||||||
size_t enc_keylen;
|
size_t enc_keylen;
|
||||||
size_t hmac_keylen;
|
size_t hmac_keylen;
|
||||||
if (get_config()->tls_ticket_cipher == EVP_aes_128_cbc()) {
|
if (get_config()->tls_ticket_key_cipher == EVP_aes_128_cbc()) {
|
||||||
expectedlen = 48;
|
expectedlen = 48;
|
||||||
enc_keylen = 16;
|
enc_keylen = 16;
|
||||||
hmac_keylen = 16;
|
hmac_keylen = 16;
|
||||||
} else if (get_config()->tls_ticket_cipher == EVP_aes_256_cbc()) {
|
} else if (get_config()->tls_ticket_key_cipher == EVP_aes_256_cbc()) {
|
||||||
expectedlen = 80;
|
expectedlen = 80;
|
||||||
enc_keylen = 32;
|
enc_keylen = 32;
|
||||||
hmac_keylen = 32;
|
hmac_keylen = 32;
|
||||||
|
@ -773,7 +773,7 @@ void memcached_get_ticket_key_cb(struct ev_loop *loop, ev_timer *w,
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
auto key = TicketKey();
|
auto key = TicketKey();
|
||||||
key.cipher = get_config()->tls_ticket_cipher;
|
key.cipher = get_config()->tls_ticket_key_cipher;
|
||||||
key.hmac = EVP_sha256();
|
key.hmac = EVP_sha256();
|
||||||
key.hmac_keylen = EVP_MD_size(key.hmac);
|
key.hmac_keylen = EVP_MD_size(key.hmac);
|
||||||
|
|
||||||
|
@ -874,18 +874,18 @@ int event_loop() {
|
||||||
} else {
|
} else {
|
||||||
bool auto_tls_ticket_key = true;
|
bool auto_tls_ticket_key = true;
|
||||||
if (!get_config()->tls_ticket_key_files.empty()) {
|
if (!get_config()->tls_ticket_key_files.empty()) {
|
||||||
if (!get_config()->tls_ticket_cipher_given) {
|
if (!get_config()->tls_ticket_key_cipher_given) {
|
||||||
LOG(WARN)
|
LOG(WARN)
|
||||||
<< "It is strongly recommended to specify "
|
<< "It is strongly recommended to specify "
|
||||||
"--tls-ticket-cipher=aes-128-cbc (or "
|
"--tls-ticket-key-cipher=aes-128-cbc (or "
|
||||||
"tls-ticket-cipher=aes-128-cbc in configuration file) "
|
"tls-ticket-key-cipher=aes-128-cbc in configuration file) "
|
||||||
"when --tls-ticket-key-file is used for the smooth "
|
"when --tls-ticket-key-file is used for the smooth "
|
||||||
"transition when the default value of --tls-ticket-cipher "
|
"transition when the default value of --tls-ticket-key-cipher "
|
||||||
"becomes aes-256-cbc";
|
"becomes aes-256-cbc";
|
||||||
}
|
}
|
||||||
auto ticket_keys = read_tls_ticket_key_file(
|
auto ticket_keys = read_tls_ticket_key_file(
|
||||||
get_config()->tls_ticket_key_files, get_config()->tls_ticket_cipher,
|
get_config()->tls_ticket_key_files,
|
||||||
EVP_sha256());
|
get_config()->tls_ticket_key_cipher, EVP_sha256());
|
||||||
if (!ticket_keys) {
|
if (!ticket_keys) {
|
||||||
LOG(WARN) << "Use internal session ticket key generator";
|
LOG(WARN) << "Use internal session ticket key generator";
|
||||||
} else {
|
} else {
|
||||||
|
@ -1142,8 +1142,8 @@ void fill_default_config() {
|
||||||
mod_config()->header_field_buffer = 64_k;
|
mod_config()->header_field_buffer = 64_k;
|
||||||
mod_config()->max_header_fields = 100;
|
mod_config()->max_header_fields = 100;
|
||||||
mod_config()->downstream_addr_group_catch_all = 0;
|
mod_config()->downstream_addr_group_catch_all = 0;
|
||||||
mod_config()->tls_ticket_cipher = EVP_aes_128_cbc();
|
mod_config()->tls_ticket_key_cipher = EVP_aes_128_cbc();
|
||||||
mod_config()->tls_ticket_cipher_given = false;
|
mod_config()->tls_ticket_key_cipher_given = false;
|
||||||
mod_config()->tls_session_timeout = std::chrono::hours(12);
|
mod_config()->tls_session_timeout = std::chrono::hours(12);
|
||||||
mod_config()->tls_ticket_key_memcached_max_retry = 3;
|
mod_config()->tls_ticket_key_memcached_max_retry = 3;
|
||||||
mod_config()->tls_ticket_key_memcached_max_fail = 2;
|
mod_config()->tls_ticket_key_memcached_max_fail = 2;
|
||||||
|
@ -1461,24 +1461,25 @@ SSL/TLS:
|
||||||
--tls-ticket-key-file=<PATH>
|
--tls-ticket-key-file=<PATH>
|
||||||
Path to file that contains random data to construct TLS
|
Path to file that contains random data to construct TLS
|
||||||
session ticket parameters. If aes-128-cbc is given in
|
session ticket parameters. If aes-128-cbc is given in
|
||||||
--tls-ticket-cipher, the file must contain exactly 48
|
--tls-ticket-key-cipher, the file must contain exactly
|
||||||
bytes. If aes-256-cbc is given in --tls-ticket-cipher,
|
48 bytes. If aes-256-cbc is given in
|
||||||
the file must contain exactly 80 bytes. This options
|
--tls-ticket-key-cipher, the file must contain exactly
|
||||||
can be used repeatedly to specify multiple ticket
|
80 bytes. This options can be used repeatedly to
|
||||||
parameters. If several files are given, only the first
|
specify multiple ticket parameters. If several files
|
||||||
key is used to encrypt TLS session tickets. Other keys
|
are given, only the first key is used to encrypt TLS
|
||||||
are accepted but server will issue new session ticket
|
session tickets. Other keys are accepted but server
|
||||||
with first key. This allows session key rotation.
|
will issue new session ticket with first key. This
|
||||||
Please note that key rotation does not occur
|
allows session key rotation. Please note that key
|
||||||
automatically. User should rearrange files or change
|
rotation does not occur automatically. User should
|
||||||
options values and restart nghttpx gracefully. If
|
rearrange files or change options values and restart
|
||||||
opening or reading given file fails, all loaded keys are
|
nghttpx gracefully. If opening or reading given file
|
||||||
discarded and it is treated as if none of this option is
|
fails, all loaded keys are discarded and it is treated
|
||||||
given. If this option is not given or an error occurred
|
as if none of this option is given. If this option is
|
||||||
while opening or reading a file, key is generated every
|
not given or an error occurred while opening or reading
|
||||||
1 hour internally and they are valid for 12 hours. This
|
a file, key is generated every 1 hour internally and
|
||||||
is recommended if ticket key sharing between nghttpx
|
they are valid for 12 hours. This is recommended if
|
||||||
instances is not required.
|
ticket key sharing between nghttpx instances is not
|
||||||
|
required.
|
||||||
--tls-ticket-key-memcached=<HOST>,<PORT>
|
--tls-ticket-key-memcached=<HOST>,<PORT>
|
||||||
Specify address of memcached server to store session
|
Specify address of memcached server to store session
|
||||||
cache. This enables shared TLS ticket key between
|
cache. This enables shared TLS ticket key between
|
||||||
|
@ -1507,7 +1508,7 @@ SSL/TLS:
|
||||||
disabling TLS ticket until next scheduled key retrieval.
|
disabling TLS ticket until next scheduled key retrieval.
|
||||||
Default: )" << get_config()->tls_ticket_key_memcached_max_fail
|
Default: )" << get_config()->tls_ticket_key_memcached_max_fail
|
||||||
<< R"(
|
<< R"(
|
||||||
--tls-ticket-cipher=<TICKET_CIPHER>
|
--tls-ticket-key-cipher=<CIPHER>
|
||||||
Specify cipher to encrypt TLS session ticket. Specify
|
Specify cipher to encrypt TLS session ticket. Specify
|
||||||
either aes-128-cbc or aes-256-cbc. By default,
|
either aes-128-cbc or aes-256-cbc. By default,
|
||||||
aes-128-cbc is used.
|
aes-128-cbc is used.
|
||||||
|
@ -1885,7 +1886,7 @@ int main(int argc, char **argv) {
|
||||||
{SHRPX_OPT_MAX_HEADER_FIELDS, required_argument, &flag, 81},
|
{SHRPX_OPT_MAX_HEADER_FIELDS, required_argument, &flag, 81},
|
||||||
{SHRPX_OPT_ADD_REQUEST_HEADER, required_argument, &flag, 82},
|
{SHRPX_OPT_ADD_REQUEST_HEADER, required_argument, &flag, 82},
|
||||||
{SHRPX_OPT_INCLUDE, required_argument, &flag, 83},
|
{SHRPX_OPT_INCLUDE, required_argument, &flag, 83},
|
||||||
{SHRPX_OPT_TLS_TICKET_CIPHER, required_argument, &flag, 84},
|
{SHRPX_OPT_TLS_TICKET_KEY_CIPHER, required_argument, &flag, 84},
|
||||||
{SHRPX_OPT_HOST_REWRITE, no_argument, &flag, 85},
|
{SHRPX_OPT_HOST_REWRITE, no_argument, &flag, 85},
|
||||||
{SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED, required_argument, &flag, 86},
|
{SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED, required_argument, &flag, 86},
|
||||||
{SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED, required_argument, &flag, 87},
|
{SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED, required_argument, &flag, 87},
|
||||||
|
@ -2262,8 +2263,8 @@ int main(int argc, char **argv) {
|
||||||
cmdcfgs.emplace_back(SHRPX_OPT_INCLUDE, optarg);
|
cmdcfgs.emplace_back(SHRPX_OPT_INCLUDE, optarg);
|
||||||
break;
|
break;
|
||||||
case 84:
|
case 84:
|
||||||
// --tls-ticket-cipher
|
// --tls-ticket-key-cipher
|
||||||
cmdcfgs.emplace_back(SHRPX_OPT_TLS_TICKET_CIPHER, optarg);
|
cmdcfgs.emplace_back(SHRPX_OPT_TLS_TICKET_KEY_CIPHER, optarg);
|
||||||
break;
|
break;
|
||||||
case 85:
|
case 85:
|
||||||
// --host-rewrite
|
// --host-rewrite
|
||||||
|
|
|
@ -704,7 +704,7 @@ enum {
|
||||||
SHRPX_OPTID_SYSLOG_FACILITY,
|
SHRPX_OPTID_SYSLOG_FACILITY,
|
||||||
SHRPX_OPTID_TLS_PROTO_LIST,
|
SHRPX_OPTID_TLS_PROTO_LIST,
|
||||||
SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED,
|
SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED,
|
||||||
SHRPX_OPTID_TLS_TICKET_CIPHER,
|
SHRPX_OPTID_TLS_TICKET_KEY_CIPHER,
|
||||||
SHRPX_OPTID_TLS_TICKET_KEY_FILE,
|
SHRPX_OPTID_TLS_TICKET_KEY_FILE,
|
||||||
SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED,
|
SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED,
|
||||||
SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_INTERVAL,
|
SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_INTERVAL,
|
||||||
|
@ -1003,11 +1003,6 @@ int option_lookup_token(const char *name, size_t namelen) {
|
||||||
return SHRPX_OPTID_WORKER_WRITE_RATE;
|
return SHRPX_OPTID_WORKER_WRITE_RATE;
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case 'r':
|
|
||||||
if (util::strieq_l("tls-ticket-ciphe", name, 16)) {
|
|
||||||
return SHRPX_OPTID_TLS_TICKET_CIPHER;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
case 's':
|
case 's':
|
||||||
if (util::strieq_l("max-header-field", name, 16)) {
|
if (util::strieq_l("max-header-field", name, 16)) {
|
||||||
return SHRPX_OPTID_MAX_HEADER_FIELDS;
|
return SHRPX_OPTID_MAX_HEADER_FIELDS;
|
||||||
|
@ -1094,6 +1089,11 @@ int option_lookup_token(const char *name, size_t namelen) {
|
||||||
return SHRPX_OPTID_BACKEND_TLS_SNI_FIELD;
|
return SHRPX_OPTID_BACKEND_TLS_SNI_FIELD;
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
case 'r':
|
||||||
|
if (util::strieq_l("tls-ticket-key-ciphe", name, 20)) {
|
||||||
|
return SHRPX_OPTID_TLS_TICKET_KEY_CIPHER;
|
||||||
|
}
|
||||||
|
break;
|
||||||
case 't':
|
case 't':
|
||||||
if (util::strieq_l("backend-write-timeou", name, 20)) {
|
if (util::strieq_l("backend-write-timeou", name, 20)) {
|
||||||
return SHRPX_OPTID_BACKEND_WRITE_TIMEOUT;
|
return SHRPX_OPTID_BACKEND_WRITE_TIMEOUT;
|
||||||
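Review bot: The lookup now recognises only the new spelling, because the `case 'r'` entry matching `"tls-ticket-ciphe"` was deleted in the earlier hunk of option_lookup_token and the replacement entry added here matches only `"tls-ticket-key-ciphe"`; an existing configuration file or command line that still says `tls-ticket-cipher` will therefore be rejected as an unknown option instead of being mapped to the renamed one. The two entries sit in different groups, presumably because the table is keyed by option length first, so restoring compatibility means keeping the old match in its original group: `if (util::strieq_l("tls-ticket-ciphe", name, 16)) { return SHRPX_OPTID_TLS_TICKET_KEY_CIPHER; }`, ideally with a deprecation warning emitted where the option is parsed. If a hard break is intended, the commit message and the changelog should say so, since the event_loop warning text in src/shrpx.cc tells operators to set exactly this option. option_lookup_token starts and ends outside the hunk.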
|
@ -1879,17 +1879,17 @@ int parse_config(const char *opt, const char *optarg,
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
case SHRPX_OPTID_TLS_TICKET_CIPHER:
|
case SHRPX_OPTID_TLS_TICKET_KEY_CIPHER:
|
||||||
if (util::strieq(optarg, "aes-128-cbc")) {
|
if (util::strieq(optarg, "aes-128-cbc")) {
|
||||||
mod_config()->tls_ticket_cipher = EVP_aes_128_cbc();
|
mod_config()->tls_ticket_key_cipher = EVP_aes_128_cbc();
|
||||||
} else if (util::strieq(optarg, "aes-256-cbc")) {
|
} else if (util::strieq(optarg, "aes-256-cbc")) {
|
||||||
mod_config()->tls_ticket_cipher = EVP_aes_256_cbc();
|
mod_config()->tls_ticket_key_cipher = EVP_aes_256_cbc();
|
||||||
} else {
|
} else {
|
||||||
LOG(ERROR) << opt
|
LOG(ERROR) << opt
|
||||||
<< ": unsupported cipher for ticket encryption: " << optarg;
|
<< ": unsupported cipher for ticket encryption: " << optarg;
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
mod_config()->tls_ticket_cipher_given = true;
|
mod_config()->tls_ticket_key_cipher_given = true;
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
case SHRPX_OPTID_HOST_REWRITE:
|
case SHRPX_OPTID_HOST_REWRITE:
|
||||||
|
|
|
@ -171,7 +171,7 @@ constexpr char SHRPX_OPT_NO_OCSP[] = "no-ocsp";
|
||||||
constexpr char SHRPX_OPT_HEADER_FIELD_BUFFER[] = "header-field-buffer";
|
constexpr char SHRPX_OPT_HEADER_FIELD_BUFFER[] = "header-field-buffer";
|
||||||
constexpr char SHRPX_OPT_MAX_HEADER_FIELDS[] = "max-header-fields";
|
constexpr char SHRPX_OPT_MAX_HEADER_FIELDS[] = "max-header-fields";
|
||||||
constexpr char SHRPX_OPT_INCLUDE[] = "include";
|
constexpr char SHRPX_OPT_INCLUDE[] = "include";
|
||||||
constexpr char SHRPX_OPT_TLS_TICKET_CIPHER[] = "tls-ticket-cipher";
|
constexpr char SHRPX_OPT_TLS_TICKET_KEY_CIPHER[] = "tls-ticket-key-cipher";
|
||||||
constexpr char SHRPX_OPT_HOST_REWRITE[] = "host-rewrite";
|
constexpr char SHRPX_OPT_HOST_REWRITE[] = "host-rewrite";
|
||||||
constexpr char SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED[] =
|
constexpr char SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED[] =
|
||||||
"tls-session-cache-memcached";
|
"tls-session-cache-memcached";
|
||||||
|
@ -320,7 +320,7 @@ struct Config {
|
||||||
nghttp2_session_callbacks *http2_downstream_callbacks;
|
nghttp2_session_callbacks *http2_downstream_callbacks;
|
||||||
nghttp2_option *http2_option;
|
nghttp2_option *http2_option;
|
||||||
nghttp2_option *http2_client_option;
|
nghttp2_option *http2_client_option;
|
||||||
const EVP_CIPHER *tls_ticket_cipher;
|
const EVP_CIPHER *tls_ticket_key_cipher;
|
||||||
const char *server_name;
|
const char *server_name;
|
||||||
char **argv;
|
char **argv;
|
||||||
char *cwd;
|
char *cwd;
|
||||||
|
@ -403,8 +403,8 @@ struct Config {
|
||||||
// true if host contains UNIX domain socket path
|
// true if host contains UNIX domain socket path
|
||||||
bool host_unix;
|
bool host_unix;
|
||||||
bool no_ocsp;
|
bool no_ocsp;
|
||||||
// true if --tls-ticket-cipher is used
|
// true if --tls-ticket-key-cipher is used
|
||||||
bool tls_ticket_cipher_given;
|
bool tls_ticket_key_cipher_given;
|
||||||
};
|
};
|
||||||
|
|
||||||
const Config *get_config();
|
const Config *get_config();
|
||||||
|
|
|
@ -338,7 +338,7 @@ int ticket_key_cb(SSL *ssl, unsigned char *key_name, unsigned char *iv,
|
||||||
|
|
||||||
std::copy(std::begin(key.data.name), std::end(key.data.name), key_name);
|
std::copy(std::begin(key.data.name), std::end(key.data.name), key_name);
|
||||||
|
|
||||||
EVP_EncryptInit_ex(ctx, get_config()->tls_ticket_cipher, nullptr,
|
EVP_EncryptInit_ex(ctx, get_config()->tls_ticket_key_cipher, nullptr,
|
||||||
key.data.enc_key.data(), iv);
|
key.data.enc_key.data(), iv);
|
||||||
HMAC_Init_ex(hctx, key.data.hmac_key.data(), key.hmac_keylen, key.hmac,
|
HMAC_Init_ex(hctx, key.data.hmac_key.data(), key.hmac_keylen, key.hmac,
|
||||||
nullptr);
|
nullptr);
|
||||||
|
|