nghttpx: Add --curves option to specify supported elliptic curves
This commit is contained in:
Tatsuhiro Tsujikawa
parent
6b8b426342
commit
e278893b64
|
|
@ -107,7 +107,8 @@ OPTIONS = [
|
|||
"add-forwarded",
|
||||
"strip-incoming-forwarded",
|
||||
"forwarded-by",
|
||||
"forwarded-for"
|
||||
"forwarded-for",
|
||||
"curves"
|
||||
]
|
||||
|
||||
LOGVARS = [
|
||||
|
|
|
|||
12
src/shrpx.cc
12
src/shrpx.cc
|
|
@ -933,6 +933,7 @@ void fill_default_config() {
|
|||
dyn_recconf.idle_timeout = 1_s;
|
||||
|
||||
tlsconf.session_timeout = std::chrono::hours(12);
|
||||
tlsconf.curves = "P-256";
|
||||
}
|
||||
|
||||
auto &httpconf = mod_config()->http;
|
||||
|
|
@ -1437,6 +1438,12 @@ SSL/TLS:
|
|||
TLS HTTP/2 backends.
|
||||
Default: )"
|
||||
<< util::duration_str(get_config()->tls.dyn_rec.idle_timeout) << R"(
|
||||
--curves=<CURVES>
|
||||
Specify supported elliptic curves in frontend TLS
|
||||
connection. The <CURVES> must be a colon separated list
|
||||
of curves. The curve name is either NIST name (e.g.,
|
||||
"P-256") or OpenSSL OID name (e.g., "prime256v1").
|
||||
Default: )" << get_config()->tls.curves << R"(
|
||||
|
||||
HTTP/2 and SPDY:
|
||||
-c, --http2-max-concurrent-streams=<N>
|
||||
|
|
@ -2212,6 +2219,7 @@ int main(int argc, char **argv) {
|
|||
{SHRPX_OPT_STRIP_INCOMING_FORWARDED, no_argument, &flag, 98},
|
||||
{SHRPX_OPT_FORWARDED_BY, required_argument, &flag, 99},
|
||||
{SHRPX_OPT_FORWARDED_FOR, required_argument, &flag, 100},
|
||||
{SHRPX_OPT_CURVES, required_argument, &flag, 101},
|
||||
{nullptr, 0, nullptr, 0}};
|
||||
|
||||
int option_index = 0;
|
||||
|
|
@ -2641,6 +2649,10 @@ int main(int argc, char **argv) {
|
|||
// --forwarded-for
|
||||
cmdcfgs.emplace_back(SHRPX_OPT_FORWARDED_FOR, optarg);
|
||||
break;
|
||||
case 101:
|
||||
// --curves
|
||||
cmdcfgs.emplace_back(SHRPX_OPT_CURVES, optarg);
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -694,6 +694,7 @@ enum {
|
|||
SHRPX_OPTID_CLIENT_PRIVATE_KEY_FILE,
|
||||
SHRPX_OPTID_CLIENT_PROXY,
|
||||
SHRPX_OPTID_CONF,
|
||||
SHRPX_OPTID_CURVES,
|
||||
SHRPX_OPTID_DAEMON,
|
||||
SHRPX_OPTID_DH_PARAM_FILE,
|
||||
SHRPX_OPTID_ERRORLOG_FILE,
|
||||
|
|
@ -803,6 +804,11 @@ int option_lookup_token(const char *name, size_t namelen) {
|
|||
return SHRPX_OPTID_DAEMON;
|
||||
}
|
||||
break;
|
||||
case 's':
|
||||
if (util::strieq_l("curve", name, 5)) {
|
||||
return SHRPX_OPTID_CURVES;
|
||||
}
|
||||
break;
|
||||
case 't':
|
||||
if (util::strieq_l("cacer", name, 5)) {
|
||||
return SHRPX_OPTID_CACERT;
|
||||
|
|
@ -2152,6 +2158,13 @@ int parse_config(const char *opt, const char *optarg,
|
|||
|
||||
return 0;
|
||||
}
|
||||
case SHRPX_OPTID_CURVES:
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
|
||||
mod_config()->tls.curves = optarg;
|
||||
#else // OPENSSL_VERSION_NUMBER < 0x10002000L
|
||||
LOG(WARN) << opt << ": this option requires OpenSSL >= 1.0.2.";
|
||||
#endif // OPENSSL_VERSION_NUMBER < 0x10002000L
|
||||
return 0;
|
||||
case SHRPX_OPTID_CONF:
|
||||
LOG(WARN) << "conf: ignored";
|
||||
|
||||
|
|
|
|||
|
|
@ -196,6 +196,7 @@ constexpr char SHRPX_OPT_STRIP_INCOMING_FORWARDED[] =
|
|||
"strip-incoming-forwarded";
|
||||
constexpr static char SHRPX_OPT_FORWARDED_BY[] = "forwarded-by";
|
||||
constexpr char SHRPX_OPT_FORWARDED_FOR[] = "forwarded-for";
|
||||
constexpr char SHRPX_OPT_CURVES[] = "curves";
|
||||
|
||||
constexpr size_t SHRPX_OBFUSCATED_NODE_LENGTH = 8;
|
||||
|
||||
|
|
@ -366,6 +367,9 @@ struct TLSConfig {
|
|||
// passed to SSL_CTX_set_options().
|
||||
long int tls_proto_mask;
|
||||
std::string backend_sni_name;
|
||||
// Supported elliptic curves, separated by colon (':'). This is
|
||||
// directly passed to OpenSSL configuration function.
|
||||
std::string curves;
|
||||
std::chrono::seconds session_timeout;
|
||||
std::unique_ptr<char[]> private_key_file;
|
||||
std::unique_ptr<char[]> private_key_passwd;
|
||||
|
|
|
|||
|
|
@ -506,13 +506,28 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file
|
|||
}
|
||||
|
||||
#ifndef OPENSSL_NO_EC
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
|
||||
auto conf_ctx = SSL_CONF_CTX_new();
|
||||
|
||||
// Disabled SSL_CTX_set_ecdh_auto, because computational cost of
|
||||
// chosen curve is much higher than P-256.
|
||||
SSL_CONF_CTX_set_flags(conf_ctx, SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_FILE);
|
||||
SSL_CONF_CTX_set_ssl_ctx(conf_ctx, ssl_ctx);
|
||||
|
||||
// #if OPENSSL_VERSION_NUMBER >= 0x10002000L
|
||||
// SSL_CTX_set_ecdh_auto(ssl_ctx, 1);
|
||||
// #else // OPENSSL_VERSION_NUBMER < 0x10002000L
|
||||
if (!tlsconf.curves.empty()) {
|
||||
if (SSL_CONF_cmd(conf_ctx, "Curves", tlsconf.curves.c_str()) != 2) {
|
||||
LOG(FATAL) << "Setting named curves failed: "
|
||||
<< ERR_error_string(ERR_get_error(), nullptr);
|
||||
DIE();
|
||||
}
|
||||
}
|
||||
|
||||
if (SSL_CONF_CTX_finish(conf_ctx) == 0) {
|
||||
LOG(FATAL) << "Configuring SSL_CTX failed: "
|
||||
<< ERR_error_string(ERR_get_error(), nullptr);
|
||||
DIE();
|
||||
}
|
||||
|
||||
SSL_CONF_CTX_free(conf_ctx);
|
||||
#else // OPENSSL_VERSION_NUBMER < 0x10002000L
|
||||
// Use P-256, which is sufficiently secure at the time of this
|
||||
// writing.
|
||||
auto ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
|
||||
|
|
@ -523,7 +538,7 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file
|
|||
}
|
||||
SSL_CTX_set_tmp_ecdh(ssl_ctx, ecdh);
|
||||
EC_KEY_free(ecdh);
|
||||
// #endif // OPENSSL_VERSION_NUBMER < 0x10002000L
|
||||
#endif // OPENSSL_VERSION_NUBMER < 0x10002000L
|
||||
|
||||
#endif // OPENSSL_NO_EC
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue