WolfSSL
/
wolfssl-nginx
mirror of https://github.com/wolfSSL/wolfssl-nginx.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Update for Nginx 1.13.2 support in wolfSSL

pull/2/head
Sean Parkinson 2017-07-03 18:34:36 +10:00
parent 4c03ea76a7
commit 795e3c9f68
5 changed files with 249 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
README.md
View File

@ -7,6 +7,7 @@ and recompilation is required.
The tested versions:
- wolfSSL 3.11
- Nginx 1.13.2
- Nginx 1.12.0
- Nginx 1.11.13
- Nginx 1.11.10
@ -42,9 +43,8 @@ There will be skips of SSL tests for the following reasons:
- no multiple certificates (ssl_certificate.t)
- many not work, leaves coredump (ssl_engine_keys.t)
-There will be failures of SSL tests for the following reasons:
- - no support for setting verification depth
- - no support for certificate authorities in certificate request ("no trusted sent")
No failure of SSL tests are expected.
Note: the file ssl_ecc.t in wolfssl-nginx can be used with the Nginx test
system.

19
conf/nginx.conf
View File

@ -99,6 +99,25 @@ http {
index index.html;
}
}
# Using TLS v1.3
server {
listen 11447 ssl;
server_name localhost;
ssl_certificate cert.pem;
ssl_certificate_key cert.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html;
}
}
# Session ticket
server {

15
nginx-1.13.2-wolfssl-debug.patch 100644
View File

@ -0,0 +1,15 @@
diff -ur nginx-1.13.2-wolfssl/src/event/ngx_event_openssl.c nginx-1.13.2-wolfssl-debug/src/event/ngx_event_openssl.c
--- nginx-1.13.2-wolfssl/src/event/ngx_event_openssl.c 2017-06-29 10:18:05.421755825 +1000
+++ nginx-1.13.2-wolfssl-debug/src/event/ngx_event_openssl.c 2017-06-29 10:46:26.172278923 +1000
@@ -144,6 +144,11 @@
#endif
+#ifdef WOLFSSL_NGINX
+ /* Turn on internal wolfssl debugging to stdout */
+ wolfSSL_Debugging_ON();
+#endif
+
#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
#ifndef SSL_OP_NO_COMPRESSION
{

197
nginx-1.13.2-wolfssl.patch 100644
View File

@ -0,0 +1,197 @@
diff -ur nginx-1.13.2/auto/lib/openssl/conf nginx-1.13.2-wolfssl/auto/lib/openssl/conf
--- nginx-1.13.2/auto/lib/openssl/conf 2017-06-28 00:44:19.000000000 +1000
+++ nginx-1.13.2-wolfssl/auto/lib/openssl/conf 2017-06-29 10:18:05.421755825 +1000
@@ -61,8 +61,33 @@
ngx_feature_path=
ngx_feature_libs="-lssl -lcrypto $NGX_LIBDL"
ngx_feature_test="SSL_CTX_set_options(NULL, 0)"
+
+ if [ $WOLFSSL != NONE ]; then
+ ngx_feature="wolfSSL library in $WOLFSSL"
+ ngx_feature_path="$WOLFSSL/include/wolfssl"
+
+ if [ $NGX_RPATH = YES ]; then
+ ngx_feature_libs="-R$WOLFSSL/lib -L$WOLFSSL/lib -lwolfssl $NGX_LIBDL"
+ else
+ ngx_feature_libs="-L$WOLFSSL/lib -lwolfssl $NGX_LIBDL"
+ fi
+
+ CORE_INCS="$CORE_INCS $WOLFSSL/include/wolfssl"
+ CFLAGS="$CFLAGS -DWOLFSSL_NGINX"
+ fi
+
. auto/feature
+ if [ $WOLFSSL != NONE -a $ngx_found = no ]; then
+cat << END
+
+$0: error: Could not find wolfSSL at $WOLFSSL/include/wolfssl.
+SSL modules require the wolfSSL library.
+
+END
+ exit 1
+ fi
+
if [ $ngx_found = no ]; then
# FreeBSD port
diff -ur nginx-1.13.2/auto/options nginx-1.13.2-wolfssl/auto/options
--- nginx-1.13.2/auto/options 2017-06-28 00:44:19.000000000 +1000
+++ nginx-1.13.2-wolfssl/auto/options 2017-06-29 10:18:05.421755825 +1000
@@ -143,6 +143,7 @@
USE_OPENSSL=NO
OPENSSL=NONE
+WOLFSSL=NONE
USE_ZLIB=NO
ZLIB=NONE
@@ -345,6 +346,7 @@
--with-pcre-opt=*) PCRE_OPT="$value" ;;
--with-pcre-jit) PCRE_JIT=YES ;;
+ --with-wolfssl=*) WOLFSSL="$value" ;;
--with-openssl=*) OPENSSL="$value" ;;
--with-openssl-opt=*) OPENSSL_OPT="$value" ;;
@@ -563,6 +565,7 @@
--with-libatomic force libatomic_ops library usage
--with-libatomic=DIR set path to libatomic_ops library sources
+ --with-wolfssl=DIR set path to wolfSSL headers and library
--with-openssl=DIR set path to OpenSSL library sources
--with-openssl-opt=OPTIONS set additional build options for OpenSSL
diff -ur nginx-1.13.2/src/event/ngx_event_openssl.c nginx-1.13.2-wolfssl/src/event/ngx_event_openssl.c
--- nginx-1.13.2/src/event/ngx_event_openssl.c 2017-06-28 00:44:20.000000000 +1000
+++ nginx-1.13.2-wolfssl/src/event/ngx_event_openssl.c 2017-06-29 10:18:05.421755825 +1000
@@ -346,6 +346,10 @@
SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);
+#ifdef WOLFSSL_NGINX
+ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_NONE, NULL);
+#endif
+
return NGX_OK;
}
@@ -654,6 +658,14 @@
ngx_int_t
+ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl)
+{
+ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback);
+
+ return NGX_OK;
+}
+
+ngx_int_t
ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
ngx_int_t depth)
{
Only in nginx-1.13.2-wolfssl/src/event: .ngx_event_openssl.c.swp
diff -ur nginx-1.13.2/src/event/ngx_event_openssl.h nginx-1.13.2-wolfssl/src/event/ngx_event_openssl.h
--- nginx-1.13.2/src/event/ngx_event_openssl.h 2017-06-28 00:44:20.000000000 +1000
+++ nginx-1.13.2-wolfssl/src/event/ngx_event_openssl.h 2017-06-29 10:33:37.484896533 +1000
@@ -54,7 +54,7 @@
#define ngx_ssl_conn_t SSL
-#if (OPENSSL_VERSION_NUMBER < 0x10002000L)
+#if (OPENSSL_VERSION_NUMBER < 0x10002000L) && !defined(WOLFSSL_NGINX)
#define SSL_is_server(s) (s)->server
#endif
@@ -153,6 +153,7 @@
ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords);
ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
ngx_uint_t prefer_server_ciphers);
+ngx_int_t ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl);
ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_str_t *cert, ngx_int_t depth);
ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
diff -ur nginx-1.13.2/src/event/ngx_event_openssl_stapling.c nginx-1.13.2-wolfssl/src/event/ngx_event_openssl_stapling.c
--- nginx-1.13.2/src/event/ngx_event_openssl_stapling.c 2017-06-28 00:44:20.000000000 +1000
+++ nginx-1.13.2-wolfssl/src/event/ngx_event_openssl_stapling.c 2017-06-29 10:18:05.421755825 +1000
@@ -313,7 +313,9 @@
for (i = 0; i < n; i++) {
issuer = sk_X509_value(chain, i);
if (X509_check_issued(issuer, cert) == X509_V_OK) {
-#if OPENSSL_VERSION_NUMBER >= 0x10100001L
+#ifdef WOLFSSL_NGINX
+ issuer = X509_dup(issuer);
+#elif OPENSSL_VERSION_NUMBER >= 0x10100001L
X509_up_ref(issuer);
#else
CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
diff -ur nginx-1.13.2/src/http/modules/ngx_http_proxy_module.c nginx-1.13.2-wolfssl/src/http/modules/ngx_http_proxy_module.c
--- nginx-1.13.2/src/http/modules/ngx_http_proxy_module.c 2017-06-28 00:44:20.000000000 +1000
+++ nginx-1.13.2-wolfssl/src/http/modules/ngx_http_proxy_module.c 2017-06-29 10:18:05.421755825 +1000
@@ -4373,6 +4373,8 @@
return NGX_ERROR;
}
+ ngx_ssl_set_verify_on(cf, plcf->upstream.ssl);
+
if (ngx_ssl_trusted_certificate(cf, plcf->upstream.ssl,
&plcf->ssl_trusted_certificate,
plcf->ssl_verify_depth)
diff -ur nginx-1.13.2/src/http/modules/ngx_http_ssl_module.c nginx-1.13.2-wolfssl/src/http/modules/ngx_http_ssl_module.c
--- nginx-1.13.2/src/http/modules/ngx_http_ssl_module.c 2017-06-28 00:44:20.000000000 +1000
+++ nginx-1.13.2-wolfssl/src/http/modules/ngx_http_ssl_module.c 2017-06-29 10:18:05.421755825 +1000
@@ -14,7 +14,11 @@
ngx_pool_t *pool, ngx_str_t *s);
+#ifndef WOLFSSL_NGINX
#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
+#else
+#define NGX_DEFAULT_CIPHERS "ALL"
+#endif
#define NGX_DEFAULT_ECDH_CURVE "auto"
#define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1"
diff -ur nginx-1.13.2/src/mail/ngx_mail_ssl_module.c nginx-1.13.2-wolfssl/src/mail/ngx_mail_ssl_module.c
--- nginx-1.13.2/src/mail/ngx_mail_ssl_module.c 2017-06-28 00:44:21.000000000 +1000
+++ nginx-1.13.2-wolfssl/src/mail/ngx_mail_ssl_module.c 2017-06-29 10:18:05.421755825 +1000
@@ -10,7 +10,11 @@
#include <ngx_mail.h>
+#ifndef WOLFSSL_NGINX
#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
+#else
+#define NGX_DEFAULT_CIPHERS "ALL"
+#endif
#define NGX_DEFAULT_ECDH_CURVE "auto"
diff -ur nginx-1.13.2/src/stream/ngx_stream_proxy_module.c nginx-1.13.2-wolfssl/src/stream/ngx_stream_proxy_module.c
--- nginx-1.13.2/src/stream/ngx_stream_proxy_module.c 2017-06-28 00:44:22.000000000 +1000
+++ nginx-1.13.2-wolfssl/src/stream/ngx_stream_proxy_module.c 2017-06-29 10:18:05.421755825 +1000
@@ -1989,6 +1989,8 @@
return NGX_ERROR;
}
+ ngx_ssl_set_verify_on(cf, pscf->ssl);
+
if (ngx_ssl_trusted_certificate(cf, pscf->ssl,
&pscf->ssl_trusted_certificate,
pscf->ssl_verify_depth)
diff -ur nginx-1.13.2/src/stream/ngx_stream_ssl_module.c nginx-1.13.2-wolfssl/src/stream/ngx_stream_ssl_module.c
--- nginx-1.13.2/src/stream/ngx_stream_ssl_module.c 2017-06-28 00:44:22.000000000 +1000
+++ nginx-1.13.2-wolfssl/src/stream/ngx_stream_ssl_module.c 2017-06-29 10:18:05.421755825 +1000
@@ -14,7 +14,11 @@
ngx_pool_t *pool, ngx_str_t *s);
+#ifndef WOLFSSL_NGINX
#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
+#else
+#define NGX_DEFAULT_CIPHERS "ALL"
+#endif
#define NGX_DEFAULT_ECDH_CURVE "auto"

18
test.sh
View File

@ -9,7 +9,7 @@ if [ "$WOLFSSL_SOURCE" = "" ]; then
fi
WOLFSSL_CLIENT="./examples/client/client"
WOLFSSL_OCSP_CERTS="${WOLFSSL_SOURCE}/certs/ocsp"
NGINX_CONF="./conf"
NGINX_CONF="./conf/nginx.conf"
CLIENT_TMP="/tmp/nginx_client.$$"
SERVER_TMP="/tmp/nginx_server.$$"
OCSP_GOOD="ocsp-good-status.der"
@ -80,9 +80,11 @@ UNKNOWN=0
run_nginx() {
# valgrind --leak-check=full
echo ${NGINX_BIN} -p ${WN_PATH} \
-c $NGINX_CONF \
-g "error_log ${WN_ERROR_LOG} debug;" \
${NGINX_OPTS}
${NGINX_BIN} -p ${WN_PATH} \
-c $NGINX_CONF \
-g "error_log ${WN_ERROR_LOG} debug;" \
${NGINX_OPTS}
RES=$?
@ -155,11 +157,11 @@ client() {
check_log
}
client_test() {
OPTS="$OPTS -r -g"
OPTS="$OPTS -r"
client
}
stapling_test() {
OPTS="$OPTS -g -C -A ${WOLFSSL_OCSP_CERTS}/root-ca-cert.pem -W 1"
OPTS="$OPTS -C -A ${WOLFSSL_OCSP_CERTS}/root-ca-cert.pem -W 1"
client
}
@ -236,6 +238,16 @@ echo "# Port: $PORT"
OPTS=
EXPECT=("SECP256R1" "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" "HTTP/1.1 200 OK")
client_test
# TLS v1.3
echo
echo '#'
echo '# TLS v1.3 client connecting to nginx server'
echo '#'
PORT=11447
echo "# Port: $PORT"
OPTS="-v 4"
EXPECT=("SECP256R1" "TLS_AES_128_GCM_SHA256" "HTTP/1.1 200 OK")
client_test
# Session tickets file
echo
echo '#'