RE: PSK Support
Maxim, The biggest downside that I can see to the dummy certificate approach is documentation. Using a dummy certificate wasn't immediately obvious to me, though perhaps my familiarity with OpenSSL's "nocert" option may have affected that. Which do you think would be easier for the user to find in the documentation: 1) a description of the dummy certificate approach under the "ssl_certificate" directive, 2) a separate directive ("ssl_nocert"), or 3) an explicit option to the "ssl_certificate" directive (e.g., " Syntax: ssl_certificate file | off;")? I'm OK with changing it to read from a password file (formatted in a manner similar to stunnel) that is searched as needed (an "ssl_psk_file" directive). Would it be OK to support multiple files and stipulate that files are searched in the order that they are included in nginx.conf? Can we support both ASCII and binary PSKs? RFC 4279 section 5.4 seems to require both types, and I need binary keys for my application :). Maybe a parameter to the "ssl_psk_file" directive could indicate how the PSKs are stored in the file? Thanks, Nate -Original Message- From: nginx-devel [mailto:nginx-devel-boun...@nginx.org] On Behalf Of Maxim Dounin Sent: Monday, June 05, 2017 1:40 PM To: nginx-devel@nginx.org Subject: Re: PSK Support Hello! On Mon, Jun 05, 2017 at 02:08:15PM +, Karstens, Nate wrote: > Maxim, > > Thanks for the reply. I understand your concerns about PSK. We > discussed it quite a bit, but ultimately decided that a PKI was not > practical for our environment. We have to rely on the end user to > configure security and any solution using PKI would be so difficult to > work with that they just wouldn't bother with security at all. Ok, understood. I think that PSK can be a reasonable alternative to using plain http in many cases. > I considered some alternatives on the "ssl_nocert" option. My > preference would have been to analyze the supported cipher suites > (from "ssl_ciphers") and determine if any include a PSK, but it does > not look like OpenSSL exposes APIs to accomplish this. By default, nginx uses "HIGH:!aNULL:!MD5" as ciphers list, and this includes various PSK ciphers as well, so this approach doesn't look working even if there were appropriate APIs. > Using a dummy certificate seemed more complicated than the other two > suggestions you had (using "ssl_certificate" with a value of "off" or > disabling the tests if there are PSK secrets), so I'd prefer one of > those two. What is your preference? Using a dummy certificate has an obvious benefit of not requiring any changes to the code, and might actually be a good starting option. Disabling the tests with PSK secrets might not work as expected when they are defined at the http{} level. Using "ssl_certificate off" is obviously most explicit of all options, but I would rather consider a dummy certificate instead for now, as long as there are no other downsides. > One advantage of the PSK path concept is that it provides a lot of > flexibility. It allows, for example, multiple applications to each > independently manage their own PSKs without the need to coordinate > changes to a single file (note that in this scenario each application > would want to use $ssl_psk_identity to check the key). On the one hand, it is a plus. On the other - it is a nightmare when something goes wrong. I would rather avoid such approach. > stunnel uses a single file and seems to assume that keys will be ASCII > strings. Its format, for example, would not allow NUL to appear in the > string, as that would terminate the key early and, at best, lead to a > reduced key size. Yes, and stunnel author considers this to be a feature, see https://www.stunnel.org/pipermail/stunnel-users/2015-October/005275.html. If you are targeting end-users, it might be actually easier to use sufficiently long printable keys then arbitrary binary strings. > I might be mistaken, but wouldn't changing a certificate also require > reloading the configuration? Do you have some ideas on how this could > be done without requiring a reload? Yes, changing a certificate requires a reload. But the "path" concept is generally used in SSL where appropriate filesystem lookups are done on the fly, in contrast to loading a file into memory and then working with the data from memory. Consider "openssl verify -CApath" vs. "openssl verify -CAfile". Additionally, PSK keys look much more dynamic than certificates, as adding a user requires configuration changes. With PKI, you don't need any certificate changes on the server to add a user. With PSK, you have to add a key to introduce a new user. Overall, PSK seems to be very close to basic authentication, and it might worth looking how it is implemented in the auth_basic module (in short: the password file is searched on each request). -- Maxim Dounin http://nginx.org/ ___ nginx-devel mailing list
Re: [PATCH] Use .exe for binaries for all win32 compilers
Hello! On Tue, Jun 06, 2017 at 05:54:01PM +0300, Orgad Shaneh wrote: > > http://mailman.nginx.org/pipermail/nginx-devel/2016-December/009234.html > > Thanks. It is needed with MSYS2 / gcc. Proposing a new patch: > > --- > auto/cc/bcc | 1 - > auto/cc/conf | 7 ++- > auto/cc/msvc | 1 - > auto/cc/owc | 1 - > 4 files changed, 6 insertions(+), 4 deletions(-) > > diff --git a/auto/cc/bcc b/auto/cc/bcc > index ec82e60f..e990a9f7 100644 > --- a/auto/cc/bcc > +++ b/auto/cc/bcc > @@ -62,7 +62,6 @@ ngx_include_opt="-I" > ngx_objout="-o" > ngx_binout="-e" > ngx_objext="obj" > -ngx_binext=".exe" > > ngx_long_start='@&&| > ' > diff --git a/auto/cc/conf b/auto/cc/conf > index afbca62b..7e1186b5 100644 > --- a/auto/cc/conf > +++ b/auto/cc/conf > @@ -14,9 +14,14 @@ ngx_pic_opt="-fPIC" > ngx_objout="-o " > ngx_binout="-o " > ngx_objext="o" > -ngx_binext= > ngx_modext=".so" > > +if [ "$NGX_PLATFORM" = win32 ]; then > +ngx_binext=".exe" > +else > +ngx_binext= > +fi > + > ngx_long_start= > ngx_long_end= > Looking more at this I tend to think that a better place would be to redefine it in auto/os/win32, like this: diff --git a/auto/os/win32 b/auto/os/win32 --- a/auto/os/win32 +++ b/auto/os/win32 @@ -13,6 +13,7 @@ NGX_ICONS="$NGX_WIN32_ICONS" SELECT_SRCS=$WIN32_SELECT_SRCS ngx_pic_opt= +ngx_binext=".exe" case "$NGX_CC_NAME" in Full patch modified accordingly provided below. Please test if it works for you. # HG changeset patch # User Orgad Shaneh# Date 1496767054 -10800 # Tue Jun 06 19:37:34 2017 +0300 # Node ID 6c9b1238cf5c99ffc5a8a449ce738606e312350e # Parent 23bea7aaebe287722ec5b5252e145da55d7906a9 Configure: use .exe for binaries for all win32 compilers. diff --git a/auto/cc/bcc b/auto/cc/bcc --- a/auto/cc/bcc +++ b/auto/cc/bcc @@ -62,7 +62,6 @@ ngx_include_opt="-I" ngx_objout="-o" ngx_binout="-e" ngx_objext="obj" -ngx_binext=".exe" ngx_long_start='@&&| ' diff --git a/auto/cc/msvc b/auto/cc/msvc --- a/auto/cc/msvc +++ b/auto/cc/msvc @@ -142,7 +142,6 @@ ngx_pic_opt= ngx_objout="-Fo" ngx_binout="-Fe" ngx_objext="obj" -ngx_binext=".exe" ngx_long_start='@<< ' diff --git a/auto/cc/owc b/auto/cc/owc --- a/auto/cc/owc +++ b/auto/cc/owc @@ -84,7 +84,6 @@ ngx_include_opt="-i=" ngx_objout="-fo" ngx_binout="-fe=" ngx_objext="obj" -ngx_binext=".exe" ngx_regex_dirsep='\\' ngx_dirsep="\\" diff --git a/auto/os/win32 b/auto/os/win32 --- a/auto/os/win32 +++ b/auto/os/win32 @@ -13,6 +13,7 @@ NGX_ICONS="$NGX_WIN32_ICONS" SELECT_SRCS=$WIN32_SELECT_SRCS ngx_pic_opt= +ngx_binext=".exe" case "$NGX_CC_NAME" in -- Maxim Dounin http://nginx.org/ ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
Re: [PATCH] Fix compilation on MinGW64
Hello! On Tue, Jun 06, 2017 at 05:48:39PM +0300, Orgad Shaneh wrote: > On Tue, Jun 6, 2017 at 5:11 PM, Maxim Douninwrote: > > Hello! > > > > On Tue, Jun 06, 2017 at 01:57:39PM +0300, Orgad Shaneh wrote: > > > >> I already proposed a similar patch (without MSYS) on November, but it > >> was unnoticed since then. > >> --- > >> auto/configure | 2 +- > >> 1 file changed, 1 insertion(+), 1 deletion(-) > >> > >> diff --git a/auto/configure b/auto/configure > >> index ceff15e4..107c2b5f 100755 > >> --- a/auto/configure > >> +++ b/auto/configure > >> @@ -36,7 +36,7 @@ if test -z "$NGX_PLATFORM"; then > >> NGX_PLATFORM="$NGX_SYSTEM:$NGX_RELEASE:$NGX_MACHINE"; > >> > >> case "$NGX_SYSTEM" in > >> -MINGW32_*) > >> +MINGW32_*|MINGW64_*|MSYS_*) > >> NGX_PLATFORM=win32 > >> ;; > >> esac > >> -- > >> 2.13.0.windows.1.7.g80a6209eb5 > > > > A review of your previous patch can be found here: > > > > http://mailman.nginx.org/pipermail/nginx-devel/2016-December/009233.html > > > > It still applies. > > > > -- > > Maxim Dounin > > http://nginx.org/ > > ___ > > nginx-devel mailing list > > nginx-devel@nginx.org > > http://mailman.nginx.org/mailman/listinfo/nginx-devel > > Thanks. I wasn't aware that I should stay subscribed to receive replies. You can unsubscribe and/or switch to write-only mode, but unless you've used Mail-Followup-To in your messages there will be no direct replies. > Posted a fixed patch (using Git, I hope you don't mind). Mercurial is really preferred, though I was able to import this particular patch. Queued with a couple of style fixes you've missed, thanks. -- Maxim Dounin http://nginx.org/ ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
Re: [PATCH] Use .exe for binaries for all win32 compilers
> http://mailman.nginx.org/pipermail/nginx-devel/2016-December/009234.html Thanks. It is needed with MSYS2 / gcc. Proposing a new patch: --- auto/cc/bcc | 1 - auto/cc/conf | 7 ++- auto/cc/msvc | 1 - auto/cc/owc | 1 - 4 files changed, 6 insertions(+), 4 deletions(-) diff --git a/auto/cc/bcc b/auto/cc/bcc index ec82e60f..e990a9f7 100644 --- a/auto/cc/bcc +++ b/auto/cc/bcc @@ -62,7 +62,6 @@ ngx_include_opt="-I" ngx_objout="-o" ngx_binout="-e" ngx_objext="obj" -ngx_binext=".exe" ngx_long_start='@&&| ' diff --git a/auto/cc/conf b/auto/cc/conf index afbca62b..7e1186b5 100644 --- a/auto/cc/conf +++ b/auto/cc/conf @@ -14,9 +14,14 @@ ngx_pic_opt="-fPIC" ngx_objout="-o " ngx_binout="-o " ngx_objext="o" -ngx_binext= ngx_modext=".so" +if [ "$NGX_PLATFORM" = win32 ]; then +ngx_binext=".exe" +else +ngx_binext= +fi + ngx_long_start= ngx_long_end= diff --git a/auto/cc/msvc b/auto/cc/msvc index 4eef1010..82572529 100644 --- a/auto/cc/msvc +++ b/auto/cc/msvc @@ -142,7 +142,6 @@ ngx_pic_opt= ngx_objout="-Fo" ngx_binout="-Fe" ngx_objext="obj" -ngx_binext=".exe" ngx_long_start='@<< ' diff --git a/auto/cc/owc b/auto/cc/owc index a063aa34..f7fd88c9 100644 --- a/auto/cc/owc +++ b/auto/cc/owc @@ -84,7 +84,6 @@ ngx_include_opt="-i=" ngx_objout="-fo" ngx_binout="-fe=" ngx_objext="obj" -ngx_binext=".exe" ngx_regex_dirsep='\\' ngx_dirsep="\\" -- 2.13.0.windows.1.7.g80a6209eb5 ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
[PATCH] Configure: Fix compilation on MSYS2 / MinGW64
--- auto/configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auto/configure b/auto/configure index ceff15e4..107c2b5f 100755 --- a/auto/configure +++ b/auto/configure @@ -36,7 +36,7 @@ if test -z "$NGX_PLATFORM"; then NGX_PLATFORM="$NGX_SYSTEM:$NGX_RELEASE:$NGX_MACHINE"; case "$NGX_SYSTEM" in -MINGW32_*) +MINGW32_*|MINGW64_*|MSYS_*) NGX_PLATFORM=win32 ;; esac -- 2.13.0.windows.1.7.g80a6209eb5 ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
Re: [PATCH] Fix compilation on MinGW64
On Tue, Jun 6, 2017 at 5:11 PM, Maxim Douninwrote: > Hello! > > On Tue, Jun 06, 2017 at 01:57:39PM +0300, Orgad Shaneh wrote: > >> I already proposed a similar patch (without MSYS) on November, but it >> was unnoticed since then. >> --- >> auto/configure | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/auto/configure b/auto/configure >> index ceff15e4..107c2b5f 100755 >> --- a/auto/configure >> +++ b/auto/configure >> @@ -36,7 +36,7 @@ if test -z "$NGX_PLATFORM"; then >> NGX_PLATFORM="$NGX_SYSTEM:$NGX_RELEASE:$NGX_MACHINE"; >> >> case "$NGX_SYSTEM" in >> -MINGW32_*) >> +MINGW32_*|MINGW64_*|MSYS_*) >> NGX_PLATFORM=win32 >> ;; >> esac >> -- >> 2.13.0.windows.1.7.g80a6209eb5 > > A review of your previous patch can be found here: > > http://mailman.nginx.org/pipermail/nginx-devel/2016-December/009233.html > > It still applies. > > -- > Maxim Dounin > http://nginx.org/ > ___ > nginx-devel mailing list > nginx-devel@nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx-devel Thanks. I wasn't aware that I should stay subscribed to receive replies. Posted a fixed patch (using Git, I hope you don't mind). - Orgad ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
Re: [PATCH] Use .exe for binaries for all win32 compilers
Hello! On Tue, Jun 06, 2017 at 01:58:17PM +0300, Orgad Shaneh wrote: > --- > auto/cc/conf | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/auto/cc/conf b/auto/cc/conf > index afbca62b..19a231aa 100644 > --- a/auto/cc/conf > +++ b/auto/cc/conf > @@ -144,7 +144,9 @@ fi > CFLAGS="$CFLAGS $NGX_CC_OPT" > NGX_TEST_LD_OPT="$NGX_LD_OPT" > > -if [ "$NGX_PLATFORM" != win32 ]; then > +if [ "$NGX_PLATFORM" = win32 ]; then > +ngx_binext=".exe" > +else > > if test -n "$NGX_LD_OPT"; then > ngx_feature=--with-ld-opt=\"$NGX_LD_OPT\" > -- > 2.13.0.windows.1.7.g80a6209eb5 http://mailman.nginx.org/pipermail/nginx-devel/2016-December/009234.html -- Maxim Dounin http://nginx.org/ ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
Re: [PATCH] Fix compilation on MinGW64
Hello! On Tue, Jun 06, 2017 at 01:57:39PM +0300, Orgad Shaneh wrote: > I already proposed a similar patch (without MSYS) on November, but it > was unnoticed since then. > --- > auto/configure | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/auto/configure b/auto/configure > index ceff15e4..107c2b5f 100755 > --- a/auto/configure > +++ b/auto/configure > @@ -36,7 +36,7 @@ if test -z "$NGX_PLATFORM"; then > NGX_PLATFORM="$NGX_SYSTEM:$NGX_RELEASE:$NGX_MACHINE"; > > case "$NGX_SYSTEM" in > -MINGW32_*) > +MINGW32_*|MINGW64_*|MSYS_*) > NGX_PLATFORM=win32 > ;; > esac > -- > 2.13.0.windows.1.7.g80a6209eb5 A review of your previous patch can be found here: http://mailman.nginx.org/pipermail/nginx-devel/2016-December/009233.html It still applies. -- Maxim Dounin http://nginx.org/ ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
Re: [PATCH 3 of 3] Headers filter: added "add_trailer" directive
Hello! On Mon, Jun 05, 2017 at 09:59:45PM -0700, Piotr Sikora via nginx-devel wrote: > Hey Maxim, > > > It doesn't look like "if (h[i].value.value.len)" is needed here. > > It is either true, or the "add_trailer" directive is nop and we > > already know this while parsing the configuration. > > > > -if (h[i].value.value.len) { > > -r->expect_trailers = 1; > > -break; > > -} > > +r->expect_trailers = 1; > > +break; > > Well, both "add_header" and "add_trailer" allow setting something like: > > add_trailer Empty ""; > > which will get added to headers / trailers list. > > I've added this extra check to avoid forcing chunked encoding with > such configuration. > > Maybe we should reject it during configuration instead, or ignore this > case and let it force chunked encoding? Which one do you prefer? I think it is perfectly ok to ignore this and let if force chunked encoding (and this is what the suggested change does). -- Maxim Dounin http://nginx.org/ ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
Re: [PATCH 1 of 3] Added support for trailers in HTTP responses
Hello! On Mon, Jun 05, 2017 at 09:56:03PM -0700, Piotr Sikora via nginx-devel wrote: > Hey Maxim, > > > I would prefer to preserve the typical code path (when there are no > > trailers) without an extra allocation. It looks like it would be > > as trivail as: > > > > @@ -273,14 +273,18 @@ ngx_http_chunked_create_trailers(ngx_htt > > b->memory = 1; > > b->last_buf = 1; > > > > +if (len == sizeof(CRLF "0" CRLF CRLF) - 1) { > > +b->pos = (u_char *) CRLF "0" CRLF CRLF; > > +b->last = b->pos + sizeof(CRLF "0" CRLF CRLF) - 1; > > +return cl; > > +} > > Sounds good, but the if statement reads a bit weird. > > What about this instead, even though it might be a bit more expensive? > > @@ -236,7 +236,7 @@ ngx_http_chunked_create_trailers(ngx_http_request_t *r, > ngx_list_part_t *part; > ngx_table_elt_t *header; > > -len = sizeof(CRLF "0" CRLF CRLF) - 1; > +len = 0; > > part = >headers_out.trailers.part; > header = part->elts; > @@ -273,12 +273,14 @@ ngx_http_chunked_create_trailers(ngx_http_request_t *r, > b->memory = 1; > b->last_buf = 1; > > -if (len == sizeof(CRLF "0" CRLF CRLF) - 1) { > +if (len == 0) { > b->pos = (u_char *) CRLF "0" CRLF CRLF; > b->last = b->pos + sizeof(CRLF "0" CRLF CRLF) - 1; > return cl; > } > > +len += sizeof(CRLF "0" CRLF CRLF) - 1; > + > b->pos = ngx_palloc(r->pool, len); > if (b->pos == NULL) { > return NULL; I've tried this as well, and decided that "if (len == sizeof(...))" is slightly more readable, and also produces smaller patch to your code. No strict preference though, feel free to use any variant you think is better. -- Maxim Dounin http://nginx.org/ ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
[PATCH] Use .exe for binaries for all win32 compilers
--- auto/cc/conf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/auto/cc/conf b/auto/cc/conf index afbca62b..19a231aa 100644 --- a/auto/cc/conf +++ b/auto/cc/conf @@ -144,7 +144,9 @@ fi CFLAGS="$CFLAGS $NGX_CC_OPT" NGX_TEST_LD_OPT="$NGX_LD_OPT" -if [ "$NGX_PLATFORM" != win32 ]; then +if [ "$NGX_PLATFORM" = win32 ]; then +ngx_binext=".exe" +else if test -n "$NGX_LD_OPT"; then ngx_feature=--with-ld-opt=\"$NGX_LD_OPT\" -- 2.13.0.windows.1.7.g80a6209eb5 ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
[PATCH] Fix compilation on MinGW64
I already proposed a similar patch (without MSYS) on November, but it was unnoticed since then. --- auto/configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auto/configure b/auto/configure index ceff15e4..107c2b5f 100755 --- a/auto/configure +++ b/auto/configure @@ -36,7 +36,7 @@ if test -z "$NGX_PLATFORM"; then NGX_PLATFORM="$NGX_SYSTEM:$NGX_RELEASE:$NGX_MACHINE"; case "$NGX_SYSTEM" in -MINGW32_*) +MINGW32_*|MINGW64_*|MSYS_*) NGX_PLATFORM=win32 ;; esac -- 2.13.0.windows.1.7.g80a6209eb5 ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
Re: [PATCH 2 of 3] HTTP/2: added support for trailers in HTTP responses
On 05/06/2017 21:00, Maxim Dounin wrote: > Hello! > > On Fri, Jun 02, 2017 at 08:33:46PM -0700, Piotr Sikora via nginx-devel wrote: > >> # HG changeset patch >> # User Piotr Sikora>> # Date 1493191954 25200 >> # Wed Apr 26 00:32:34 2017 -0700 >> # Node ID 8d74ff6c2015180f5c1f399f492214d7d0a52b3f >> # Parent 41c09a2fd90410e25ad8515793bd48028001c954 >> HTTP/2: added support for trailers in HTTP responses. >> >> Signed-off-by: Piotr Sikora > > I've asked Valentin to look into this part. Hopefully he'll be > able to do so in a couple of days. > > [...] > To be precise and to avoid confusion: Valentin is on the conf today so expect his feedback this week. -- Maxim Konovalov ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel