Add TLS 1.3 support
grahamedgecombe committed Apr 27, 2017
1 parent d36ad25 commit 8b53397
Showing 2 changed files with 53 additions and 19 deletions.
66 changes: 47 additions & 19 deletions ngx_ssl_ct_module.c
Expand Up @@ -172,45 +172,73 @@ char *ngx_ssl_ct_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child,

#ifndef OPENSSL_IS_BORINGSSL
/* add OpenSSL TLS extension */
# if OPENSSL_VERSION_NUMBER >= 0x10101000L
int context = SSL_EXT_CLIENT_HELLO
| SSL_EXT_TLS1_2_SERVER_HELLO
| SSL_EXT_TLS1_3_CERTIFICATE;
if (SSL_CTX_add_custom_ext(ssl_ctx, NGX_SSL_CT_EXT, context,
&ngx_ssl_ct_ext_cb, NULL, NULL, NULL, NULL) == 0)
{
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"SSL_CTX_add_custom_ext failed");
return NGX_CONF_ERROR;
}
# else
if (SSL_CTX_add_server_custom_ext(ssl_ctx, NGX_SSL_CT_EXT,
&ngx_ssl_ct_ext_cb, NULL, NULL, NULL, NULL) == 0)
{
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"SSL_CTX_add_server_custom_ext failed");
return NGX_CONF_ERROR;
}
# endif
#endif

return NGX_CONF_OK;
}

#ifndef OPENSSL_IS_BORINGSSL
int ngx_ssl_ct_ext_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
size_t *outlen, int *al, void *add_arg)
# if OPENSSL_VERSION_NUMBER >= 0x10101000L
int ngx_ssl_ct_ext_cb(SSL *s, unsigned int ext_type, unsigned int context,
const unsigned char **out, size_t *outlen, X509 *x, size_t chainidx,
int *al, void *add_arg)
{
/* get the cert OpenSSL chose to use for this connection */
int result = SSL_set_current_cert(s, SSL_CERT_SET_SERVER);
if (result == 2) {
/*
* Anonymous/PSK cipher suites don't use certificates, so don't attempt
* to add the SCT extension to the ServerHello.
*/
/* only include SCTs in the end-entity certificate */
if (context == SSL_EXT_TLS1_3_CERTIFICATE && chainidx != 0) {
return 0;
} else if (result != 1) {
ngx_connection_t *c = ngx_ssl_get_connection(s);
ngx_log_error(NGX_LOG_WARN, c->log, 0, "SSL_set_current_cert failed");
return -1;
}
# else
int ngx_ssl_ct_ext_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
size_t *outlen, int *al, void *add_arg)
{
X509 *x = NULL;
# endif

X509 *x509 = SSL_get_certificate(s);
if (!x509) {
/* as above */
return 0;
if (!x)
{
/* get the cert OpenSSL chose to use for this connection */
int result = SSL_set_current_cert(s, SSL_CERT_SET_SERVER);
if (result == 2) {
/*
* Anonymous/PSK cipher suites don't use certificates, so don't attempt
* to add the SCT extension to the ServerHello.
*/
return 0;
} else if (result != 1) {
ngx_connection_t *c = ngx_ssl_get_connection(s);
ngx_log_error(NGX_LOG_WARN, c->log, 0, "SSL_set_current_cert failed");
return -1;
}

x = SSL_get_certificate(s);
if (!x) {
/* as above */
return 0;
}
}

/* get sct_list for the cert OpenSSL chose to use for this connection */
ngx_ssl_ct_ext *sct_list = X509_get_ex_data(x509,
ngx_ssl_ct_sct_list_index);
ngx_ssl_ct_ext *sct_list = X509_get_ex_data(x, ngx_ssl_ct_sct_list_index);

if (sct_list) {
*out = sct_list->buf;
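Review bot: In the OpenSSL 1.1.1 branch of ngx_ssl_ct_ext_cb the `if (!x)` test decides whether to select the server certificate manually, but nothing in the file says why `x` can be NULL: per the SSL_CTX_add_custom_ext documentation `x` and `chainidx` are only supplied in the TLS 1.3 Certificate context and are NULL/0 for the TLS 1.2 ServerHello, and the pre-1.1.1 branch simply seeds `X509 *x = NULL;` to reach the same fallback. A comment above the test such as `/* x is set only in the TLS 1.3 Certificate context; for the TLS 1.2 ServerHello (x == NULL) look up the server cert ourselves */` makes that contract visible, and the chainidx guard's comment would be clearer as `/* chainidx 0 is the end-entity cert; intermediates carry no SCT extension */`. The "as above" reference at the second NULL check now points at a comment inside the same nested block rather than a preceding one, so either repeat the one-line reason or drop the cross-reference. ngx_ssl_ct_merge_srv_conf begins before the hunk and ngx_ssl_ct_ext_cb continues past it.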
6 changes: 6 additions & 0 deletions ngx_ssl_ct_module.h
Expand Up @@ -38,8 +38,14 @@ typedef struct

ngx_int_t ngx_ssl_ct_init(ngx_log_t *log);
#ifndef OPENSSL_IS_BORINGSSL
# if OPENSSL_VERSION_NUMBER >= 0x10101000L
int ngx_ssl_ct_ext_cb(SSL *s, unsigned int ext_type, unsigned int context,
const unsigned char **out, size_t *outlen, X509 *x, size_t chainidx,
int *al, void *add_arg);
# else
int ngx_ssl_ct_ext_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
size_t *outlen, int *al, void *add_arg);
# endif
#endif
ngx_ssl_ct_ext *ngx_ssl_ct_read_static_scts(ngx_conf_t *cf, ngx_str_t *path);
void *ngx_ssl_ct_create_srv_conf(ngx_conf_t *cf);
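Review bot: The `OPENSSL_VERSION_NUMBER >= 0x10101000L` test that selects the prototype here is repeated verbatim twice in ngx_ssl_ct_module.c (around the SSL_CTX_add_custom_ext call and around the callback definition), so the declaration and definition can silently diverge if one site is later changed. Defining the condition once in this header — `#define FEATURE_MACRO (OPENSSL_VERSION_NUMBER >= 0x10101000L)` with FEATURE_MACRO as a placeholder name — and testing that macro at all three sites keeps the two signatures in step. A one-line comment on the first prototype stating that it matches the OpenSSL 1.1.1 custom_ext_add_cb parameter list would also help the next reader see why the two declarations differ.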

6 comments on commit 8b53397

@alexyangjie

Hi,

I am trying to build against the tls1.3-draft-18 branch of OpenSSL and get this error.

/home/alex/workspace/nginx-ct/ngx_ssl_ct_module.c: In function ‘ngx_ssl_ct_merge_srv_conf’:
/home/alex/workspace/nginx-ct/ngx_ssl_ct_module.c:164:19: error: ‘SSL_EXT_CLIENT_HELLO’ undeclared (first use in this function)
int context = SSL_EXT_CLIENT_HELLO
^
/home/alex/workspace/nginx-ct/ngx_ssl_ct_module.c:164:19: note: each undeclared identifier is reported only once for each function it appears in
/home/alex/workspace/nginx-ct/ngx_ssl_ct_module.c:165:19: error: ‘SSL_EXT_TLS1_2_SERVER_HELLO’ undeclared (first use in this function)
| SSL_EXT_TLS1_2_SERVER_HELLO
^
/home/alex/workspace/nginx-ct/ngx_ssl_ct_module.c:166:19: error: ‘SSL_EXT_TLS1_3_CERTIFICATE’ undeclared (first use in this function)
| SSL_EXT_TLS1_3_CERTIFICATE;
^
/home/alex/workspace/nginx-ct/ngx_ssl_ct_module.c:167:5: error: implicit declaration of function ‘SSL_CTX_add_custom_ext’ [-Werror=implicit-function-declaration]
if (SSL_CTX_add_custom_ext(ssl_ctx, NGX_SSL_CT_EXT, context,
^
/home/alex/workspace/nginx-ct/ngx_ssl_ct_module.c: In function ‘ngx_ssl_ct_ext_cb’:
/home/alex/workspace/nginx-ct/ngx_ssl_ct_module.c:192:20: error: ‘SSL_EXT_TLS1_3_CERTIFICATE’ undeclared (first use in this function)
if (context == SSL_EXT_TLS1_3_CERTIFICATE && chainidx != 0) {
^
cc1: all warnings being treated as errors
make[1]: *** [objs/addon/nginx-ct/ngx_ssl_ct_module.o] Error 1
make[1]: Leaving directory `/home/alex/workspace/nginx/nginx-1.13.0'
make: *** [build] Error 2

Which version of openssl does this commit support? Thanks.

@grahamedgecombe

The master branch.

@Wonderfall

Same for me. It seems it won't work with the tls1.3-draft-18 branch.

@grahamedgecombe

@grahamedgecombe grahamedgecombe commented on 8b53397 May 3, 2017


Yeah, the tls1.3-draft-18 branch doesn't have the new custom extension functions, which I think means the custom extension won't work in TLS 1.3 connections anyway - so adding support seems pointless.

@plinss

@plinss plinss commented on 8b53397 May 9, 2017


FWIW, looks like the CT extension may need to be moved to the EncryptedExtensions message for TLS1.3, see:
https://www.openssl.org/blog/blog/2017/05/04/tlsv1.3/ (Custom Extensions and Certificate Transparency)

@grahamedgecombe

@grahamedgecombe grahamedgecombe commented on 8b53397 May 10, 2017


@plinss: this commit moves it to the Certificate message as per the table on page 39 of draft-ietf-tls-tls13-20.
