Add support for PSK cipher suites patch


Add support for PSK cipher suites patch

Sékine Coulibaly
Nate, Maxim,
I found a patch here (http://mailman.nginx.org/pipermail/nginx-devel/2017-September/010449.html) regarding the PSK support in Nginx. I cannot make the new parameter ssl_psk_file work.
I applied it to release-1.13.5 successfully.
I updated my nginx.conf to:
stream {
  upstream dtls_udp_upstreams {
    hash $remote_addr:remote_port;
    server preprod.mycorp.com:5685;
  }

  server {
    listen 5684 udp ssl;
    ssl_protocols DTLSv1.2;
    ssl_ciphers PSK-AES128-CBC-SHA;
    ssl_psk_file /tmp/cred.txt;
    ssl_certificate /tmp/server.pem;
    ssl_certificate_key /tmp/server.key;
    proxy_pass dtls_udp_upstreams;
  }
}

My issue is that although the /tmp/cred.txt file exists, Nginx returns:
nginx: [emerg] unknown directive "ssl_psk_file" in /tmp/nginx.conf:26.

I checked the source files; it looks like the patch has been correctly applied.
Would you mind posting the complete/corrected patch I could apply and test?
I'm using a DTLS client with a PSK load balancer, and I could experiment with the setup.

My patch application looks like:
git checkout release-1.13.5
patch -p1 -i pskpatch.diff

Thank you!

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Re: Add support for PSK cipher suites patch

Maxim Dounin
Hello!

On Thu, Jan 25, 2018 at 05:07:03PM +0100, Sékine Coulibaly wrote:

> Nate,Maxim,
>
> I found a patch here
> (http://mailman.nginx.org/pipermail/nginx-devel/2017-September/010449.html)
> regarding the PSK support in Nginx. I cannot make the new parameter
> ssl_psk_file work.
>
> I applied it to release-1.13.5 successfully.
>
> I updated my nginx.conf to
>
> stream {
>   upstream dtls_udp_upstreams {
>     hash $remote_addr:remote_port;
>     server preprod.mycorp.com:5685;
>   }
>
>
>   server {
>     listen 5684 udp ssl;
>     ssl_protocols DTLSv1.2;
>     ssl_ciphers PSK-AES128-CBC-SHA;
>     ssl_psk_file /tmp/cred.txt;
>     ssl_certificate /tmp/server.pem;
>     ssl_certificate_key /tmp/server.key;
>     proxy_pass dtls_udp_upstreams;
>   }
>
> My issue is that although the /tmp/cred.txt file exists, Nginx returns:
>
> nginx: [emerg] unknown directive "ssl_psk_file" in /tmp/nginx.conf:26.
>
>
> I checked the source files, it looks like the patch has been correctly applied.
>
> Would you mind posting the complete/corrected patch I could apply and test?
>
> I'm using a DTLS client with a PSK load balancer, and I could experiment with the setup.

The patches in question do not try to provide the relevant
functionality to the stream module; they are http-only.

Also please note that DTLS support isn't available either.

--
Maxim Dounin
http://mdounin.ru/
Re: Add support for PSK cipher suites patch

Sékine Coulibaly
Nate,

In the meantime I followed the thread and actually found your revised patches. I was able to apply them successfully.

I realised I didn't run configure with the --with-http-ssl flag (since I don't use http) when building nginx. This explains why the ssl_psk_file was not recognized. After building the http module, the parameter was recognized properly.

However, since I use stream and not http, I'll not be able to test this patch since it only works for the ssl http module.

Regarding the PSK, in a DTLS use case I prefer loading the PSK file on startup into an in-memory store, for example. Then, if some keys are to be changed while the server is running, the in-memory store is refreshed without stopping the server (think SIGHUP or reload). This avoids all clients being disconnected when the server is restarted to reload the PSK file.

Should any progress be made on this for the stream module, I'll be able to give it a try.

Thank you!


2018-01-26 5:14 GMT+01:00 Karstens, Nate <[hidden email]>:

Sékine,

The link you sent is old; the latest set of patches is here:

http://mailman.nginx.org/pipermail/nginx-devel/2017-September/010460.html

Does that improve things?

These were developed using TLS, not DTLS. I don't have any experience with DTLS, so that might be unrelated.

One of the conversations we had earlier in the development process was choosing between two different approaches to managing the PSK file:

  1. The PSK file may be updated as needed (so it must be readable by the worker threads). This is the approach used with the current patches.
  2. The PSK file is read into memory once at startup by the master process. This allows the file permissions to be read only for root, but requires the config file to be refreshed if the PSK file is changed.

Would you mind providing feedback on which approach works better for your environment, and why? Sending it to the mailing list is preferred, or you can just reply to this email.

Thanks,

Nate

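Nate's two options above are the real design choice in this thread; as an added example (not nginx's code nor the patch's), the Python class below implements the second one: the privileged master reads a root-only PSK file once, keeps the table in memory, and swaps it out on SIGHUP without dropping established sessions, which is the behaviour Sékine asks for. The identity:hexkey line format, the PskStore name and its methods are assumptions.

```python
"""Added example, not nginx/patch code: PSK table read once by the privileged master
(file stays root-only) and swapped on SIGHUP; "identity:hexkey" format is assumed."""
import signal


class PskStore:
    def __init__(self, path):
        self.path = path
        self._keys = {}  # identity -> key bytes; a reload replaces the whole dict
        self._reload_requested = False

    @staticmethod
    def parse(text):
        """Parse 'identity:hexkey' lines (blank and '#' lines are skipped); any bad
        line raises ValueError, so a half-edited file is never loaded."""
        keys = {}
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            identity, sep, hexkey = line.partition(":")
            if not sep or not identity or not hexkey:
                raise ValueError(f"line {lineno}: expected identity:hexkey")
            try:
                keys[identity] = bytes.fromhex(hexkey)
            except ValueError:
                raise ValueError(f"line {lineno}: key is not hex") from None
        return keys

    def load_text(self, text):
        # Validate everything first; the single assignment then swaps the table in,
        # and handshakes already in flight keep using the old dict.
        self._keys = self.parse(text)
        return len(self._keys)

    def load(self):
        with open(self.path, encoding="ascii") as f:  # read at startup and on reload
            return self.load_text(f.read())

    def install_sighup(self):
        # The handler only sets a flag; the file is read later, in the event loop.
        signal.signal(signal.SIGHUP, lambda *_: setattr(self, "_reload_requested", True))

    def reload_if_requested(self):
        if not self._reload_requested:  # poll this from the event loop
            return None
        self._reload_requested = False
        return self.load()  # new entry count, or ValueError leaving the old table

    def lookup(self, identity):
        return self._keys.get(identity)  # for the TLS stack's PSK server callback
```

Compared with option 1, the workers never need read access to the key file; the cost is that a key change must be followed by a SIGHUP, exactly the trade-off Nate describes.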