
Discussion for implementing SSL directives #342

Open
2 of 21 tasks
keizo042 opened this issue Feb 16, 2018 · 2 comments

Comments

@keizo042
Contributor

keizo042 commented Feb 16, 2018

I'd like to discuss which SSL handlers are needed in order to improve the SSL experience of ngx_mruby.

There is already some work on handlers in SSL.
The first great work is mruby_ssl_handshake_handler.
I'm working on mruby_ssl_verify_client_handler and mruby_ssl_client_hello_handler.

In OpenSSL-1.0.2g, the server-side APIs are as below, the result of:
$ cat ssl.h |grep -e callback -e cb |grep SSL_CTX |grep set | grep -v -e client -e '#'

In the checklist, we check which APIs we need.

  • void SSL_CTX_set_msg_callback(SSL_CTX *ctx,
  • void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx,
  • void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx,
  • void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx,
  • void SSL_CTX_set_info_callback(SSL_CTX *ctx,
  • void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx,
  • void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx,
  • void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *s,
  • void SSL_CTX_set_next_proto_select_cb(SSL_CTX *s,
  • void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx,
  • void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx,
  • void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,
  • void SSL_CTX_set_cert_cb(SSL_CTX *c, int (*cb) (SSL *ssl, void *arg),
  • void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb);
  • void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u);
  • int SSL_CTX_set_srp_verify_param_callback(SSL_CTX *ctx,
  • int SSL_CTX_set_srp_username_callback(SSL_CTX *ctx,
  • int SSL_CTX_set_srp_cb_arg(SSL_CTX *ctx, void *arg);
  • void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,
  • void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
  • void SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx,
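As an added example (not code from this issue or from ngx_mruby), here is what a server-side implementation behind one of the listed hooks, SSL_CTX_set_alpn_select_cb, has to do: parse the client's length-prefixed ALPN list, reject a malformed one, and pick the server's preferred overlap. It compiles without OpenSSL: the SSL type is an opaque stand-in, the return-code values mirror OpenSSL's SSL_TLSEXT_ERR_* constants, and server_protos is a constructed preference list.

```c
#include <string.h>
/* Return codes; the values mirror OpenSSL's SSL_TLSEXT_ERR_* constants. */
#define SSL_TLSEXT_ERR_OK          0
#define SSL_TLSEXT_ERR_ALERT_FATAL 2
#define SSL_TLSEXT_ERR_NOACK       3
typedef struct ssl_st SSL;  /* opaque stand-in; assumption: never dereferenced here */

/* Server preference list in ALPN wire format (a length byte before each name).
 * Constructed sample: prefer h2, fall back to http/1.1. */
static const unsigned char server_protos[] = "\x02" "h2" "\x08" "http/1.1";
static const unsigned int server_protos_len = sizeof(server_protos) - 1;

/* Well-formed: every length byte is non-zero and its name fits in the buffer. */
static int alpn_list_is_wellformed(const unsigned char *list, unsigned int len)
{
    for (unsigned int i = 0; i < len; i += 1 + list[i])
        if (list[i] == 0 || i + 1 + list[i] > len)
            return 0;
    return 1;
}

/* Callback with the signature SSL_CTX_set_alpn_select_cb() expects: walk the
 * server list in preference order, return the first name the client offered.
 * *out points into server_protos, which outlives the handshake. */
static int alpn_select_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen,
                          const unsigned char *in, unsigned int inlen, void *arg)
{
    (void)ssl; (void)arg;
    if (!alpn_list_is_wellformed(in, inlen))
        return SSL_TLSEXT_ERR_ALERT_FATAL;       /* malformed client list: abort */
    for (unsigned int s = 0; s < server_protos_len; s += 1 + server_protos[s]) {
        unsigned int slen = server_protos[s];
        for (unsigned int c = 0; c < inlen; c += 1 + in[c]) {
            if (in[c] == slen && memcmp(&in[c + 1], &server_protos[s + 1], slen) == 0) {
                *out = &server_protos[s + 1];
                *outlen = (unsigned char)slen;
                return SSL_TLSEXT_ERR_OK;
            }
        }
    }
    return SSL_TLSEXT_ERR_NOACK;                  /* no overlap: proceed without ALPN */
}

/* Test hook: run the callback on a client list and copy the chosen name into buf. */
static int alpn_select_name(const unsigned char *client, unsigned int clen, char *buf)
{
    const unsigned char *out = NULL;
    unsigned char outlen = 0;
    int rc = alpn_select_cb(NULL, &out, &outlen, client, clen, NULL);
    buf[0] = '\0';
    if (rc == SSL_TLSEXT_ERR_OK) { memcpy(buf, out, outlen); buf[outlen] = '\0'; }
    return rc;
}
```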
matsumotory added a commit that referenced this issue Feb 19, 2018
v2.0.0 feature

- some tls feature #342
- Support async frame
- Add Nginx::Async.sleep
- Add Nginx::Async.http_client
@matsumotory matsumotory mentioned this issue Feb 19, 2018
@keizo042
Contributor Author

I'm sorry, SSL_CTX_set_next_proto_select_cb is a client-side API, so it will be dropped.

It seems that almost all hooks are useful and there is no problem implementing them.
Maybe providing ephemeral key exchange hooks to non-experts of SSL/TLS is unfavorable.

What do you think about implementing directives using ephemeral key exchange hooks?

@matsumotory
Owner

Looks good. If we can implement version compatibility of OpenSSL properly, we would like to release as much new functionality as possible.
