Sékine Coulibaly
Add support for PSK cipher suites patch
January 25, 2018 05:10PM
Nate,Maxim,

I found a patch here
(http://mailman.nginx.org/pipermail/nginx-devel/2017-September/010449.html)
regarding the PSK support in Nginx. I cannot make the new parameter
ssl_psk_file work.

I applied it to release-1.13.5 successfully.

I updated my nginx.conf to

stream {
    upstream dtls_udp_upstreams {
        hash $remote_addr:$remote_port;   # pin each client address:port pair to one upstream
        server preprod.mycorp.com:5685;
    }

    server {
        listen 5684 udp ssl;
        ssl_protocols DTLSv1.2;
        ssl_ciphers PSK-AES128-CBC-SHA;
        ssl_psk_file /tmp/cred.txt;
        ssl_certificate /tmp/server.pem;
        ssl_certificate_key /tmp/server.key;
        proxy_pass dtls_udp_upstreams;
    }
}

My issue is that although the /tmp/cred.txt file exists, Nginx returns:

nginx: [emerg] unknown directive "ssl_psk_file" in /tmp/nginx.conf:26.


I checked the source files, it looks like the patch has been correctly applied.

Would you mind posting the complete/corrected patch I could apply and test?

I'm using a DTLS client with a PSK load balancer and could experiment with the setup.


My patch application looks like:

git checkout release-1.13.5

patch -p1 -i pskpatch.diff


Thank you !
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Maxim Dounin
Re: Add support for PSK cipher suites patch
January 25, 2018 05:30PM
Hello!

On Thu, Jan 25, 2018 at 05:07:03PM +0100, Sékine Coulibaly wrote:

> Nate,Maxim,
>
> I found a patch here
> (http://mailman.nginx.org/pipermail/nginx-devel/2017-September/010449.html)
> regarding the PSK support in Nginx. I can not make the new parameter
> ssl_psk_file work.
>
> I applied it to release-1.13.5 successfully.
>
> I updated my nginx.conf to
>
> stream {
> upstream dtls_udp_upstreams {
> hash $remote_addr:remote_port;
> server preprod.mycorp.com:5685;
> }
>
>
> server {
> listen 5684 udp ssl;
> ssl_protocols DTLSv1.2;
> ssl_ciphers PSK-AES128-CBC-SHA;
> ssl_psk_file /tmp/cred.txt;
> ssl_certificate /tmp/server.pem;
> ssl_certificate_key /tmp/server.key;
> proxy_pass dtls_udp_upstreams;
> }
>
> My issue is that although /tmp/cred.txt file exists, Nginx returns :
>
> nginx: [emerg] unknown directive "ssl_psk_file" in /tmp/nginx.conf:26.
>
>
> I checked the source files, it looks like the patch has been correctly applied.
>
> Would you mind posting the complete/corrected patch I could apply and test ?
>
> I'm using DTLS client with PSK load-balancer and I could experiment the setup.

The patches in question do not try to provide the relevant
functionality to the stream module; they are http-only.

Also please note that DTLS support isn't available either.

--
Maxim Dounin
http://mdounin.ru/
Sékine Coulibaly
Re: Add support for PSK cipher suites patch
January 26, 2018 10:00AM
Nate,

In the meantime I followed the thread and actually found your revised
patches. I was able to apply them successfully.

I realised I didn't run configure with the --with-http-ssl flag (since I
don't use http) when building nginx. This explains why ssl_psk_file was
not recognized. After building the http module, the parameter was recognized
properly.

However, since I use stream and not http, I won't be able to test this
patch since it only works for the ssl http module.

Regarding the PSK, in a DTLS use case I prefer loading the PSK file at
startup into an in-memory store, for example. Then, if some keys are to be
changed while the server is running, the in-memory store is refreshed
without stopping the server (think SIGHUP or reload). This avoids all
clients being disconnected when the server is restarted to reload the PSK
file.

Should any progress be made on this in the stream module, I'll be able to
give it a try.

Thank you !


2018-01-26 5:14 GMT+01:00 Karstens, Nate <[email protected]>:

> Sékine,
>
> The link you sent is old, the latest set of patches is here:
>
> http://mailman.nginx.org/pipermail/nginx-devel/2017-September/010460.html
>
> Does that improve things?
>
> These were developed using TLS, not DTLS. I don't have any experience with
> DTLS, so that might be unrelated.
>
> One of the conversations we had earlier in the development process was
> choosing between two different approaches to managing the PSK file:
>
> 1. The PSK file may be updated as needed (so it must be readable by
> the worker threads). This is the approach used with the current patches.
> 2. The PSK file is read into memory once at startup by the master
> process. This allows the file permissions to be read only for root, but
> requires the config file to be refreshed if the PSK file is changed.
>
> Would you mind providing feedback on which approach works better for your
> environment, and why? Sending it to the mailing list is preferred, or you
> can just reply to this email.
>
> Thanks,
>
> Nate
>
> *From:* Sékine Coulibaly [mailto:[email protected]]
> *Sent:* Thursday, January 25, 2018 10:23 AM
> *To:* Karstens, Nate <[email protected]>; mdounin@mdounin.ru
> *Subject:* Fwd: Add support for PSK cipher suites patch
>
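Nate's approach 2 and the in-memory store Sékine describes, as an added example that is not part of this thread or of the nginx PSK patches: a Python PSK table loaded once at startup from an owner-only file and swapped atomically on SIGHUP, so rotating a key does not drop established sessions. The "identity:hexkey" line format, the sample file contents and all function names are assumptions.

```python
import os
import signal
import tempfile
import threading

# Constructed sample; the "identity:hexkey" line format is an assumption, not the patch's.
SAMPLE_PSK = "# constructed example\nsensor-01:0123456789abcdef\ngateway:deadbeef\n"
def parse_psk_file(text):
    # Return {identity: key_bytes}; reject malformed lines and odd-length or non-hex keys.
    store = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ident, sep, hexkey = line.partition(":")
        if not sep or not ident or not hexkey:
            raise ValueError(f"malformed PSK entry at line {lineno}")
        store[ident] = bytes.fromhex(hexkey)  # ValueError on non-hex or odd length
    return store

class PskStore:  # approach 2: read once at startup, swap the whole table on reload
    def __init__(self, path):
        self.path, self._lock, self._keys = path, threading.Lock(), {}
        self.reload()
    def reload(self, *_signal_args):
        # Owner-only file: with approach 2 the workers never need to read it themselves.
        if os.stat(self.path).st_mode & 0o077:
            raise PermissionError(f"{self.path} is readable by group/other")
        with open(self.path) as f:
            fresh = parse_psk_file(f.read())
        with self._lock:  # atomic swap: established sessions stay up
            self._keys = fresh
    def lookup(self, identity):
        with self._lock:
            return self._keys.get(identity)
    def install_sighup(self):
        signal.signal(signal.SIGHUP, self.reload)  # `kill -HUP <pid>` re-reads the file

def demo_rotation():
    # Rotate one key on disk, reload without a restart, return the (old, new) key.
    fd, path = tempfile.mkstemp()  # created with mode 0600
    with os.fdopen(fd, "w") as f:
        f.write(SAMPLE_PSK)
    store = PskStore(path)
    old = store.lookup("gateway")
    with open(path, "w") as f:
        f.write(SAMPLE_PSK.replace("deadbeef", "cafef00d"))
    store.reload()
    os.unlink(path)
    return old, store.lookup("gateway")
```

nginx's own reload (SIGHUP to the master process) reaches the same goal differently: new workers start with the fresh configuration while old workers keep serving their existing connections until they close.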