-
Notifications
You must be signed in to change notification settings - Fork 2k
feature: ssl: add FFI function to set SSL ciphers #961
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
ghedo
wants to merge
1
commit into
openresty:master
Choose a base branch
from
ghedo:ssl_set_ciphers
base: master
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ghedo I wonder if you really need per-connection ciphers. Maybe you just need a per-domain cipher suite? If it's the latter, then we can just reuse a domain-level SSL ctx to avoid per-request cipher name parsing and setting.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Or maybe we can simply set a parsed SSL cipher suite C data structure to avoid the string parsing here on a hot code path?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes I agree that calling
SSL_set_cipher_list
on a per request basis is a terrible idea as it both has lots ofmalloc
along the way and the cipher search algorithm is linear.Better way of doing this is to store the cipher stack created by OpenSSL once and reuse them later in new connections with some kind of Lua handle (e.g. cdata).
There may be other way that's better but I haven't looked too much into other OpenSSL cipher related APIs.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ooops, missed these comments...
Anyway, the function is intended to be used in
ssl_cert_by_lua
, so per-connection, not per-request, and even then not all connections (otherwise you might as well usessl_protocols
in the config).AFAICT there's no OpenSSL API that would allow you to parse a cipher string into an array or stack of SSL_CIPHER, without actually changing the cipher list on an SSL or SSL_CTX struct. And even then, there's no OpenSSL API to set a cipher list from an array or stack of SSL_CIPHER. Did you have anything specific in mind?
In any case the overhead of
SSL_set_cipher_list()
is really not that bad, and even if it was too slow/heavy for whatever use case (which would likely prevent other OpenResty APIs from being used as well), nobody would be forced to use this.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ghedo Well, I think we are just trying to do it right :) BTW, have you actually measured the overhead of parsing and loading long cipher strings in this context?