SSL: allow configuring providers with "ssl_provider ...". #710
Conversation
|
I think if we have an entry to represent OpenSSL v3.0's querystrings, it will be much more useful. Because it helps to for example enable fips by passing that querystring to algorithms. This cannot be achieved via configuration file well. Something like this: Though, it is completely openssl related configuration. |
|
Hello @bavshin-f5, very interesting. It seems to me that specifying the I think this new |
|
@josuerocha |
|
Thank you for your response, @afshinpir . I have a more specific follow-up question: As of NGINX version 1.25.4, is it possible to configure OpenSSL providers, via an OpenSSL configuration file, in such a way that the provider's key and certificate can be used by NGINX to establish TLS connections? From what I understand, the pull request you referenced enables selecting specific keys. However, is it also possible for the provider to expose a default key that NGINX could use without explicitly selecting it? |
Posting just for completeness, as I'm not convinced we need to support this. Everything in this PR is achievable via
OPENSSL_CONF.On the other hand, we already have
ssl_engine device;that duplicates openssl.cnf functionality (default_algorithms = ALLin the engine section).Currently does not support tracking and unloading providers added through the nginx.conf.
OSSL_PROVIDER_unload()does not actually unload and teardown the provider, but it unregisters the store URI schemes and algorithm implementations and allows re-loading the provider with different configuration, which seems useful.See also: https://github.com/openssl/openssl/blob/master/doc/designs/ossl-provider-load-ex.md