README.md

nginx-polarssl

nginx with support for PolarSSL.

Overview

This is a fork of the nginx development branch that lets the user build nginx against PolarSSL instead of OpenSSL as its TLS library. This may be useful for those seeking to further minimise the memory footprint of the webserver, or for those who happen to dislike OpenSSL for some reason.

Motivation

PolarSSL seemed like an amazing library, and the author felt that a simple project to get used to the APIs was the best way to learn its internals. Additionally, there are not many webservers that use SSL libraries other than OpenSSL (Hiawatha is a notable exception), and there should be more.

Installation

See nginx's installation options for how to configure/install nginx.

This fork adds:

--with-polarssl - Attempt to use the system PolarSSL installation.
--with-polarssl=path - Compile nginx statically with the PolarSSL source code located at "path".

For example:

./configure --with-http_ssl_module --with-polarssl=~/Packages/polarssl-1.2.5
gmake
gmake install

Note that because the Makefiles shipped with PolarSSL use GNU make style conditionals, GNU make (gmake on BSD systems) must be used when --with-polarssl=path is given.

Configuration

With a few exceptions, configuration is identical to nginx's standard SSL support:

  • ssl_protocols does not support “SSLv2”.
  • ssl_engine is not a valid config option when using PolarSSL.
  • ssl_prefer_server_ciphers has no effect: the client's preference decides among the suites both sides offer, so leave weak suites out of the list entirely rather than relying on ordering to avoid them.
  • ssl_session_cache builtin is not supported (use the shared cache).
  • ssl_ciphers_list expects a ‘:’ separated list of cipher suites, using PolarSSL's suite names (see below).
  • ssl_stapling and related options are not supported.

Supported Ciphersuites

  • TLS-RSA-WITH-RC4-128-MD5
  • TLS-RSA-WITH-RC4-128-SHA
  • TLS-RSA-WITH-3DES-EDE-CBC-SHA
  • TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
  • TLS-RSA-WITH-AES-128-CBC-SHA
  • TLS-DHE-RSA-WITH-AES-128-CBC-SHA
  • TLS-RSA-WITH-AES-256-CBC-SHA
  • TLS-DHE-RSA-WITH-AES-256-CBC-SHA
  • TLS-RSA-WITH-AES-128-CBC-SHA256
  • TLS-RSA-WITH-AES-256-CBC-SHA256
  • TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
  • TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
  • TLS-RSA-WITH-CAMELLIA-128-CBC-SHA
  • TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
  • TLS-RSA-WITH-CAMELLIA-256-CBC-SHA
  • TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
  • TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256
  • TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256
  • TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256
  • TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256
  • TLS-RSA-WITH-AES-128-GCM-SHA256
  • TLS-RSA-WITH-AES-256-GCM-SHA384
  • TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
  • TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

Note: the suites actually available also depend on which ciphers were compiled into PolarSSL at build time. Additionally, certain extremely weak ciphersuites are explicitly not supported by nginx-polarssl even if the library provides them.
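The following server block is an added example and is not part of nginx-polarssl or its documentation. It ties together the configuration differences listed above and the supported suite list: only TLS versions in ssl_protocols, a shared session cache instead of builtin, no ssl_engine or ssl_stapling, and a ‘:’ separated cipher list built from PolarSSL's suite names. Assumptions: the README's ssl_ciphers_list is read as the standard ssl_ciphers directive (substitute the literal name if your build wants it); ssl_dhparam is assumed to be honoured as in stock nginx, which the README does not state; certificate, key and DH parameter paths are placeholders.

```nginx
# Added example, not the project's own configuration. Directive names are the
# standard nginx ones except where the README says otherwise; cipher suite
# names are PolarSSL's, taken from the Supported Ciphersuites list.
server {
    listen 443 ssl;
    server_name example.com;

    # Placeholder paths.
    ssl_certificate     /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    # SSLv2 is rejected by this build, so list only TLS versions.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # ssl_prefer_server_ciphers has no effect with PolarSSL, so the client
    # chooses from whatever appears here. Ordering cannot steer clients away
    # from weak suites, so RC4, MD5 and 3DES are simply not listed.
    # ECDHE is unavailable (PolarSSL has no ECDH support yet), so DHE is the
    # only forward-secret option; AEAD (GCM) suites come first, then CBC
    # fallbacks, and a couple of plain RSA suites for clients without DHE.
    ssl_ciphers TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-RSA-WITH-AES-128-GCM-SHA256:TLS-RSA-WITH-AES-128-CBC-SHA;

    # DHE suites need Diffie-Hellman parameters. Assumption: this fork honours
    # the standard ssl_dhparam directive (the README does not say); supply your
    # own group rather than relying on a library default.
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    # "builtin" is not supported; a shared cache is what makes resumption work.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # Must be absent with this build: ssl_engine, ssl_stapling and the other
    # ssl_stapling_* directives. Without stapling, revocation checking is left
    # to whatever the client does on its own.

    location / {
        root /var/www/example.com;
    }
}
```

Run `nginx -t` against the file after editing it: the build will refuse any directive it does not recognise, which is the quickest way to find out whether your binary expects ssl_ciphers or ssl_ciphers_list, and a suite name that was not compiled into PolarSSL will show up at the same point rather than at the first client connection.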

Known Issues/Implementation Differences

nginx-polarssl Issues:

PolarSSL Issues:

Implementation differences:

  • SSLv2.0 is not supported, and will not be supported.
  • OCSP stapling is not supported, and more than likely will not be.
  • ECDH is not yet supported by PolarSSL.

License

The changes added by nginx-polarssl are distributed under the nginx license (also see https://polarssl.org/foss-license-exception and https://twitter.com/polarssl/status/302083038261678080).