nginx-polarssl

nginx with support for PolarSSL.

Overview

This is a fork of the nginx development branch that allows the user to use PolarSSL instead of OpenSSL. This may be useful for those seeking to further minimise the memory footprint of the webserver, or for those that happen to dislike OpenSSL for some reason.

Motivation

PolarSSL seemed like an amazing library and the author felt that a simple project to get used to the APIs was the best way to learn it's internals. Additionally there are not many webservers that use SSL libraries other than OpenSSL (Hiawatha is a notable exception), and there should be more.

Installation

Ubuntu Saucy

Import my gpg public-key:

wget -O http://alinefr-ubuntu.s3.amazonaws.com/conf/aline.gpg.key|sudo apt-key add -

Then add this line in your /etc/apt/sources.list

deb http://alinefr-ubuntu.s3.amazonaws.com saucy main

Then you just need to

sudo aptitude install nginx-polarssl

You could choose one of the default flavours, which works in the same way as the nginx official packages, which are light, full, extras or naxsi, for example:

sudo aptitude install nginx-polarssl-extras

Building

See nginx's installation options for how to configure/install nginx.

This fork adds:

--with-polarssl - Attempt to use the system PolarSSL installation.
--with-polarssl=path - Compile nginx statically with the PolarSSL source code located at "path".

For example:

./configure --with-http_ssl_module --with-polarssl=~/Packages/polarssl-1.2.5
gmake
gmake install

Note that due to the Makefiles shipped by PolarSSL using GNU make style conditionals, GNU make must be used if --with-polarssl=path is used.

Configuration

With a few exceptions configuration is identical to the standard SSL support.

  • ssl_protocols does not support “SSLv2”.
  • ssl_engine is not a valid config option when using PolarSSL.
  • ssl_prefer_server_ciphers has no effect.
  • ssl_session_cache builtin is not supported.
  • ssl_ciphers_list expects a ‘:’ separated list of cipher suites.
  • ssl_stapling and related options are not supported.

Supported Ciphersuites

  • TLS-RSA-WITH-RC4-128-MD5
  • TLS-RSA-WITH-RC4-128-SHA
  • TLS-RSA-WITH-3DES-EDE-CBC-SHA
  • TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
  • TLS-RSA-WITH-AES-128-CBC-SHA
  • TLS-DHE-RSA-WITH-AES-128-CBC-SHA
  • TLS-RSA-WITH-AES-256-CBC-SHA
  • TLS-DHE-RSA-WITH-AES-256-CBC-SHA
  • TLS-RSA-WITH-AES-128-CBC-SHA256
  • TLS-RSA-WITH-AES-256-CBC-SHA256
  • TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
  • TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
  • TLS-RSA-WITH-CAMELLIA-128-CBC-SHA
  • TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
  • TLS-RSA-WITH-CAMELLIA-256-CBC-SHA
  • TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
  • TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256
  • TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256
  • TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256
  • TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256
  • TLS-RSA-WITH-AES-128-GCM-SHA256
  • TLS-RSA-WITH-AES-256-GCM-SHA384
  • TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
  • TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

Note: This depends on what ciphers were compiled into PolarSSL at build time. Additionally certain extremely weak ciphersuites are explicitly not supported by nginx-polarssl.

Know Issues/Implementation Differences

nginx-polarssl Issues:

PolarSSL Issues:

Implementation differences:

  • SSLv2.0 is not supported, and will not be supported.
  • OCSP stapling is not and more than likely will not be supported.
  • ECDH is not yet supported by PolarSSL.

License

The changes added by nginx-polarssl are distrubuted under the nginx license (Also see https://polarssl.org/foss-license-exception and https://twitter.com/polarssl/status/302083038261678080).