
Comments (4)

ac000 avatar ac000 commented on July 26, 2024 1

It looks like the idea was to support TLS libraries other than OpenSSL,
see: src/nxt_gnutls.c, src/nxt_cyassl.c & src/nxt_polarssl.c,
however it seems this work was never fully realised.

I've never really looked at the TLS code specifically, so this is just
my current findings.

It looks like the TLS interface is abstracted out, in
src/nxt_openssl.c we have

const nxt_tls_lib_t  nxt_openssl_lib = {
    .library_init = nxt_openssl_library_init,
    .library_free = nxt_openssl_library_free,

    .server_init = nxt_openssl_server_init,
    .server_free = nxt_openssl_server_free,
};


static nxt_conn_io_t  nxt_openssl_conn_io = {
    .read = nxt_conn_io_read,
    .recvbuf = nxt_openssl_conn_io_recvbuf,

    .write = nxt_conn_io_write,
    .sendbuf = nxt_openssl_conn_io_sendbuf,

    .shutdown = nxt_openssl_conn_io_shutdown,
};

The existing alternate TLS APIs are not implementing this interface.

They were all introduced in the initial commit of Unit and haven't seen
any meaningful work since then, it's possible they just came along from
nginx.

Anyway at the very least in order to support your TLS library of choice
you'd need to write an API on top of it implementing the above
functions.

from unit.

ac000 avatar ac000 commented on July 26, 2024

Hi,

AFAICT Unit really only supports OpenSSL.

For example the other TLS implementations do something like

const nxt_ssltls_lib_t  nxt_gnutls_lib = {
    nxt_gnutls_server_init,
    NULL,
};

nxt_ssltls_lib_t is not defined anywhere.

If I ./configure --gnutls

checking for GnuTLS library ... found
 + GnuTLS version: 3.8.4
checking for gnutls_transport_set_vec_push_function ... found
checking for gnutls_global_set_time_function ... found

OK, good.

  TLS support: ............... NO

Not so good...

  CC     build/src/nxt_cert.o
src/nxt_cert.c: In function ‘nxt_cert_mem’:
src/nxt_cert.c:65:9: error: implicit declaration of function ‘nxt_openssl_log_error’; did you mean ‘nxt_main_log_error’? [-Werror=implicit-function-declaration]
   65 |         nxt_openssl_log_error(task, NXT_LOG_ALERT, "BIO_new_mem_buf() failed");
      |         ^~~~~~~~~~~~~~~~~~~~~
      |         nxt_main_log_error
cc1: all warnings being treated as errors

Oh dear...

If I ./configure --gnutls --openssl # because who knows?!

checking for GnuTLS library ... found
 + GnuTLS version: 3.8.4
checking for gnutls_transport_set_vec_push_function ... found
checking for gnutls_global_set_time_function ... found
...
  TLS support: ............... YES

Better I guess...

  CC     build/src/nxt_gnutls.o
src/nxt_gnutls.c:31:41: error: unknown type name ‘nxt_ssltls_conf_t’; did you mean ‘nxt_tls_conf_t’?
   31 | static nxt_int_t nxt_gnutls_server_init(nxt_ssltls_conf_t *conf);
      |                                         ^~~~~~~~~~~~~~~~~
      |                                         nxt_tls_conf_t
src/nxt_gnutls.c:32:41: error: unknown type name ‘nxt_ssltls_conf_t’; did you mean ‘nxt_tls_conf_t’?
   32 | static nxt_int_t nxt_gnutls_set_ciphers(nxt_ssltls_conf_t *conf);
      |                                         ^~~~~~~~~~~~~~~~~
      |                                         nxt_tls_conf_t
src/nxt_gnutls.c:34:53: error: unknown type name ‘nxt_ssltls_conf_t’; did you mean ‘nxt_tls_conf_t’?
   34 | static void nxt_gnutls_conn_init(nxt_thread_t *thr, nxt_ssltls_conf_t *conf,
      |                                                     ^~~~~~~~~~~~~~~~~
      |                                                     nxt_tls_conf_t

and on and on...

from unit.
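The two comments above describe a backend table (nxt_tls_lib_t) that OpenSSL fills in completely while the GnuTLS table leaves slots NULL. The following is an added illustration, not Unit's own code: it keeps the quoted field names but assumes the callback signatures, the constructed stand-in backends and the tls_lib_select() helper, and shows a start-up check that rejects an incomplete backend rather than letting the core call a NULL function pointer later.

```c
#include <stddef.h>
#include <string.h>

/* Assumed uniform callback shape; Unit's real prototypes differ. */
typedef int (*tls_fn_t)(void *ctx);

typedef struct {
    const char *name;
    tls_fn_t    library_init;   /* field names as quoted from nxt_openssl.c */
    tls_fn_t    library_free;
    tls_fn_t    server_init;
    tls_fn_t    server_free;
} tls_lib_t;

/* Constructed stand-ins; a real backend would wrap the library's calls. */
static int demo_init(void *ctx) { (void) ctx; return 0; }
static int demo_free(void *ctx) { (void) ctx; return 0; }

static const tls_lib_t openssl_like_lib = {
    .name = "openssl",
    .library_init = demo_init, .library_free = demo_free,
    .server_init  = demo_init, .server_free  = demo_free,
};

/* Mirrors the two-entry GnuTLS table quoted above: most slots stay NULL. */
static const tls_lib_t gnutls_like_lib = {
    .name = "gnutls",
    .server_init = demo_init,
};

static const tls_lib_t *const tls_libs[] = { &openssl_like_lib, &gnutls_like_lib };

/* 1 only if every slot the core will call is populated. */
int tls_lib_complete(const tls_lib_t *lib)
{
    return lib->library_init != NULL && lib->library_free != NULL
        && lib->server_init != NULL && lib->server_free != NULL;
}

/* Pick a backend by name at start-up; NULL if unknown or incomplete,
 * so misconfiguration fails closed before any listener is created. */
const tls_lib_t *tls_lib_select(const char *name)
{
    size_t  i;

    for (i = 0; i < sizeof(tls_libs) / sizeof(tls_libs[0]); i++) {
        if (strcmp(tls_libs[i]->name, name) == 0) {
            return tls_lib_complete(tls_libs[i]) ? tls_libs[i] : NULL;
        }
    }
    return NULL;
}
```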

rock59 avatar rock59 commented on July 26, 2024

@ac000 Thank you for your response

I used s2n-tls in one of my projects and I am very satisfied with the functionality and simplicity of s2n-tls. I am very interested in using s2n-tls in Unit, but I don't know enough about the internals of Unit. Does anyone know if Unit supports switching between different TLS libraries at startup time?

from unit.

rock59 avatar rock59 commented on July 26, 2024

@ac000 Thanks

from unit.
