
SSL: Add optional custom extension parsing. #1

Open. Wants to merge 8 commits into base: develop

Conversation

sorooshm78

Add an SSL command to extract a TLS custom extension and use it as a variable in nginx.conf

ssl_custom_extension <custom-extension-type> <variable-name>

The client then sends a TLS request carrying the extension; nginx parses the extension value into the named variable, which can then be used in the nginx config.

Example:
nginx.conf

http {
  server {
    listen 443 ssl;
    server_name _;

    ssl_certificate server.crt;
    ssl_certificate_key server.key;
    ssl_custom_extension 1000 custom_extension;

    location / {
      add_header X-tls-custom-extension $custom_extension;

      root        /usr/local/nginx/html/;
      index       index.html;
    }
  }
}

Request

Extension: Unknown type 1000 (len=7)
    Type: Unknown (1000)
    Length: 7
    Data: Soroush

Response

Bytes: 361
Received: HTTP/1.1 200 OK
Server: nginx/1.27.2
Date: Sat, 14 Sep 2024 11:26:18 GMT
Content-Type: text/html
Content-Length: 97
Last-Modified: Sun, 01 Sep 2024 06:40:46 GMT
Connection: close
ETag: "66d40c6e-61"
X-tls-custom-extension: Soroush
Accept-Ranges: bytes

siadatism changed the title from "Add ssl custom extension command" to "SSL: Add optional custom extension parsing." on Sep 28, 2024

sorooshm78 (Author)

Description:

This pull request adds functionality to NGINX for extracting a custom TLS extension during the TLS handshake and utilizing its value as a variable within the NGINX configuration (nginx.conf). The custom extension is identified by its extension_type, and NGINX is modified to capture and process the extension_data provided in the client’s ClientHello message. The implementation includes modifications to the NGINX SSL module to recognize and extract the custom extension, storing its value in a specified variable, which can then be referenced in the NGINX configuration.

Key Features:

  • SSL command: A new ssl_custom_extension command is introduced to define the custom extension type and map it to a variable.
    ssl_custom_extension <custom-extension-type> <variable-name>

  • NGINX configuration: The value extracted from the custom extension is stored in the specified variable, which can be referenced and used in NGINX configuration directives, such as adding headers.

Example:

NGINX configuration (nginx.conf):

http {
  server {
    listen 443 ssl;
    server_name _;

    ssl_certificate server.crt;
    ssl_certificate_key server.key;
    ssl_custom_extension 1000 custom_extension;

    location / {
      add_header X-tls-custom-extension $custom_extension;

      root /usr/local/nginx/html/;
      index index.html;
    }
  }
}

Request with TLS Custom Extension (Type: 1000):

Extension: Unknown type 1000 (len=7)
    Type: Unknown (1000)
    Length: 7
    Data: Soroush

Response:

Bytes: 361
Received: HTTP/1.1 200 OK
Server: nginx/1.27.2
Date: Sat, 14 Sep 2024 11:26:18 GMT
Content-Type: text/html
Content-Length: 97
Last-Modified: Sun, 01 Sep 2024 06:40:46 GMT
Connection: close
ETag: "66d40c6e-61"
X-tls-custom-extension: Soroush
Accept-Ranges: bytes

RFC Reference:

This implementation adheres to the guidelines from RFC 8446 (TLS 1.3) to ensure the secure and optional use of custom TLS extensions.
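As an added illustration, not code from this PR or from nginx itself: a bounds-checked walk over the ClientHello extension list that returns the data for extension type 1000, together with the filter a defender would apply before a client-chosen value is handed to add_header. The sample ClientHello bytes, the 256-byte cap and the printable-ASCII rule are constructed assumptions for the example.

```python
import struct

CUSTOM_EXT_TYPE = 1000   # extension type from the PR's nginx.conf example
MAX_VALUE_LEN = 256      # assumed cap before the value is exposed as an nginx variable

# Constructed sample (not a real capture): ClientHello carrying only extension 1000 = "Soroush".
SAMPLE_HELLO = (b"\x01\x00\x00\x36\x03\x03" + bytes(32)      # handshake header, version, random
                + b"\x00\x00\x02\x13\x01\x01\x00"              # empty session id, 1 suite, null comp
                + b"\x00\x0b\x03\xe8\x00\x07Soroush")          # ext block len 11: type 1000, len 7

def _need(buf: bytes, off: int, n: int) -> None:
    """Reject a truncated ClientHello instead of reading past the end of the buffer."""
    if off + n > len(buf):
        raise ValueError(f"truncated ClientHello at offset {off}, need {n} bytes")

def parse_client_hello_extensions(msg: bytes) -> dict:
    """Walk a ClientHello handshake message; return {extension_type: extension_data}."""
    if len(msg) < 4 or msg[0] != 1 or 4 + int.from_bytes(msg[1:4], "big") != len(msg):
        raise ValueError("not a well-formed ClientHello handshake message")
    off = 4 + 2 + 32                                     # skip legacy_version + random
    _need(msg, off, 1)
    off += 1 + msg[off]                                  # legacy_session_id
    _need(msg, off, 2)
    off += 2 + int.from_bytes(msg[off:off + 2], "big")   # cipher_suites
    _need(msg, off, 1)
    off += 1 + msg[off]                                  # legacy_compression_methods
    if off == len(msg):
        return {}                                        # TLS 1.2 hello without an extensions block
    _need(msg, off, 2)
    end = off + 2 + int.from_bytes(msg[off:off + 2], "big")
    if end != len(msg):
        raise ValueError("extensions length does not match message length")
    off, exts = off + 2, {}
    while off < end:
        _need(msg, off, 4)
        ext_type, data_len = struct.unpack("!HH", msg[off:off + 4])
        _need(msg, off + 4, data_len)
        if ext_type in exts:                             # RFC 8446 section 4.2 forbids duplicates
            raise ValueError(f"duplicate extension type {ext_type}")
        exts[ext_type] = msg[off + 4:off + 4 + data_len]
        off += 4 + data_len
    return exts

def custom_extension_value(msg: bytes, ext_type: int = CUSTOM_EXT_TYPE):
    """Client-chosen bytes are limited to bounded printable ASCII before add_header can echo them."""
    data = parse_client_hello_extensions(msg).get(ext_type)
    if data is None or len(data) > MAX_VALUE_LEN or any(not 0x20 <= b <= 0x7E for b in data):
        return None                                      # variable stays empty
    return data.decode("ascii")
```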

sorooshm78 and others added 5 commits October 1, 2024 23:35
Since a2a513b, stream frames no longer need to be retransmitted after it
was deleted.  The frames which were retransmitted before, could be stream data
frames sent prior to a RESET_STREAM. Such retransmissions are explicitly
prohibited by RFC 9000, Section 19.4.