grahamedgecombe/nginx-ct grahamedgecombe/nginx-ct

  • Stars
    star
    174
  • Rank 217,787 (Top 5 %)
  • Language
    C
  • License
    ISC License
  • Created over 9 years ago
  • Updated almost 2 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
grahamedgecombe/nginx-ct
github

grahamedgecombe

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Certificate Transparency module for nginx.

nginx Certificate Transparency module

Introduction

This module adds support for the TLS signed_certificate_timestamp extension to nginx, which is one of the mechanisms supported by Google's Certificate Transparency project to deliver Signed Certificate Timestamps to TLS clients.

Building

Add --add-module=/path/to/nginx-ct to the nginx ./configure invocation.

If you are using nginx 1.9.11 or above, you can use --add-dynamic-module=/path/to/nginx-ct to build as a dynamic module.

The following versions of OpenSSL are supported:

  • OpenSSL 1.0.2 or above.
  • BoringSSL 4fac72e or above.

LibreSSL is not supported as it doesn't provide either of the functions used to add the signed_certificate_timestamp extension to the response (SSL_CTX_add_server_custom_ext and SSL_CTX_set_signed_cert_timestamp_list).

OpenSSL versions between 1.1.0 and 1.1.0e inclusive contain a bug that prevents this module from working with non-default_server server blocks. The bug is fixed in OpenSSL 1.1.0f.

Configuration

If built as a dynamic module, add the following directives to the top level of your configuration file:

load_module modules/ngx_ssl_ct_module.so;
load_module modules/ngx_http_ssl_ct_module.so;

You can also load ngx_mail_ssl_ct_module.so and ngx_stream_ssl_ct_module.so if you need mail or stream support.

Add the following directives, which are valid in http, mail, stream and server blocks, to your configuration file:

ssl_ct on;
ssl_ct_static_scts /path/to/sct/dir;

The module will read all *.sct files in the given directory, which are expected to be encoded in binary (see the definition of SignedCertificateTimestamp struct in section 3.2 of RFC 6962). This is the same format used by Apache's mod_ssl_ct module.

The module is compatible with nginx's multiple certificate support if you are using nginx 1.11.0 or above and are not using BoringSSL. Exactly one ssl_ct_static_scts directive must be specified for each ssl_certificate directive:

ssl_ct on;

ssl_certificate /path/to/rsa.pem;
ssl_certificate_key /path/to/rsa.key;
ssl_ct_static_scts /path/to/rsa/scts;

ssl_certificate /path/to/ecdsa.pem;
ssl_certificate_key /path/to/ecdsa.key;
ssl_ct_static_scts /path/to/ecdsa/scts;

ct-submit can be used to submit certificates to log servers and encode the SignedCertificateTimestamp struct in the appropriate format for use with this module.

License

This project is available under the terms of the ISC license, which is similar to the 2-clause BSD license. See the LICENSE file for the copyright information and licensing terms.

More Repositories

1

icicle

32-bit RISC-V system on chip for iCE40 FPGAs
Python
291
star
2

ct-submit

A program for submitting X.509 certificate chains to Certificate Transparency log servers.
Go
75
star
3

lightstone

An open-source implementation of the Minecraft server software.
Java
73
star
4

arc

A toy x86-64 kernel.
C
52
star
5

tiny-basic-compiler

A simple Tiny BASIC compiler which targets x86-64 Linux machines.
Java
49
star
6

pgzstd

Postgres module for Zstandard compression/decompression with preset dictionary support
C
37
star
7

jterminal

JTerminal is a (roughly) VT100-compatible terminal emulator for Swing-based Java applications.
Java
34
star
8

netty-sni-example

An example of how to use server-side SNI in Netty with Java 8.
Java
20
star
9

android-ssl

Android SSL certificate validation vulnerability detection tools.
Java
19
star
10

minecraft-installer

A Debian package which installs the Minecraft client and server.
Groff
18
star
11

lancat

Zero-configuration LAN file transfer.
Ruby
14
star
12

apiviz

A fork of APIviz with out of the box support for classes compiled with Java 8.
Java
10
star
13

picosoc-uip

uIP 0.9 PicoSoC/PicoRV32 port
C
8
star
14

ssh-ldap-publickey

A program for looking up SSH public keys with LDAP.
C
7
star
15

pgflate

PostgreSQL module for raw DEFLATE compression/decompression with preset dictionary support
C
7
star
16

db

A thin layer on top of the JDBC API that takes care of awkward boilerplate code.
Java
7
star
17

advent-2021

Advent of Code 2021 solutions
Kotlin
6
star
18

lasertag

An electronic laser tag system based on AVR microcontrollers.
C
5
star
19

ignition

Static pages for Rails 4.
Ruby
5
star
20

opencraft

A mirror of the OpenCraft repository, which was originally hosted as a Subversion repository on SourceForge.
Java
4
star
21

advent-2020

Advent of Code 2020 solutions
Kotlin
2
star
22

tnef-filter

Automatically convert TNEF (winmail.dat) attachments into MIME format
Perl
2
star
23

pdf-decrypt-filter

Automatically decrypt PDF attachments in emails
Perl
2
star
24

puppet-git-catalog

Submodule-aware Git-managed static Puppet catalogs
C
2
star
25

advent-2023

Advent of Code 2023 solutions
Kotlin
1
star
26

pragpub-mailer

Email PragPub automatically to a Kindle.
Shell
1
star