nginx Certificate Transparency module
Introduction
This module adds support for the TLS signed_certificate_timestamp
extension to
nginx, which is one of the mechanisms supported by Google's
Certificate Transparency project to deliver Signed Certificate Timestamps
to TLS clients.
Building
Add --add-module=/path/to/nginx-ct
to the nginx ./configure
invocation.
If you are using nginx 1.9.11 or above, you can use
--add-dynamic-module=/path/to/nginx-ct
to build as a dynamic module.
The following versions of OpenSSL are supported:
- OpenSSL 1.0.2 or above.
- BoringSSL 4fac72e or above.
LibreSSL is not supported as it doesn't provide either of the functions used
to add the signed_certificate_timestamp
extension to the response
(SSL_CTX_add_server_custom_ext
and SSL_CTX_set_signed_cert_timestamp_list
).
OpenSSL versions between 1.1.0 and 1.1.0e inclusive contain a bug
that prevents this module from working with non-default_server
server
blocks. The bug is fixed in OpenSSL 1.1.0f.
Configuration
If built as a dynamic module, add the following directives to the top level of your configuration file:
load_module modules/ngx_ssl_ct_module.so;
load_module modules/ngx_http_ssl_ct_module.so;
You can also load ngx_mail_ssl_ct_module.so
and ngx_stream_ssl_ct_module.so
if you need mail
or stream
support.
Add the following directives, which are valid in http
, mail
, stream
and
server
blocks, to your configuration file:
ssl_ct on;
ssl_ct_static_scts /path/to/sct/dir;
The module will read all *.sct
files in the given directory, which are
expected to be encoded in binary (see the definition of
SignedCertificateTimestamp
struct in section 3.2 of RFC 6962). This is
the same format used by Apache's mod_ssl_ct module.
The module is compatible with nginx's multiple certificate support if you are
using nginx 1.11.0 or above and are not using BoringSSL. Exactly one
ssl_ct_static_scts
directive must be specified for each ssl_certificate
directive:
ssl_ct on;
ssl_certificate /path/to/rsa.pem;
ssl_certificate_key /path/to/rsa.key;
ssl_ct_static_scts /path/to/rsa/scts;
ssl_certificate /path/to/ecdsa.pem;
ssl_certificate_key /path/to/ecdsa.key;
ssl_ct_static_scts /path/to/ecdsa/scts;
ct-submit can be used to submit certificates to log servers and
encode the SignedCertificateTimestamp
struct in the appropriate format for use
with this module.
License
This project is available under the terms of the ISC license, which is similar
to the 2-clause BSD license. See the LICENSE
file for the copyright
information and licensing terms.