Name | Date | Size | #Lines | LOC
---|---|---|---|---
CHANGELOG.markdown | 30-Nov-2016 | 557 | 26 | 14
LICENSE | 30-Nov-2016 | 765 | 14 | 11
README.markdown | 30-Nov-2016 | 2.9 KiB | 83 | 59
config | 30-Nov-2016 | 3.8 KiB | 98 | 84
ngx_http_ssl_ct_module.c | 30-Nov-2016 | 3.3 KiB | 92 | 63
ngx_mail_ssl_ct_module.c | 30-Nov-2016 | 3 KiB | 88 | 60
ngx_ssl_ct_module.c | 03-May-2022 | 11.8 KiB | 414 | 307
ngx_ssl_ct_module.h | 30-Nov-2016 | 1.7 KiB | 50 | 27
ngx_stream_ssl_ct_module.c | 30-Nov-2016 | 3.2 KiB | 91 | 63
README.markdown
nginx Certificate Transparency module
=====================================

Introduction
------------

This module adds support for the TLS `signed_certificate_timestamp` extension to
nginx, which is one of the mechanisms supported by Google's
[Certificate Transparency][ct] project to deliver Signed Certificate Timestamps
to TLS clients.

Building
--------

Add `--add-module=/path/to/nginx-ct` to the nginx `./configure` invocation.

If you are using nginx 1.9.11 or above, you can use
`--add-dynamic-module=/path/to/nginx-ct` to build as a dynamic module.

The following versions of OpenSSL are supported:

* OpenSSL 1.0.2 or above.
* BoringSSL [4fac72e][boringssl] or above.

LibreSSL is **not** supported as it doesn't provide either of the functions used
to add the `signed_certificate_timestamp` extension to the response
(`SSL_CTX_add_server_custom_ext` and `SSL_CTX_set_signed_cert_timestamp_list`).

Configuration
-------------

If built as a dynamic module, add the following directives to the top level of
your configuration file:

    load_module modules/ngx_ssl_ct_module.so;
    load_module modules/ngx_http_ssl_ct_module.so;

You can also load `ngx_mail_ssl_ct_module.so` and `ngx_stream_ssl_ct_module.so`
if you need `mail` or `stream` support.

Add the following directives, which are valid in `http`, `mail`, `stream` and
`server` blocks, to your configuration file:

    ssl_ct on;
    ssl_ct_static_scts /path/to/sct/dir;

The module will read all `*.sct` files in the given directory, which are
expected to be encoded in binary (see the definition of the
`SignedCertificateTimestamp` struct in [section 3.2 of RFC 6962][rfc]). This is
the same format used by Apache's [mod\_ssl\_ct][apache] module.

The module is compatible with nginx's multiple certificate support if you are
using nginx 1.11.0 or above and are not using BoringSSL. Exactly one
`ssl_ct_static_scts` directive must be specified for each `ssl_certificate`
directive:

    ssl_ct on;

    ssl_certificate /path/to/rsa.pem;
    ssl_certificate_key /path/to/rsa.key;
    ssl_ct_static_scts /path/to/rsa/scts;

    ssl_certificate /path/to/ecdsa.pem;
    ssl_certificate_key /path/to/ecdsa.key;
    ssl_ct_static_scts /path/to/ecdsa/scts;

[ct-submit][ct-submit] can be used to submit certificates to log servers and
encode the `SignedCertificateTimestamp` struct in the appropriate format for use
with this module.

License
-------

This project is available under the terms of the ISC license, which is similar
to the 2-clause BSD license. See the `LICENSE` file for the copyright
information and licensing terms.

[ct]: http://www.certificate-transparency.org/
[rfc]: https://tools.ietf.org/html/rfc6962#section-3.2
[apache]: https://httpd.apache.org/docs/trunk/mod/mod_ssl_ct.html
[ct-submit]: https://github.com/grahamedgecombe/ct-submit
[boringssl]: https://boringssl.googlesource.com/boringssl/+/4fac72e638c896c9fa30f5c6cd2fd7246f28f49e%5E!/
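As an added example that is not part of this module's code, the following Python parses the binary `SignedCertificateTimestamp` struct (RFC 6962 section 3.2) that each `*.sct` file must contain, rejecting truncated or padded files before they are pointed at by `ssl_ct_static_scts`; it goes one step beyond the README by also wrapping raw SCTs into the `SignedCertificateTimestampList` the TLS extension carries (RFC 6962 section 3.3). The sample SCT bytes are constructed and carry a placeholder signature, not a real log's output.

```python
import struct
from dataclasses import dataclass

# Constructed sample SCT (not from a real log): v1, made-up log ID, no extensions.
SAMPLE_SCT = (
    b"\x00"                                       # sct_version = v1 (0)
    + bytes(range(32))                            # LogID: SHA-256 of log key (constructed)
    + struct.pack(">Q", 1480464000000)            # uint64 timestamp, ms since epoch
    + struct.pack(">H", 0)                        # CtExtensions: 2-byte length, empty
    + b"\x04\x03"                                 # SignatureAndHashAlgorithm: sha256, ecdsa
    + struct.pack(">H", 4) + b"\xde\xad\xbe\xef"  # signature: 2-byte length + placeholder
)

@dataclass
class SCT:
    version: int
    log_id: bytes
    timestamp_ms: int
    extensions: bytes
    hash_alg: int
    sig_alg: int
    signature: bytes

def parse_sct(data: bytes) -> SCT:
    """Parse one binary SignedCertificateTimestamp (RFC 6962 section 3.2), strictly."""
    if len(data) < 43:                            # version + LogID + timestamp + ext length
        raise ValueError("SCT truncated before extensions")
    version = data[0]
    if version != 0:
        raise ValueError(f"unsupported SCT version {version}")
    log_id = data[1:33]
    (timestamp_ms,) = struct.unpack(">Q", data[33:41])
    (ext_len,) = struct.unpack(">H", data[41:43])
    pos = 43 + ext_len
    extensions = data[43:pos]
    if len(extensions) != ext_len or len(data) < pos + 4:
        raise ValueError("SCT truncated in extensions or signature header")
    hash_alg, sig_alg = data[pos], data[pos + 1]
    (sig_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
    signature = data[pos + 4:pos + 4 + sig_len]
    if len(signature) != sig_len or pos + 4 + sig_len != len(data):
        raise ValueError("SCT signature truncated or trailing bytes present")
    return SCT(version, log_id, timestamp_ms, extensions, hash_alg, sig_alg, signature)

def sct_list_wire(scts: list) -> bytes:
    """Build the SignedCertificateTimestampList sent in the TLS extension
    (RFC 6962 section 3.3): each SCT length-prefixed, then a 2-byte total length."""
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body
```

Running `parse_sct` over every file in the SCT directory is a cheap pre-deployment check that each file holds exactly one well-formed SCT rather than, for example, a whole list or a hex-encoded dump.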