nginx

nginx-ct (https://github.com/grahamedgecombe/nginx-ct) supports serving SCTs as part of the TLS handshake during HTTPS connections. At the time of writing (2015-05-14) we were able to make this work with nginx version 1.9.0.

Disclaimer: the following is not intended to show best (or even good) practices for configuration of openssl or nginx, but rather to document a reproducible set of instructions that work to demonstrate the module successfully returning SCTs during the TLS handshake.

For the purposes of this example, we started with a new virtual machine created in Google Compute Engine with the "ubuntu-1504-vivid-v20150422" image.

# Install dependencies
sudo apt-get install unzip gcc libpcre3-dev zlib1g-dev make golang-go

# Grab needed files, correct as of 2015-05-08
wget https://www.openssl.org/source/openssl-1.0.2a.tar.gz
wget http://nginx.org/download/nginx-1.9.0.tar.gz
wget -O nginx-ct.zip https://github.com/grahamedgecombe/nginx-ct/archive/master.zip
tar zxf openssl-1.0.2a.tar.gz
tar zxf nginx-1.9.0.tar.gz
unzip nginx-ct.zip

# Build nginx with openssl 1.0.2 and CT module
cd nginx-1.9.0/
./configure --with-http_ssl_module \
    --with-openssl=`realpath ../openssl-1.0.2a` \
    --add-module=`realpath ../nginx-ct-master`
make  # NOTE: when I tried building with -jN for speedup I encountered linker issues
sudo make install
cd ..

# Create standard SSL configuration
sudo mkdir /usr/local/nginx/conf/ssl
sudo sh -c """echo '''-----BEGIN PRIVATE KEY-----
... your private key ...
-----END PRIVATE KEY-----''' >/usr/local/nginx/conf/ssl/server.key"""

sudo sh -c """echo '''-----BEGIN CERTIFICATE-----
… your certificate ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
… append zero or more intermediate certs in order ...
-----END CERTIFICATE-----''' >/usr/local/nginx/conf/ssl/server.crt-bundle"""


# Create directory to include static SCTs
sudo mkdir /usr/local/nginx/conf/ssl/scts

# Grab a tool to submit certificates to log servers
wget -O ct-submit.zip https://github.com/grahamedgecombe/ct-submit/archive/master.zip
unzip ct-submit.zip
cd ct-submit-master/
go build

# Submit your cert chain to logs as appropriate, and write out SCTs:
sudo sh -c "./ct-submit-master ct.googleapis.com/aviator \
  </usr/local/nginx/conf/ssl/server.crt-bundle \
  >/usr/local/nginx/conf/ssl/scts/aviator.sct"
sudo sh -c "./ct-submit-master ct.googleapis.com/pilot \
  </usr/local/nginx/conf/ssl/server.crt-bundle \
  >/usr/local/nginx/conf/ssl/scts/pilot.sct"
sudo sh -c "./ct-submit-master ct.googleapis.com/rocketeer \
  </usr/local/nginx/conf/ssl/server.crt-bundle \
  >/usr/local/nginx/conf/ssl/scts/rocketeer.sct"
sudo sh -c "./ct-submit-master ct1.digicert-ct.com/log \
  </usr/local/nginx/conf/ssl/server.crt-bundle \
  >/usr/local/nginx/conf/ssl/scts/digicert.sct"
sudo sh -c "./ct-submit-master ct.izenpe.com \
  </usr/local/nginx/conf/ssl/server.crt-bundle \
  >/usr/local/nginx/conf/ssl/scts/izenpe.sct"
sudo sh -c "./ct-submit-master log.certly.io \
  </usr/local/nginx/conf/ssl/server.crt-bundle \
  >/usr/local/nginx/conf/ssl/scts/certly.sct"

# Write a minimal nginx config to serve:
sudo sh -c """echo '''events {}

http {
server {
listen 443;

ssl on;
ssl_certificate /usr/local/nginx/conf/ssl/server.crt-bundle;
ssl_certificate_key /usr/local/nginx/conf/ssl/server.key;

ssl_ct on;
ssl_ct_static_scts /usr/local/nginx/conf/ssl/scts;
}
}''' > /usr/local/nginx/conf/nginx.conf"""

# Start server and test
sudo /usr/local/nginx/sbin/nginx
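Before starting nginx it is worth checking that each file in the scts directory really is one well-formed SCT, since nginx-ct serves them byte-for-byte. The script below is an added example, not part of the original instructions or of nginx-ct/ct-submit; it assumes the .sct files are raw v1 SignedCertificateTimestamp structures in the RFC 6962 TLS encoding, and it also shows how those files are wrapped into the list sent in the signed_certificate_timestamp TLS extension. Run it with the scts directory as its argument (default: the path used in the config above).

```python
import struct
import sys
from datetime import datetime, timezone
from pathlib import Path

# One v1 SCT on the wire (RFC 6962 section 3.2), assumed to be what ct-submit writes
# and nginx-ct reads: uint8 version (0), 32-byte log id, uint64 timestamp in ms,
# 2-byte-length-prefixed extensions, hash alg, sig alg, 2-byte-length-prefixed signature.
HEADER = struct.Struct(">B32sQH")


def parse_sct(data: bytes) -> dict:
    """Decode one raw SCT, raising ValueError if it is not a well-formed v1 SCT."""
    if len(data) < HEADER.size + 4:
        raise ValueError("too short to be an SCT")
    version, log_id, timestamp_ms, ext_len = HEADER.unpack_from(data)
    if version != 0:
        raise ValueError("unsupported SCT version %d" % version)
    pos = HEADER.size + ext_len
    if len(data) < pos + 4:
        raise ValueError("truncated inside extensions")
    hash_alg, sig_alg, sig_len = struct.unpack_from(">BBH", data, pos)
    if len(data) != pos + 4 + sig_len:
        raise ValueError("signature length does not match file size")
    return {
        "log_id": log_id.hex(),
        "timestamp": datetime.fromtimestamp(timestamp_ms / 1000, tz=timezone.utc),
        "hash_alg": hash_alg,  # 4 = SHA-256 (TLS SignatureAndHashAlgorithm)
        "sig_alg": sig_alg,    # 3 = ECDSA, 1 = RSA
        "signature": data[pos + 4:],
    }


def encode_sct_list(scts) -> bytes:
    """SignedCertificateTimestampList as carried in the signed_certificate_timestamp
    TLS extension: each SCT is 2-byte-length-prefixed, then the whole list is."""
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body


# Constructed sample (not from a real log): all-0x11 log id, 2015-05-14 00:00 UTC,
# SHA-256/ECDSA, 4-byte dummy signature.
SAMPLE_SCT = HEADER.pack(0, b"\x11" * 32, 1431561600000, 0) + struct.pack(">BBH", 4, 3, 4) + b"\xde\xad\xbe\xef"

if __name__ == "__main__":
    sct_dir = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/nginx/conf/ssl/scts"
    for path in sorted(Path(sct_dir).glob("*.sct")):
        try:
            info = parse_sct(path.read_bytes())
            print("%s: log %s... issued %s" % (path.name, info["log_id"][:16], info["timestamp"]))
        except ValueError as exc:
            print("%s: ERROR %s" % (path.name, exc))
```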