Text | Yang Yang (Alibaba alias: Kai Shen)
Senior Technical Expert, Ant Group
Responsible for cryptography engineering capability building and for building the BabaSSL open-source community
This article is 2,366 words, about a 5-minute read.
Recently, Tengine, the well-known Chinese open-source web server and reverse proxy, completed its adaptation to BabaSSL.
Tengine now calls the dedicated APIs provided by BabaSSL and adds support for NTLS-related capabilities.
See the Pull Request for details: https://github.com/alibaba/tengine/pull/1595
From now on, users who need the secure communication protocols of China's commercial cryptography industry can use the Tengine + BabaSSL combination directly. No additional patches or code changes are required, which makes deployment more convenient for users.
PART. 1 NTLS
At present there are two main technical standards for communication protocols in China's commercial cryptography industry. One is TLCP, the Transport Layer Cryptography Protocol, released by the Cryptography Industry Standardization Technical Committee (密标委) in 2020; the other is GM/T 0024 "SSL VPN Technical Specification" (hereinafter referred to as 0024), published by the same committee in 2012.
The contents of TLCP and 0024 do not differ much. Both are derived from the TLS protocol. Their main feature is that the commercial cryptographic algorithms SM2, SM3 and SM4 are applied to TLS, and an SM2-based key exchange replaces the original TLS key exchange.
Another notable feature of TLCP and 0024 is that the single digital certificate used by TLS is split into two certificates, one for encryption and one for signing. The encryption certificate, the signing certificate and their corresponding private keys must all be configured and used, so TLCP and 0024 are commonly known as the national cryptography (国密) "dual-certificate" protocols.
BabaSSL supports both of these national cryptography dual-certificate protocols and refers to them collectively as NTLS.
NTLS stands for National TLS, the transport layer security protocol approved in China, so it can also be called national cryptography TLS (国密 TLS).
NTLS therefore does not refer to one specific network protocol that meets the commercial cryptography standards, but is a general term for several of them; in BabaSSL it covers the TLCP and 0024 dual-certificate protocols. Because NTLS works differently from standard TLS, new APIs have been added to BabaSSL to support it. An application that wants to use NTLS must call these new APIs, which means additional development work for existing applications built on the OpenSSL API.
PART. 2 Tengine + BabaSSL
Tengine is a web server project initiated by Taobao. Building on Nginx, it adds many advanced functions and features to meet the needs of high-traffic websites.
The performance and stability of Tengine have been thoroughly tested on large websites (such as Taobao and Tmall). Its ultimate goal is to be an efficient, stable, secure and easy-to-use web platform.
As a well-known open-source web server in China, Tengine is widely used across many fields and enjoys a strong reputation.
BabaSSL is a lightweight, flexible and reliable cryptography and TLS protocol toolkit. It is the underlying cryptographic library for the core businesses of Ant Group and Alibaba Group and is now open source for the industry to use. BabaSSL is widely used in networking, storage and mobile app scenarios.
Tengine derives from Nginx, so it uses OpenSSL by default. This time, Tengine has been adapted to the NTLS function of BabaSSL: if users choose BabaSSL as Tengine's underlying cryptographic library for transport encryption, they can enable NTLS natively without any code changes to Tengine.
PART. 3 Tengine enable NTLS
Specifically, several new directives have been added to Tengine to support NTLS.
1. Download BabaSSL and Tengine
- Download the BabaSSL source package from:
  https://github.com/BabaSSL/BabaSSL/releases
- Get the latest Tengine code with git clone:
  git clone https://github.com/alibaba/tengine.git
2. Compile BabaSSL and Tengine
Run Tengine's configure script with the following options (the --with-openssl path points at the unpacked BabaSSL source tree, and enable-ntls builds BabaSSL with NTLS support):
  ./configure --add-module=modules/ngx_openssl_ntls \
      --with-openssl=../path/to/BabaSSL \
      --with-openssl-opt="--strict-warnings enable-ntls" \
      --with-http_ssl_module --with-stream \
      --with-stream_ssl_module --with-stream_sni
3. Configure Tengine to enable NTLS
An example of a Tengine configuration file with NTLS enabled:
  worker_processes 1;

  events {
      worker_connections 1024;
  }

  http {
      include mime.types;
      default_type application/octet-stream;

      server {
          listen 443 ssl;
          server_name localhost;

          enable_ntls on;
          ssl_sign_certificate     server_sign.crt;
          ssl_sign_certificate_key server_sign.key;
          ssl_enc_certificate      server_enc.crt;
          ssl_enc_certificate_key  server_enc.key;

          location / {
              return 200 "body $ssl_protocol:$ssl_cipher";
          }
      }
  }

  stream {
      server {
          listen 8443 ssl;

          enable_ntls on;
          ssl_sign_certificate     server_sign.crt;
          ssl_sign_certificate_key server_sign.key;
          ssl_enc_certificate      server_enc.crt;
          ssl_enc_certificate_key  server_enc.key;

          return "body $ssl_protocol:$ssl_cipher";
      }
  }
4. Test NTLS
Tengine with NTLS enabled can be tested with the s_client tool of the openssl binary built from BabaSSL.
For the specific steps, see:
https://babassl.readthedocs.io/zh/latest/Tutorial/SM/ntls/
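The four steps above leave two things to the reader: where the dual certificates come from, and how to confirm that a client really negotiated NTLS rather than falling back to ordinary TLS. The script below is an added example, not code from the article or from the Tengine/BabaSSL projects. It assumes a BabaSSL build with enable-ntls supplies the openssl binary (override with OPENSSL=/path/to/BabaSSL/apps/openssl), that ecparam accepts -name SM2, that req and x509 accept -sm3 for SM2 keys, that s_client accepts -enable_ntls and -ntls, and that its transcript reports "Protocol  : NTLSv1.1" with an SM2/SM4/SM3 cipher-suite name; these strings are taken from the BabaSSL tutorial and may differ between versions. The keyUsage split (signing-only versus key-establishment-only) is the certificate-level expression of the dual-certificate design described in PART 1. The sample transcripts are constructed for the offline self-check.

```shell
#!/bin/sh
# Added example: issue a throwaway SM2 dual-certificate set for Tengine and
# verify with BabaSSL's s_client that NTLS (not plain TLS) was negotiated.
# Assumption: "openssl" is BabaSSL built with enable-ntls; override via OPENSSL.
set -eu

OPENSSL="${OPENSSL:-openssl}"
HOST="${HOST:-127.0.0.1}"
PORT="${PORT:-443}"

# Issue one SM2 certificate from the local test CA. keyUsage is what separates
# the two roles: the signing certificate may only sign, the encryption
# certificate may only be used for key establishment.
#   $1 = file basename, $2 = CN, $3 = keyUsage list
issue_sm2_cert() {
    "$OPENSSL" ecparam -genkey -name SM2 -out "$1.key"
    "$OPENSSL" req -new -sm3 -key "$1.key" \
        -subj "/C=CN/O=Example/CN=$2" -out "$1.csr"
    printf 'keyUsage = critical, %s\n' "$3" > "$1.ext"
    "$OPENSSL" x509 -req -sm3 -days 365 -in "$1.csr" \
        -CA ca.crt -CAkey ca.key -CAcreateserial -extfile "$1.ext" -out "$1.crt"
}

# Test CA plus the server's signing and encryption pair, named as in the
# article's Tengine configuration (server_sign.* and server_enc.*).
make_dual_certs() {
    "$OPENSSL" ecparam -genkey -name SM2 -out ca.key
    "$OPENSSL" req -new -x509 -sm3 -days 3650 -key ca.key \
        -subj "/C=CN/O=Example/CN=Example SM2 Test CA" -out ca.crt
    issue_sm2_cert server_sign "$HOST" "digitalSignature, nonRepudiation"
    issue_sm2_cert server_enc  "$HOST" "keyAgreement, keyEncipherment, dataEncipherment"
}

# -enable_ntls turns the feature on, -ntls makes the client offer NTLS instead
# of standard TLS, -CAfile lets s_client verify the server against the test CA.
probe_server() {
    "$OPENSSL" s_client -connect "$HOST:$PORT" -enable_ntls -ntls \
        -CAfile ca.crt </dev/null
}

# Read an s_client transcript on stdin; succeed only if the negotiated protocol
# is NTLS and the cipher suite is an SM2/SM4/SM3 suite. A server that quietly
# fell back to ordinary TLS fails this check.
ntls_negotiated() {
    awk '
        /^ *Protocol *:/ { proto  = $NF }
        /^ *Cipher *:/   { cipher = $NF }
        END {
            ok = (proto ~ /^NTLS/) && (cipher ~ /SM2/) && (cipher ~ /SM4/) && (cipher ~ /SM3/)
            exit (ok ? 0 : 1)
        }'
}

# Read an s_client transcript on stdin; succeed only if verification against
# -CAfile returned 0 (ok).
chain_verified() {
    awk '/^Verify return code:/ { code = $4 } END { exit (code == "0") ? 0 : 1 }'
}

# Constructed, trimmed sample transcripts for the offline self-check.
NTLS_SAMPLE='CONNECTED(00000003)
---
New, NTLSv1.1, Cipher is ECC-SM2-WITH-SM4-SM3
    Protocol  : NTLSv1.1
    Cipher    : ECC-SM2-WITH-SM4-SM3
Verify return code: 0 (ok)'

TLS_SAMPLE='CONNECTED(00000003)
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
Verify return code: 18 (self signed certificate)'

# Returns 0 when both checks classify both constructed samples correctly.
selftest() {
    printf '%s\n' "$NTLS_SAMPLE" | ntls_negotiated || return 1
    printf '%s\n' "$NTLS_SAMPLE" | chain_verified  || return 1
    if printf '%s\n' "$TLS_SAMPLE" | ntls_negotiated; then return 1; fi
    if printf '%s\n' "$TLS_SAMPLE" | chain_verified;  then return 1; fi
    return 0
}

case "${1:-selftest}" in
    certs)    make_dual_certs ;;
    probe)    probe_server | tee ntls_probe.txt
              ntls_negotiated < ntls_probe.txt && chain_verified < ntls_probe.txt \
                  && echo "OK: NTLS negotiated and certificate chain verified" ;;
    selftest) selftest && echo "selftest passed" ;;
esac
```

Run it with no arguments to exercise the transcript checks offline; `certs` writes ca.crt and the server_sign.*/server_enc.* files to copy into Tengine's configuration directory; after starting Tengine, `probe` connects and fails unless both the protocol line reads NTLS with an SM suite and the chain verifies. Checking the protocol line matters because a server block that also carries a standard ssl_certificate can serve plain TLS on the same port, so a successful connection alone does not prove the national-cryptography suite was used.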
PART. 4 Summary
With the growth of Internet business, data has become a core element affecting people's everyday lives.
Data security and personal information protection have therefore become more important, and China has recently enacted legislation in the field of data security.
Cryptography, as the foundational technical capability of the whole information security field, has a major impact on data security. At the same time, the cryptography industry is subject to strong national regulation, so applying and deploying its technologies has particular requirements.
As an open-source cryptographic library, one of BabaSSL's core goals is to provide users with compliant technical capabilities, so that they can more easily apply state-approved technical standards when required, satisfying technical compliance while also meeting data security needs.
As a well-known open-source web server and reverse proxy in China, Tengine is widely used across Chinese industries and is key open-source software for encrypting network communication. Tengine's official adaptation to and support for BabaSSL lets users take advantage of BabaSSL's commercial cryptographic capabilities more conveniently, and will further expand the use of commercial cryptographic algorithms across industries.
BabaSSL will continue to evolve in the direction of technical compliance and cutting-edge cryptography in the future, bringing users an efficient, easy-to-use, secure and stable cryptography basic library.
The code for BabaSSL is currently hosted on GitHub: https://github.com/BabaSSL/BabaSSL
Developers are welcome to take part in building BabaSSL and contribute to the development and growth of China's cryptography industry!