Post-Quantum-Mesh/nginx-oqs

Post-Quantum NGINX Deployment

Open source implementation of quantum-resistant encryption algorithms for modular TLS communication

Components

Quantum-Resistant Library/TLS Protocol

NGINX Build

Overview

NGINX TLS Handshake Diagram

Quick Start

Local Environment Setup

Note:

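  • ./configure commands followed by indented parameters (e.g. ./configure --prefix=/usr/local) are single commands continued across lines
  • All installation paths assume /usr/local as the install directory, so start each step from /usr/local (later steps refer to /usr/local/zlib-1.2.12 and /usr/local/openssl)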
  1. Update package manager

     apt-get update
    
  2. Install Dependencies and Compiler

     apt-get install -y gcc build-essential libpcre3 libpcre3-dev zlib1g zlib1g-dev libssl-dev libgd-dev \
       libxml2 libxml2-dev uuid-dev astyle doxygen libperl-dev wget make git autoconf automake unzip \
       patch virtualenv docker-compose jq libunwind-dev pkg-config python3 python3-pip python3-psutil \
       cmake ninja-build
    
  3. Install PCRE

     wget https://github.com/PhilipHazel/pcre2/releases/download/pcre2-10.39/pcre2-10.39.tar.gz
     tar -xzf pcre2-10.39.tar.gz
     cd pcre2-10.39
     ./configure
     make
     make install
    
  4. Install zlib

     wget http://zlib.net/zlib-1.2.12.tar.gz
     tar -xzf zlib-1.2.12.tar.gz
     cd zlib-1.2.12
     ./configure
     make
     make install
    
  5. Install OpenSSL

     wget http://www.openssl.org/source/openssl-1.1.1g.tar.gz
     tar -xzf openssl-1.1.1g.tar.gz
     cd openssl-1.1.1g
     ./config
     make
     make install
    
  6. Install OQS-OpenSSL Fork (with liboqs)

     git clone --branch OQS-OpenSSL_1_1_1-stable https://github.com/open-quantum-safe/openssl.git
     git clone --branch main https://github.com/open-quantum-safe/liboqs.git
     cd liboqs
     mkdir build && cd build
     cmake -GNinja -DCMAKE_INSTALL_PREFIX=/usr/local/openssl/oqs ..
     ninja
     ninja install
     cd /usr/local/openssl
     ./config --openssldir=/usr/local/ssl
     make
    
  7. Install NGINX Stable From Source (currently using stable 1.20.0)

     wget http://nginx.org/download/nginx-1.20.0.tar.gz 
     tar -xzf nginx-1.20.0.tar.gz
     cd nginx-1.20.0
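     # --with-openssl builds nginx against the OQS-OpenSSL source tree from step 6 and links
     # libcrypto.a statically; the sed line below only has an effect when it is set
     ./configure \
         --prefix=/usr/local/nginx \
         --sbin-path=/usr/sbin/nginx \
         --with-debug \
         --with-pcre \
         --with-zlib=/usr/local/zlib-1.2.12 \
         --without-http_gzip_module \
         --with-http_stub_status_module \
         --with-http_ssl_module \
         --with-openssl=/usr/local/openssl \
         --modules-path=/etc/nginx/modules \
         --with-cc-opt="-I/usr/local/openssl/oqs/include" \
         --with-ld-opt="-L/usr/local/openssl/oqs/lib"
     # Add liboqs to the link line next to the static libcrypto.a
     sed -i "s/libcrypto.a/libcrypto.a -loqs/g" objs/Makefile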
     make
     make install
    
  8. Verify Installation

     nginx -V
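
One way to act on the `nginx -V` output from step 8, as an added example that is not part of this repository: a shell function that checks the version and the TLS/liboqs configure arguments from step 7. The function name `check_nginx_build` and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the repository): audit `nginx -V` output against step 7.
# Usage on a real build (nginx -V writes to stderr): nginx -V 2>&1 | check_nginx_build

EXPECTED_VERSION='nginx/1.20.0'
# Configure arguments from step 7 that make the build TLS- and liboqs-aware.
REQUIRED_ARGS='--with-http_ssl_module
-I/usr/local/openssl/oqs/include
-L/usr/local/openssl/oqs/lib'

# Constructed sample of `nginx -V` output; compiler and OpenSSL strings are illustrative.
SAMPLE_NGINX_V='nginx version: nginx/1.20.0
built by gcc 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)
built with OpenSSL 1.1.1g  21 Apr 2020
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-debug --with-http_ssl_module --with-cc-opt=-I/usr/local/openssl/oqs/include --with-ld-opt=-L/usr/local/openssl/oqs/lib'

# Reads `nginx -V` output on stdin, prints findings, returns 1 if anything is missing.
check_nginx_build() {
    out=$(cat)
    rc=0
    ver=$(printf '%s\n' "$out" | sed -n 's/^nginx version: //p')
    if [ "$ver" != "$EXPECTED_VERSION" ]; then
        echo "FAIL version: got '${ver:-none}', want $EXPECTED_VERSION"; rc=1
    fi
    # nginx prints this line only when it was compiled with OpenSSL support.
    if ! printf '%s\n' "$out" | grep -q '^built with OpenSSL '; then
        echo "FAIL no 'built with OpenSSL' line: TLS support is not compiled in"; rc=1
    fi
    args=$(printf '%s\n' "$out" | sed -n 's/^configure arguments: //p')
    old_ifs=$IFS
    IFS='
'
    for want in $REQUIRED_ARGS; do
        case "$args" in
            *"$want"*) ;;
            *) echo "FAIL missing configure argument: $want"; rc=1 ;;
        esac
    done
    IFS=$old_ifs
    if [ "$rc" -eq 0 ]; then echo "OK build matches the step 7 configuration"; fi
    return "$rc"
}
```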
    

TLS Demo

Startup TLS Server:

Open one terminal and run the following command:

./init.sh

The following commands will be run by the shell script:

sudo docker build -t tls-test-img .
sudo docker network create test_net
sudo docker run --network test_net --name tls-test-img -p 4433:4433 tls-test-img

Query TLS Server:

In a second terminal, run the following command:

./query.sh

The following command runs the curl image built with quantum-safe crypto support. It can be used to retrieve data from any OQS-enabled TLS 1.3 server as follows (the -k flag makes curl skip certificate verification):

sudo docker run --network test_net -it openquantumsafe/curl curl -k https://tls-test-img:4433 -e SIG_ALG=dilithium3

Terminate TLS Server:

In a second terminal, run the following command:

./kill.sh

The following commands will be run by the shell script:

sudo docker kill tls-test-img
sudo docker container prune -f
sudo docker network prune -f
