#2503 closed defect (invalid)
Unable to build nginx quic
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | critical | Milestone: | nginx-1.26 |
| Component: | http/3 | Version: | 1.19.x |
| Keywords: | nginx quic http/3 | Cc: | Karthikdasari0423@… |
| uname -a: | Linux ubuntu 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux | ||
| nginx -V: |
nginx version: nginx/1.18.0 (Ubuntu)
built with OpenSSL 3.0.2 15 Mar 2022 TLS SNI support enabled configure arguments: --with-cc-opt='-g -O2 -ffile-prefix-map=/build/nginx-d8gVax/nginx-1.18.0=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --add-dynamic-module=/build/nginx-d8gVax/nginx-1.18.0/debian/modules/http-geoip2 --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module |
||
Description
I am trying to build nginx quic with nginx version as release-1.25.0 but facing below error
src/os/unix/ngx_thread_mutex.c
cc -c -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -I/src/boringssl/include -I src/core -I src/event -I src/event/modules -I src/event/quic -I src/os/unix -I objs \
-o objs/src/os/unix/ngx_thread_id.o \
src/os/unix/ngx_thread_id.c
cc -c -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -I/src/boringssl/include -I src/core -I src/event -I src/event/modules -I src/event/quic -I src/os/unix -I objs \
-o objs/src/event/ngx_event_openssl.o \
src/event/ngx_event_openssl.c
src/event/ngx_event_openssl.c: In function ‘ngx_ssl_get_curve’:
src/event/ngx_event_openssl.c:5110:20: error: ‘TLSEXT_nid_unknown’ undeclared (first use in this function)
5110 | if ((nid & TLSEXT_nid_unknown) == 0) {
|
~
src/event/ngx_event_openssl.c:5110:20: note: each undeclared identifier is reported only once for each function it appears in
make[1]: * [objs/Makefile:999: objs/src/event/ngx_event_openssl.o] Error 1
make[1]: Leaving directory '/src/nginx-quic'
make: * [Makefile:10: build] Error 2
root@ubuntu:/src/nginx-quic#
Could you please confirm is this known issue or am i missing anything?
Commands i ran
cd /src/nginx-quic/
auto/configure nginx -V 2>&1 | sed "s/ \-\-/ \\\ \n\t--/g" | grep -v -e 'http-geoip2' | grep "\-\-" | grep -ve opt= -e param= -e build= --build=nginx-quic --with-debug --with-http_v3_module --with-cc-opt="-I/src/boringssl/include" --with-ld-opt="-L/src/boringssl/build/ssl -L/src/boringssl/build/crypto"
make
Change History (12)
follow-up: 3 comment:1 by , 12 months ago
comment:2 by , 12 months ago
Just a small update
i tried with the old commit(https://github.com/google/boringssl/commit/2da5ba91205f9f3cbb423064e11c165580307f82) and nginx is fine
with latest boringssl facing the issue
follow-up: 4 comment:3 by , 12 months ago
Replying to Karthikdasari0423@…:
i believe this is the commit causing the issue
https://boringssl.googlesource.com/boringssl/+/6cf98208371e5c2c8b9d34ce3b8c452ea90e2963
That's true. This commit caused build to fail with BoringSSL.
The reason is that SSL_get_negotiation_group, as documented in OpenSSL, may return TLSEXT_nid_unknown for unknown groups. This seems to be a non-sense, but still we have to comply.
BoringSSL added this function in the recent days, and corresponding nginx code now builds with it. BoringSSL is going smarter, it doesn't use TLSEXT_nid_unknown, so it was not added there. Well, it was there long ago, removed together with SSL_get1_curves().
Can you please retry with the most recent BoringSSL ? It should be fixed now in https://boringssl.googlesource.com/boringssl/+/28c24092e39bfd70852afa2923a3d12d2e9be2f5
comment:4 by , 12 months ago
Replying to Sergey Kandaurov:
Replying to Karthikdasari0423@…:
i believe this is the commit causing the issue
https://boringssl.googlesource.com/boringssl/+/6cf98208371e5c2c8b9d34ce3b8c452ea90e2963
That's true. This commit caused build to fail with BoringSSL.
The reason is that SSL_get_negotiation_group, as documented in OpenSSL, may return TLSEXT_nid_unknown for unknown groups. This seems to be a non-sense, but still we have to comply.
BoringSSL added this function in the recent days, and corresponding nginx code now builds with it. BoringSSL is going smarter, it doesn't use TLSEXT_nid_unknown, so it was not added there. Well, it was there long ago, removed together with SSL_get1_curves().
Can you please retry with the most recent BoringSSL ? It should be fixed now in https://boringssl.googlesource.com/boringssl/+/28c24092e39bfd70852afa2923a3d12d2e9be2f5
i tried with latest boringssl and able to build nginx quic.
Thank you Sergey Kandaurov.
comment:6 by , 12 months ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
Thanks for the update, closing this.
comment:7 by , 12 months ago
Thank you Maxim Dounin for closing this bug.
Can you please explain why you have marked this bug as Invalid.
This bug is valid bug and i would recommend you to mark it as Closed or Resolved but not as invalid.
comment:8 by , 12 months ago
| Resolution: | invalid |
|---|---|
| Status: | closed → reopened |
comment:9 by , 12 months ago
Re-opening this bug cause i would recommend to mark it as Closed or Resolved but not as Invalid.
comment:10 by , 12 months ago
| Resolution: | → invalid |
|---|---|
| Status: | reopened → closed |
It's not a bug in nginx, but a bug in BoringSSL (which is now fixed). As such, this ticket is closed as invalid.
i believe this is the commit causing the issue
https://boringssl.googlesource.com/boringssl/+/6cf98208371e5c2c8b9d34ce3b8c452ea90e2963