Opened 18 months ago

Closed 18 months ago

Last modified 7 months ago

#2503 closed defect (invalid)

Unable to build nginx quic

Reported by: Karthikdasari0423@…
Owned by:
Priority: critical
Milestone: nginx-1.26
Component: http/3
Version: 1.19.x
Keywords: nginx quic http/3
Cc: Karthikdasari0423@…
uname -a: Linux ubuntu 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.18.0 (Ubuntu)
built with OpenSSL 3.0.2 15 Mar 2022
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -ffile-prefix-map=/build/nginx-d8gVax/nginx-1.18.0=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --add-dynamic-module=/build/nginx-d8gVax/nginx-1.18.0/debian/modules/http-geoip2 --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module

Description

I am trying to build nginx quic with nginx version as release-1.25.0 but facing below error

src/os/unix/ngx_thread_mutex.c

cc -c -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -I/src/boringssl/include -I src/core -I src/event -I src/event/modules -I src/event/quic -I src/os/unix -I objs \

-o objs/src/os/unix/ngx_thread_id.o \
src/os/unix/ngx_thread_id.c

cc -c -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -I/src/boringssl/include -I src/core -I src/event -I src/event/modules -I src/event/quic -I src/os/unix -I objs \

-o objs/src/event/ngx_event_openssl.o \
src/event/ngx_event_openssl.c

src/event/ngx_event_openssl.c: In function ‘ngx_ssl_get_curve’:
src/event/ngx_event_openssl.c:5110:20: error: ‘TLSEXT_nid_unknown’ undeclared (first use in this function)

5110 | if ((nid & TLSEXT_nid_unknown) == 0) {

| ~

src/event/ngx_event_openssl.c:5110:20: note: each undeclared identifier is reported only once for each function it appears in
make[1]: *** [objs/Makefile:999: objs/src/event/ngx_event_openssl.o] Error 1
make[1]: Leaving directory '/src/nginx-quic'
make: *** [Makefile:10: build] Error 2
root@ubuntu:/src/nginx-quic#

Could you please confirm whether this is a known issue, or am I missing anything?

Commands I ran

cd /src/nginx-quic/
auto/configure `nginx -V 2>&1 | sed "s/ \-\-/ \\\ \n\t--/g" | grep -v -e 'http-geoip2' | grep "\-\-" | grep -ve opt= -e param= -e build=` --build=nginx-quic --with-debug --with-http_v3_module --with-cc-opt="-I/src/boringssl/include" --with-ld-opt="-L/src/boringssl/build/ssl -L/src/boringssl/build/crypto"
make

Change History (12)

comment:1 by Karthikdasari0423@…, 18 months ago

comment:2 by Karthikdasari0423@…, 18 months ago

Just a small update:
I tried with the old commit (https://github.com/google/boringssl/commit/2da5ba91205f9f3cbb423064e11c165580307f82) and nginx is fine.

With the latest boringssl I am facing the issue.

in reply to:  1 ; comment:3 by Sergey Kandaurov, 18 months ago

Replying to Karthikdasari0423@…:

i believe this is the commit causing the issue

https://boringssl.googlesource.com/boringssl/+/6cf98208371e5c2c8b9d34ce3b8c452ea90e2963

That's true. This commit caused build to fail with BoringSSL.
The reason is that SSL_get_negotiation_group, as documented in OpenSSL, may return TLSEXT_nid_unknown for unknown groups. This seems to be nonsense, but still we have to comply.
BoringSSL added this function in the recent days, and corresponding nginx code now builds with it. BoringSSL is going smarter, it doesn't use TLSEXT_nid_unknown, so it was not added there. Well, it was there long ago, removed together with SSL_get1_curves().

Can you please retry with the most recent BoringSSL? It should be fixed now in https://boringssl.googlesource.com/boringssl/+/28c24092e39bfd70852afa2923a3d12d2e9be2f5

Last edited 18 months ago by Sergey Kandaurov
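The check that failed to compile, shown as an added example that is not nginx or BoringSSL code: per the comment above, an unknown group is reported with the TLSEXT_nid_unknown bit set, so a caller must test that bit before treating the value as a NID. `format_group` and `demo_nid2sn` are hypothetical names, the `#ifndef` guard is an illustration rather than the fix that was applied upstream, `0x1000000` is the value OpenSSL's `tls1.h` gives the macro, and the group id `0x6399` is a constructed sample.

```c
#include <stdio.h>
#include <string.h>

/* OpenSSL declares this in <openssl/tls1.h>. A TLS library that omits it
 * breaks every caller that tests the bit, so guard it at compile time. */
#ifndef TLSEXT_nid_unknown
#define TLSEXT_nid_unknown 0x1000000
#endif

/* Constructed stand-in for OBJ_nid2sn(): two NIDs only, for illustration. */
static const char *demo_nid2sn(int nid)
{
    switch (nid) {
    case 415:  return "prime256v1";   /* NID_X9_62_prime256v1 */
    case 1034: return "X25519";       /* NID_X25519 */
    default:   return NULL;
    }
}

/* Render a negotiated-group value; returns bytes written or -1 on error. */
int format_group(int nid, char *buf, size_t len)
{
    int n;

    if (nid == 0) {                          /* NID_undef: nothing negotiated */
        return -1;
    }
    if ((nid & TLSEXT_nid_unknown) == 0) {   /* known group: print its name */
        const char *sn = demo_nid2sn(nid);
        if (sn == NULL) {
            return -1;
        }
        n = snprintf(buf, len, "%s", sn);
    } else {                                 /* unknown group: print the id */
        n = snprintf(buf, len, "0x%04x", (unsigned) (nid & 0xffff));
    }
    return (n < 0 || (size_t) n >= len) ? -1 : n;   /* reject truncation */
}

int main(void)
{
    char buf[32];

    if (format_group(TLSEXT_nid_unknown | 0x6399, buf, sizeof(buf)) > 0) {
        printf("negotiated group: %s\n", buf);
    }
    return 0;
}
```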

in reply to:  3 comment:4 by Karthikdasari0423@…, 18 months ago

Replying to Sergey Kandaurov:

Replying to Karthikdasari0423@…:

i believe this is the commit causing the issue

https://boringssl.googlesource.com/boringssl/+/6cf98208371e5c2c8b9d34ce3b8c452ea90e2963

That's true. This commit caused build to fail with BoringSSL.
The reason is that SSL_get_negotiation_group, as documented in OpenSSL, may return TLSEXT_nid_unknown for unknown groups. This seems to be nonsense, but still we have to comply.
BoringSSL added this function in the recent days, and corresponding nginx code now builds with it. BoringSSL is going smarter, it doesn't use TLSEXT_nid_unknown, so it was not added there. Well, it was there long ago, removed together with SSL_get1_curves().

Can you please retry with the most recent BoringSSL? It should be fixed now in https://boringssl.googlesource.com/boringssl/+/28c24092e39bfd70852afa2923a3d12d2e9be2f5

I tried with the latest boringssl and am able to build nginx quic.

Thank you Sergey Kandaurov.

comment:5 by Karthikdasari0423@…, 18 months ago

Please feel free to close this ticket.

comment:6 by Maxim Dounin, 18 months ago

Resolution: invalid
Status: new → closed

Thanks for the update, closing this.

comment:7 by Karthikdasari0423@…, 18 months ago

Thank you Maxim Dounin for closing this bug.
Can you please explain why you have marked this bug as Invalid?
This bug is a valid bug and I would recommend you mark it as Closed or Resolved but not as Invalid.

comment:8 by Karthikdasari0423@…, 18 months ago

Resolution: invalid
Status: closed → reopened

comment:9 by Karthikdasari0423@…, 18 months ago

Re-opening this bug because I would recommend marking it as Closed or Resolved but not as Invalid.

comment:10 by Maxim Dounin, 18 months ago

Resolution: invalid
Status: reopened → closed

It's not a bug in nginx, but a bug in BoringSSL (which is now fixed). As such, this ticket is closed as invalid.

comment:11 by Karthikdasari0423@…, 18 months ago

Okay, got it.
Thank you Maxim Dounin.

comment:12 by m.herasimovich, 7 months ago

Milestone: nginx-1.25 → nginx-1.26

Milestone renamed
