Opened 3 years ago

Closed 3 years ago

Last modified 2 years ago

#860 closed defect (wontfix)

NGINX 1.9.9 fails to build against OpenSSL 1.1.0

Reported by: poralix@…
Owned by:
Priority: minor
Milestone:
Component: nginx-core
Version: 1.9.x
Keywords: nginx-1.9.9 openssl-1.1.0
Cc: alexey@…
uname -a: Linux xxx.xxxxxxx.net 2.6.32-573.8.1.el6.x86_64 #1 SMP Tue Nov 10 18:01:38 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.9.9 built by gcc 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC) built with OpenSSL 1.0.2e 3 Dec 2015 TLS SNI support enabled configure arguments: --prefix=/usr/local/etc/nginx --with-cc-opt=''-I /usr/local/include'' --with-ld-opt=''-L /usr/local/lib'' --conf-path=/usr/local/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --user=apache --group=access --http-client-body-temp-path=/var/nginx/client_body_temp --http-proxy-temp-path=/var/nginx/proxy_temp --http-fastcgi-temp-path=/var/nginx/fastcgi_temp --http-log-path=/var/log/nginx/access.log --with-http_addition_module --with-http_dav_module --with-http_flv_module --with-http_realip_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-pcre --without-http_autoindex_module --without-http_ssi_module --with-ipv6 --with-cc-opt=''-D FD_SETSIZE=32768'' --with-http_v2_module --with-openssl=/usr/local/src/nginx-1.9.9/openssl-1.0.2e

Description

Hello,

I'm facing an issue with building NGINX 1.9.9 against OpenSSL 1.1.0. I've got the following details:

"./configure" \
    "--prefix=/usr/local/etc/nginx" \
    "--with-cc-opt='-I /usr/local/include'" \
    "--with-ld-opt='-L /usr/local/lib'" \
    "--conf-path=/usr/local/etc/nginx/nginx.conf" \
    "--sbin-path=/usr/local/sbin/nginx" \
    "--pid-path=/var/run/nginx.pid" \
    "--error-log-path=/var/log/nginx/error.log" \
    "--user=apache" \
    "--group=access" \
    "--http-client-body-temp-path=/var/nginx/client_body_temp" \
    "--http-proxy-temp-path=/var/nginx/proxy_temp" \
    "--http-fastcgi-temp-path=/var/nginx/fastcgi_temp" \
    "--http-log-path=/var/log/nginx/access.log" \
    "--with-http_addition_module" \
    "--with-http_dav_module" \
    "--with-http_flv_module" \
    "--with-http_realip_module" \
    "--with-http_ssl_module" \
    "--with-http_stub_status_module" \
    "--with-http_sub_module" \
    "--with-pcre" \
    "--without-http_autoindex_module" \
    "--without-http_ssi_module" \
    "--with-ipv6" \
    "--with-cc-opt='-D FD_SETSIZE=32768'" \
    "--with-http_v2_module" \
    "--with-openssl=/usr/local/src/nginx-1.9.9/openssl-master/"

The final lines are as follows:

make[4]: Leaving directory `/usr/local/src/nginx-1.9.9/openssl-master/engines/ccgost'
make[3]: Leaving directory `/usr/local/src/nginx-1.9.9/openssl-master/engines'
making install in apps...
make[3]: Entering directory `/usr/local/src/nginx-1.9.9/openssl-master/apps'
installing openssl
installing CA.pl
installing tsget
make[3]: Leaving directory `/usr/local/src/nginx-1.9.9/openssl-master/apps'
making install in tools...
make[3]: Entering directory `/usr/local/src/nginx-1.9.9/openssl-master/tools'
make[3]: Leaving directory `/usr/local/src/nginx-1.9.9/openssl-master/tools'
installing libcrypto.a
installing libssl.a
cp libcrypto.pc /usr/local/src/nginx-1.9.9/openssl-master/.openssl/lib/pkgconfig
chmod 644 /usr/local/src/nginx-1.9.9/openssl-master/.openssl/lib/pkgconfig/libcrypto.pc
cp libssl.pc /usr/local/src/nginx-1.9.9/openssl-master/.openssl/lib/pkgconfig
chmod 644 /usr/local/src/nginx-1.9.9/openssl-master/.openssl/lib/pkgconfig/libssl.pc
cp openssl.pc /usr/local/src/nginx-1.9.9/openssl-master/.openssl/lib/pkgconfig
chmod 644 /usr/local/src/nginx-1.9.9/openssl-master/.openssl/lib/pkgconfig/openssl.pc
make[2]: Leaving directory `/usr/local/src/nginx-1.9.9/openssl-master'
cc -c -pipe  -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g '-D FD_SETSIZE=32768' -I src/core -I src/event -I src/event/modules -I src/os/unix -I /usr/local/src/nginx-1.9.9/openssl-master/.openssl/include -I objs \
                -o objs/src/core/nginx.o \
                src/core/nginx.c
cc1: warnings being treated as errors
src/core/nginx.c: In function 'ngx_show_version_info':
src/core/nginx.c:408: error: implicit declaration of function 'SSLeay'
src/core/nginx.c:408: error: 'SSLEAY_VERSION_NUMBER' undeclared (first use in this function)
src/core/nginx.c:408: error: (Each undeclared identifier is reported only once
src/core/nginx.c:408: error: for each function it appears in.)
src/core/nginx.c:414: error: implicit declaration of function 'SSLeay_version'
src/core/nginx.c:414: error: 'SSLEAY_VERSION' undeclared (first use in this function)
make[1]: *** [objs/src/core/nginx.o] Error 1
make[1]: Leaving directory `/usr/local/src/nginx-1.9.9'
make: *** [build] Error 2

Please let me know how to fix it.

Regards,
Alex.

Attachments (1)

nginx-openssl110pre5.patch (1.3 KB) - added by Gobelet@… 3 years ago.
Patch nginx-1.9.15 to allow compiling with openssl-1.1.0-pre5


Change History (18)

comment:1 Changed 3 years ago by pluknet

  • Status changed from new to accepted

comment:2 follow-up: Changed 3 years ago by mdounin

Note that OpenSSL 1.1.0 isn't yet released. What is available is an alpha version, and it introduces lots of API changes. No surprise that build fails.

comment:3 in reply to: ↑ 2 Changed 3 years ago by poralix@…

Yes, that's expected and clear. I hope it still deserves the nginx developers' attention, as it will be released sooner or later. I just tried to build NGINX with this version of OpenSSL 1.1.0 to get CHACHA20/POLY1305 ciphers and had to build it against OpenSSL-1.0.2-chacha, which ended successfully.

comment:4 Changed 3 years ago by mdounin

  • Component changed from documentation to nginx-core

comment:5 Changed 3 years ago by mdounin

  • Resolution set to fixed
  • Status changed from accepted to closed

A patch series with OpenSSL 1.1.0 support has been committed and will be available as a part of the next nginx release, 1.9.14. See 382fc7069e3a, 978ad80b3732, 9dd43f4ef67e, a57b2b8999e7, c256dfdd469d, ddf761495ce6, 45f2385a47e6, 3b77efe05b92 for details. These changes make nginx buildable with at least OpenSSL 1.1.0-pre4 (aka beta 1).

comment:6 Changed 3 years ago by Gobelet@…

Hello,

Nginx 1.9.15 does not compile with openssl-1.1.0-pre5. They made a few changes (they talk about opaque work on their website). As a result, nginx-1.9.15 will not compile anymore:

src/event/ngx_event_openssl.c: In function ‘ngx_ssl_dhparam’:
src/event/ngx_event_openssl.c:954:11: error: dereferencing pointer to incomplete type
         dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
           ^
src/event/ngx_event_openssl.c:955:11: error: dereferencing pointer to incomplete type
         dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
           ^
src/event/ngx_event_openssl.c:957:15: error: dereferencing pointer to incomplete type
         if (dh->p == NULL || dh->g == NULL) {
               ^
src/event/ngx_event_openssl.c:957:32: error: dereferencing pointer to incomplete type
         if (dh->p == NULL || dh->g == NULL) {
                                ^

I fixed it (I believe - at least it compiles, and I took an example from the OpenSSL tests source code) with the patch underneath. I have no idea how good or bad my modifications were, but it compiles successfully and seems to work.

I made it so that it still compiles with versions prior to openssl-1.1.0-pre5, and compiled successfully with openssl-1.0.2g and openssl-1.1.0-pre5. Use at your own risk, I'm just a tinkerer!

Last edited 3 years ago by Gobelet@…

Changed 3 years ago by Gobelet@…

Patch nginx-1.9.15 to allow compiling with openssl-1.1.0-pre5
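
The pre4/pre5 break reported in comments 5 and 6 can be told apart at compile time because the low nibble of OPENSSL_VERSION_NUMBER carries the pre-release number. The decoder below is an added example, not code from nginx or from the attached patch; the function names, the constructed sample values and the 0x10100005 cut-off (derived from the pre5 report above) are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Pre-3.0 OPENSSL_VERSION_NUMBER layout: 0xMNNFFPPS
 * M major, NN minor, FF fix, PP patch letter (1 = 'a'),
 * S status: 0 = dev, 1..e = pre-release N, f = release. */
struct ossl_ver { unsigned major, minor, fix, patch, status; };

static struct ossl_ver ossl_decode(unsigned long v)
{
    struct ossl_ver o;
    o.major  = (v >> 28) & 0xf;
    o.minor  = (v >> 20) & 0xff;
    o.fix    = (v >> 12) & 0xff;
    o.patch  = (v >> 4)  & 0xff;
    o.status = v & 0xf;
    return o;
}

/* Render e.g. "1.0.2g" or "1.1.0-pre5" into buf; returns buf.
 * Patch levels past 'z' are not rendered by this example. */
static const char *ossl_name(unsigned long v, char *buf, size_t len)
{
    struct ossl_ver o = ossl_decode(v);
    char letter[2] = { 0, 0 }, tag[16] = "";

    if (o.patch >= 1 && o.patch <= 26)
        letter[0] = (char) ('a' + o.patch - 1);
    if (o.status == 0)
        strcpy(tag, "-dev");
    else if (o.status != 0xf)
        snprintf(tag, sizeof(tag), "-pre%u", o.status);
    snprintf(buf, len, "%u.%u.%u%s%s", o.major, o.minor, o.fix, letter, tag);
    return buf;
}

/* Assumption from the thread: direct dh->p / dh->g access compiles up to
 * 1.1.0-pre4 and fails from 1.1.0-pre5 on. A guard written against
 * 0x10100000 would wrongly put pre4 on the opaque side. */
#define DH_OPAQUE_SINCE 0x10100005UL

static int dh_fields_accessible(unsigned long v)
{
    return v < DH_OPAQUE_SINCE;
}

int main(void)
{
    /* Constructed values for the versions named in this ticket. */
    unsigned long seen[] = { 0x1000205fUL, 0x1000207fUL, 0x10100004UL,
                             0x10100005UL, 0x1010000fUL };
    char buf[32];

    for (size_t i = 0; i < sizeof(seen) / sizeof(seen[0]); i++)
        printf("%-12s dh->p usable: %s\n", ossl_name(seen[i], buf, sizeof(buf)),
               dh_fields_accessible(seen[i]) ? "yes" : "no");
    return 0;
}
```

In real code the same comparison goes into an `#if` on OPENSSL_VERSION_NUMBER, with DH_set0_pqg() on the opaque side of the guard.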

comment:7 Changed 3 years ago by Gobelet@…

  • Resolution fixed deleted
  • Status changed from closed to reopened

comment:8 Changed 3 years ago by mdounin

  • Resolution set to wontfix
  • Status changed from reopened to closed

No, thanks. A similar patch was already rejected internally.

Rationale is as follows:

We've already made changes required to compile with OpenSSL at the point OpenSSL developers declared as "no further API changes". They decided to change API once again - that's their choice, but we have no plans to introduce further changes at least till OpenSSL 1.1.0 is actually released.

Furthermore, this particular place is expected to be removed altogether in upcoming nginx 1.11.x, as using compiled-in DH parameters is considered unsafe now.

comment:9 follow-up: Changed 3 years ago by Gobelet@…

Well, to their defense they did say the "opaque work" would be done at beta 2: http://openssl.org/policies/releasestrat.html
But I understand your rationale too, especially if you plan on removing this whole part anyway!

Keep up the awesome work :-)

comment:10 in reply to: ↑ 9 ; follow-up: Changed 3 years ago by mdounin

Replying to Gobelet@…:

Well, to their defense they did say the "opaque work" would be done at beta 2: http://openssl.org/policies/releasestrat.html

Beta 1 was released on 16-Mar-2016, and the page you are referring to was changed almost a month later, on 9 Apr. Before that change, "opaque work" was expected to be already complete as Beta 1 was already released. And for more fun you may want to compare the date of last modification as claimed on the page with the date of the commit in question.

comment:11 in reply to: ↑ 10 Changed 3 years ago by Gobelet@…

Replying to mdounin:

Beta 1 was released on 16-Mar-2016, and the page you are referring to was changed almost a month later, on 9 Apr. Before that change, "opaque work" was expected to be already complete as Beta 1 was already released. And for more fun you may want to compare the date of last modification as claimed on the page with the date of the commit in question.

Wow, that's pretty sneaky, especially for all developers working on porting their code to 1.1.0. I totally get your stand now! Thanks for pointing that out.

comment:12 Changed 3 years ago by rugk@…

In my test nginx 1.11.1 does now compile fine with OpenSSL 1.1.0-pre5.

comment:13 Changed 2 years ago by PunKeel@…

OpenSSL 1.1.0 has been released, and this issue has been fixed by commit af9e72533a69de3b8b7ed59be7be9b37203b5c82
SSL: guarded SSL_R_NO_CIPHERS_PASSED not present in OpenSSL 1.1.0.

(Should be present in 1.11.4)

comment:14 Changed 2 years ago by ctrochalakis@…

Hello,

The new Debian stable (stretch) will ship with OpenSSL 1.1.0, so we are in the
process of building nginx stable (1.10.1) against it.

By backporting the following commits we get a successful build:

SSL: guarded SSL_R_NO_CIPHERS_PASSED not present in OpenSSL 1.1.0. (1891b2892b68)
SSL: removed default DH parameters (1aa9650a8154)
SSL: adopted session ticket handling for OpenSSL 1.1.0. (3eb1a92a2f05)

Do you agree that those commits are enough, or is there something else we need to backport?

Of course, if upstream can backport the OpenSSL 1.1.0 commits to stable-1.10, that would be
more than welcome.

comment:15 Changed 2 years ago by mdounin

The list looks correct to me. Note though that removing default DH is a user-visible change, and it might not be a good idea to do such changes on a stable branch.

comment:16 Changed 2 years ago by mdounin

Just a quick note: nginx 1.10.2 stable version includes changes needed to build it with OpenSSL 1.1.0.

comment:17 Changed 2 years ago by ctrochalakis@…

That's great. Thanks a lot Maxim.
