#860 closed defect (wontfix)
NGINX 1.9.9 fails to build against OpenSSL 1.1.0
Reported by: | Owned by: | ||
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | nginx-core | Version: | 1.9.x |
Keywords: | nginx-1.9.9 openssl-1.1.0 | Cc: | alexey@… |
uname -a: | Linux xxx.xxxxxxx.net 2.6.32-573.8.1.el6.x86_64 #1 SMP Tue Nov 10 18:01:38 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux | ||
nginx -V: |
nginx version: nginx/1.9.9
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC)
built with OpenSSL 1.0.2e 3 Dec 2015
TLS SNI support enabled
configure arguments: --prefix=/usr/local/etc/nginx --with-cc-opt='-I /usr/local/include' --with-ld-opt='-L /usr/local/lib' --conf-path=/usr/local/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --user=apache --group=access --http-client-body-temp-path=/var/nginx/client_body_temp --http-proxy-temp-path=/var/nginx/proxy_temp --http-fastcgi-temp-path=/var/nginx/fastcgi_temp --http-log-path=/var/log/nginx/access.log --with-http_addition_module --with-http_dav_module --with-http_flv_module --with-http_realip_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-pcre --without-http_autoindex_module --without-http_ssi_module --with-ipv6 --with-cc-opt='-D FD_SETSIZE=32768' --with-http_v2_module --with-openssl=/usr/local/src/nginx-1.9.9/openssl-1.0.2e |
Description
Hello,
Facing an issue with building NGINX 1.9.9 against OpenSSL 1.1.0. i've got the following details:
"./configure" \
    "--prefix=/usr/local/etc/nginx" \
    "--with-cc-opt='-I /usr/local/include'" \
    "--with-ld-opt='-L /usr/local/lib'" \
    "--conf-path=/usr/local/etc/nginx/nginx.conf" \
    "--sbin-path=/usr/local/sbin/nginx" \
    "--pid-path=/var/run/nginx.pid" \
    "--error-log-path=/var/log/nginx/error.log" \
    "--user=apache" \
    "--group=access" \
    "--http-client-body-temp-path=/var/nginx/client_body_temp" \
    "--http-proxy-temp-path=/var/nginx/proxy_temp" \
    "--http-fastcgi-temp-path=/var/nginx/fastcgi_temp" \
    "--http-log-path=/var/log/nginx/access.log" \
    "--with-http_addition_module" \
    "--with-http_dav_module" \
    "--with-http_flv_module" \
    "--with-http_realip_module" \
    "--with-http_ssl_module" \
    "--with-http_stub_status_module" \
    "--with-http_sub_module" \
    "--with-pcre" \
    "--without-http_autoindex_module" \
    "--without-http_ssi_module" \
    "--with-ipv6" \
    "--with-cc-opt='-D FD_SETSIZE=32768'" \
    "--with-http_v2_module" \
    "--with-openssl=/usr/local/src/nginx-1.9.9/openssl-master/"
The final lines are as the following:
make[4]: Leaving directory `/usr/local/src/nginx-1.9.9/openssl-master/engines/ccgost'
make[3]: Leaving directory `/usr/local/src/nginx-1.9.9/openssl-master/engines'
making install in apps...
make[3]: Entering directory `/usr/local/src/nginx-1.9.9/openssl-master/apps'
installing openssl
installing CA.pl
installing tsget
make[3]: Leaving directory `/usr/local/src/nginx-1.9.9/openssl-master/apps'
making install in tools...
make[3]: Entering directory `/usr/local/src/nginx-1.9.9/openssl-master/tools'
make[3]: Leaving directory `/usr/local/src/nginx-1.9.9/openssl-master/tools'
installing libcrypto.a
installing libssl.a
cp libcrypto.pc /usr/local/src/nginx-1.9.9/openssl-master/.openssl/lib/pkgconfig
chmod 644 /usr/local/src/nginx-1.9.9/openssl-master/.openssl/lib/pkgconfig/libcrypto.pc
cp libssl.pc /usr/local/src/nginx-1.9.9/openssl-master/.openssl/lib/pkgconfig
chmod 644 /usr/local/src/nginx-1.9.9/openssl-master/.openssl/lib/pkgconfig/libssl.pc
cp openssl.pc /usr/local/src/nginx-1.9.9/openssl-master/.openssl/lib/pkgconfig
chmod 644 /usr/local/src/nginx-1.9.9/openssl-master/.openssl/lib/pkgconfig/openssl.pc
make[2]: Leaving directory `/usr/local/src/nginx-1.9.9/openssl-master'
cc -c -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g '-D FD_SETSIZE=32768' -I src/core -I src/event -I src/event/modules -I src/os/unix -I /usr/local/src/nginx-1.9.9/openssl-master/.openssl/include -I objs \
    -o objs/src/core/nginx.o \
    src/core/nginx.c
cc1: warnings being treated as errors
src/core/nginx.c: In function 'ngx_show_version_info':
src/core/nginx.c:408: error: implicit declaration of function 'SSLeay'
src/core/nginx.c:408: error: 'SSLEAY_VERSION_NUMBER' undeclared (first use in this function)
src/core/nginx.c:408: error: (Each undeclared identifier is reported only once
src/core/nginx.c:408: error: for each function it appears in.)
src/core/nginx.c:414: error: implicit declaration of function 'SSLeay_version'
src/core/nginx.c:414: error: 'SSLEAY_VERSION' undeclared (first use in this function)
make[1]: *** [objs/src/core/nginx.o] Error 1
make[1]: Leaving directory `/usr/local/src/nginx-1.9.9'
make: *** [build] Error 2
Please let me know how to fix it.
Regards,
Alex.
Attachments (1)
Change History (18)
comment:1 by , 9 years ago
Status: | new → accepted |
---|
follow-up: 3 comment:2 by , 9 years ago
comment:3 by , 9 years ago
Yes, that's expected and clear; I hope it still deserves the nginx developers' attention, as it will be released sooner or later. I just tried to build NGINX with this version of OpenSSL 1.1.0 to get the CHACHA20/POLY1305 ciphers, and had to build it against OpenSSL-1.0.2-chacha, which ended successfully.
comment:4 by , 9 years ago
Component: | documentation → nginx-core |
---|
comment:5 by , 9 years ago
Resolution: | → fixed |
---|---|
Status: | accepted → closed |
A patch series with OpenSSL 1.1.0 support has been committed and will be available as a part of the next nginx release, 1.9.14. See 382fc7069e3a, 978ad80b3732, 9dd43f4ef67e, a57b2b8999e7, c256dfdd469d, ddf761495ce6, 45f2385a47e6, 3b77efe05b92 for details. These changes make nginx buildable with at least OpenSSL 1.1.0-pre4 (aka beta 1).
comment:6 by , 9 years ago
Hello,
Nginx 1.9.15 does not compile with openssl-1.1.0-pre5. They made a few changes (they talk about "opaque work" on their website). As a result, nginx-1.9.15 will not compile anymore:
src/event/ngx_event_openssl.c: In function ‘ngx_ssl_dhparam’:
src/event/ngx_event_openssl.c:954:11: error: dereferencing pointer to incomplete type
         dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
           ^
src/event/ngx_event_openssl.c:955:11: error: dereferencing pointer to incomplete type
         dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
           ^
src/event/ngx_event_openssl.c:957:15: error: dereferencing pointer to incomplete type
         if (dh->p == NULL || dh->g == NULL) {
               ^
src/event/ngx_event_openssl.c:957:32: error: dereferencing pointer to incomplete type
         if (dh->p == NULL || dh->g == NULL) {
                                ^
I fixed it (I believe; at least it compiles, and I took the OpenSSL test source code as an example) by adding
(line 919)
    BIGNUM *p, *g;
Changing lines 954-962 to:
    p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
    g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);

    if ((p == NULL) || (g == NULL) || !DH_set0_pqg(dh, p, NULL, g)) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "BN_bin2bn() failed");
        DH_free(dh);
        BN_free(p);
        BN_free(g);
        return NGX_ERROR;
    }
And adding
    BN_free(p);
    BN_free(g);
underneath DH_free(dh). I have no idea how good or bad my modifications were, but it compiles successfully and seems to work.
by , 9 years ago
Attachment: | nginx-openssl110pre5.patch added |
---|
Patch nginx-1.9.15 to allow compiling with openssl-1.1.0-pre5
comment:7 by , 9 years ago
Resolution: | fixed |
---|---|
Status: | closed → reopened |
comment:8 by , 9 years ago
Resolution: | → wontfix |
---|---|
Status: | reopened → closed |
No, thanks. A similar patch was already rejected internally.
Rationale is as follows:
We've already made changes required to compile with OpenSSL at the point OpenSSL developers declared as "no further API changes". They decided to change API once again - that's their choice, but we have no plans to introduce further changes at least till OpenSSL 1.1.0 is actually released.
Furthermore, this particular place is expected to be removed altogether in upcoming nginx 1.11.x, as using compiled-in DH parameters is considered unsafe now.
follow-up: 10 comment:9 by , 9 years ago
Well, in their defense, they did say the "opaque work" would be done at beta 2: http://openssl.org/policies/releasestrat.html
But I understand your rationale too, especially if you plan on removing this whole part anyway!
Keep up the awesome work :-)
follow-up: 11 comment:10 by , 9 years ago
Replying to Gobelet@…:
> Well, in their defense, they did say the "opaque work" would be done at beta 2: http://openssl.org/policies/releasestrat.html
Beta 1 was released on 16-Mar-2016, and the page you are referring to was changed almost a month later, on 9 Apr. Before that change, "opaque work" was expected to be already complete, as Beta 1 was already released. And for more fun you may want to compare the date of last modification as claimed on the page with the date of the commit in question.
comment:11 by , 9 years ago
Replying to mdounin:
> Beta 1 was released on 16-Mar-2016, and the page you are referring to was changed almost a month later, on 9 Apr. Before that change, "opaque work" was expected to be already complete, as Beta 1 was already released. And for more fun you may want to compare the date of last modification as claimed on the page with the date of the commit in question.
Wow, that's pretty sneaky, especially for all developers working on porting their code to 1.1.0. I totally get your stand now! Thanks for pointing that out.
comment:13 by , 8 years ago
OpenSSL 1.1.0 has been released, and this issue has been fixed by commit af9e72533a69de3b8b7ed59be7be9b37203b5c82
SSL: guarded SSL_R_NO_CIPHERS_PASSED not present in OpenSSL 1.1.0.
(Should be present in 1.11.4)
comment:14 by , 8 years ago
Hello,
The new Debian stable (stretch) will ship with OpenSSL 1.1.0, so we are in the process of building nginx stable (1.10.1) against it.
By backporting the following commits we get a successful build:
SSL: guarded SSL_R_NO_CIPHERS_PASSED not present in OpenSSL 1.1.0. (1891b2892b68)
SSL: removed default DH parameters (1aa9650a8154)
SSL: adopted session ticket handling for OpenSSL 1.1.0. (3eb1a92a2f05)
Do you agree that those commits are enough, or is there something else we need to backport?
Of course, if upstream can backport the OpenSSL 1.1.0 commits to stable-1.10, that would be more than welcome.
comment:15 by , 8 years ago
The list looks correct to me. Note though that removing default DH is a user-visible change, and it might not be a good idea to do such changes on a stable branch.
comment:16 by , 8 years ago
Just a quick note: nginx 1.10.2 stable version includes changes needed to build it with OpenSSL 1.1.0.
Note that OpenSSL 1.1.0 isn't yet released. What is available is an alpha version, and it introduces lots of API changes. No surprise that build fails.