Opened 9 years ago

Closed 9 years ago

Last modified 8 years ago

#860 closed defect (wontfix)

NGINX 1.9.9 fails to build against OpenSSL 1.1.0

Reported by: poralix@… Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.9.x
Keywords: nginx-1.9.9 openssl-1.1.0 Cc: alexey@…
uname -a: Linux xxx.xxxxxxx.net 2.6.32-573.8.1.el6.x86_64 #1 SMP Tue Nov 10 18:01:38 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.9.9
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC)
built with OpenSSL 1.0.2e 3 Dec 2015
TLS SNI support enabled
configure arguments: --prefix=/usr/local/etc/nginx --with-cc-opt=''-I /usr/local/include'' --with-ld-opt=''-L /usr/local/lib'' --conf-path=/usr/local/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --user=apache --group=access --http-client-body-temp-path=/var/nginx/client_body_temp --http-proxy-temp-path=/var/nginx/proxy_temp --http-fastcgi-temp-path=/var/nginx/fastcgi_temp --http-log-path=/var/log/nginx/access.log --with-http_addition_module --with-http_dav_module --with-http_flv_module --with-http_realip_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-pcre --without-http_autoindex_module --without-http_ssi_module --with-ipv6 --with-cc-opt=''-D FD_SETSIZE=32768'' --with-http_v2_module --with-openssl=/usr/local/src/nginx-1.9.9/openssl-1.0.2e

Description

Hello,

Facing an issue with building NGINX 1.9.9 against OpenSSL 1.1.0. I've got the following details:

"./configure" \
    "--prefix=/usr/local/etc/nginx" \
    "--with-cc-opt='-I /usr/local/include'" \
    "--with-ld-opt='-L /usr/local/lib'" \
    "--conf-path=/usr/local/etc/nginx/nginx.conf" \
    "--sbin-path=/usr/local/sbin/nginx" \
    "--pid-path=/var/run/nginx.pid" \
    "--error-log-path=/var/log/nginx/error.log" \
    "--user=apache" \
    "--group=access" \
    "--http-client-body-temp-path=/var/nginx/client_body_temp" \
    "--http-proxy-temp-path=/var/nginx/proxy_temp" \
    "--http-fastcgi-temp-path=/var/nginx/fastcgi_temp" \
    "--http-log-path=/var/log/nginx/access.log" \
    "--with-http_addition_module" \
    "--with-http_dav_module" \
    "--with-http_flv_module" \
    "--with-http_realip_module" \
    "--with-http_ssl_module" \
    "--with-http_stub_status_module" \
    "--with-http_sub_module" \
    "--with-pcre" \
    "--without-http_autoindex_module" \
    "--without-http_ssi_module" \
    "--with-ipv6" \
    "--with-cc-opt='-D FD_SETSIZE=32768'" \
    "--with-http_v2_module" \
    "--with-openssl=/usr/local/src/nginx-1.9.9/openssl-master/"

The final lines are as the following:

make[4]: Leaving directory `/usr/local/src/nginx-1.9.9/openssl-master/engines/ccgost'
make[3]: Leaving directory `/usr/local/src/nginx-1.9.9/openssl-master/engines'
making install in apps...
make[3]: Entering directory `/usr/local/src/nginx-1.9.9/openssl-master/apps'
installing openssl
installing CA.pl
installing tsget
make[3]: Leaving directory `/usr/local/src/nginx-1.9.9/openssl-master/apps'
making install in tools...
make[3]: Entering directory `/usr/local/src/nginx-1.9.9/openssl-master/tools'
make[3]: Leaving directory `/usr/local/src/nginx-1.9.9/openssl-master/tools'
installing libcrypto.a
installing libssl.a
cp libcrypto.pc /usr/local/src/nginx-1.9.9/openssl-master/.openssl/lib/pkgconfig
chmod 644 /usr/local/src/nginx-1.9.9/openssl-master/.openssl/lib/pkgconfig/libcrypto.pc
cp libssl.pc /usr/local/src/nginx-1.9.9/openssl-master/.openssl/lib/pkgconfig
chmod 644 /usr/local/src/nginx-1.9.9/openssl-master/.openssl/lib/pkgconfig/libssl.pc
cp openssl.pc /usr/local/src/nginx-1.9.9/openssl-master/.openssl/lib/pkgconfig
chmod 644 /usr/local/src/nginx-1.9.9/openssl-master/.openssl/lib/pkgconfig/openssl.pc
make[2]: Leaving directory `/usr/local/src/nginx-1.9.9/openssl-master'
cc -c -pipe  -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g '-D FD_SETSIZE=32768' -I src/core -I src/event -I src/event/modules -I src/os/unix -I /usr/local/src/nginx-1.9.9/openssl-master/.openssl/include -I objs \
                -o objs/src/core/nginx.o \
                src/core/nginx.c
cc1: warnings being treated as errors
src/core/nginx.c: In function 'ngx_show_version_info':
src/core/nginx.c:408: error: implicit declaration of function 'SSLeay'
src/core/nginx.c:408: error: 'SSLEAY_VERSION_NUMBER' undeclared (first use in this function)
src/core/nginx.c:408: error: (Each undeclared identifier is reported only once
src/core/nginx.c:408: error: for each function it appears in.)
src/core/nginx.c:414: error: implicit declaration of function 'SSLeay_version'
src/core/nginx.c:414: error: 'SSLEAY_VERSION' undeclared (first use in this function)
make[1]: *** [objs/src/core/nginx.o] Error 1
make[1]: Leaving directory `/usr/local/src/nginx-1.9.9'
make: *** [build] Error 2

Please let me know how to fix it.

Regards,
Alex.

Attachments (1)

nginx-openssl110pre5.patch (1.3 KB ) - added by Gobelet@… 9 years ago.
Patch nginx-1.9.15 to allow compiling with openssl-1.1.0-pre5


Change History (18)

comment:1 by Sergey Kandaurov, 9 years ago

Status: new → accepted

comment:2 by Maxim Dounin, 9 years ago

Note that OpenSSL 1.1.0 isn't yet released. What is available is an alpha version, and it introduces lots of API changes. No surprise that build fails.

in reply to: 2; comment:3 by poralix@…, 9 years ago

Yes, that's expected and clear; I hope it still deserves the nginx developers' attention, as it will be released sooner or later. I just tried to build NGINX with this version of OpenSSL 1.1.0 to get the CHACHA20/POLY1305 ciphers, and had to build it against OpenSSL-1.0.2-chacha instead, which ended successfully.

comment:4 by Maxim Dounin, 9 years ago

Component: documentation → nginx-core

comment:5 by Maxim Dounin, 9 years ago

Resolution: fixed
Status: accepted → closed

A patch series with OpenSSL 1.1.0 support has been committed and will be available as a part of the next nginx release, 1.9.14. See 382fc7069e3a, 978ad80b3732, 9dd43f4ef67e, a57b2b8999e7, c256dfdd469d, ddf761495ce6, 45f2385a47e6, 3b77efe05b92 for details. These changes make nginx buildable with at least OpenSSL 1.1.0-pre4 (aka beta 1).

comment:6 by Gobelet@…, 9 years ago

Hello,

Nginx 1.9.15 does not compile with openssl-1.1.0-pre5. They made a few changes (they talk about "opaque work" on their website). As a result, nginx-1.9.15 will not compile anymore:

src/event/ngx_event_openssl.c: In function ‘ngx_ssl_dhparam’:
src/event/ngx_event_openssl.c:954:11: error: dereferencing pointer to incomplete type
         dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
           ^
src/event/ngx_event_openssl.c:955:11: error: dereferencing pointer to incomplete type
         dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
           ^
src/event/ngx_event_openssl.c:957:15: error: dereferencing pointer to incomplete type
         if (dh->p == NULL || dh->g == NULL) {
               ^
src/event/ngx_event_openssl.c:957:32: error: dereferencing pointer to incomplete type
         if (dh->p == NULL || dh->g == NULL) {
                                ^

I fixed it (I believe; at least it compiles, and I took the OpenSSL test source code as an example) by adding
(Line 919)

    BIGNUM *p, *g;    /* was declared as "*p, *q" but the code below uses g */

Changing lines 954-962 to:

        p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
        g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);

        if ((p == NULL) || (g == NULL) || !DH_set0_pqg(dh, p, NULL, g)) {
            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "BN_bin2bn() failed");
            DH_free(dh);
            BN_free(p);
            BN_free(g);
            return NGX_ERROR;
        }

And adding

    BN_free(p);
    BN_free(g);    /* after a successful DH_set0_pqg() the DH object owns p and g and DH_free(dh) releases them, so freeing them again here is a double free */

underneath DH_free(dh). I have no idea how good or bad my modifications were, but it compiles successfully and seems to work.

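DH_set0_pqg() transfers ownership of p and g to the DH object, so the patch above frees them exactly once only on the error path; on the success path DH_free(dh) already releases them. The following is an added example, not nginx or OpenSSL code: it rewrites the comment 6 hunk with correct ownership and uses a small stand-in for the BIGNUM/DH API (same contract as OpenSSL 1.1.0's DH_set0_pqg(), with an allocation counter) so it runs without libcrypto.

```c
#include <stdlib.h>

static int live_allocs;   /* counts live objects: catches leaks and double frees */

typedef struct { unsigned char v[8]; } BIGNUM;  /* stand-in, not OpenSSL's BIGNUM */
typedef struct { BIGNUM *p, *q, *g; } DH;       /* opaque in OpenSSL 1.1.0 */

static BIGNUM *bn_bin2bn(const unsigned char *s, int len) {
    if (s == NULL || len <= 0 || len > 8) return NULL;
    BIGNUM *b = calloc(1, sizeof(*b));
    if (b == NULL) return NULL;
    for (int i = 0; i < len; i++) b->v[i] = s[i];
    live_allocs++;
    return b;
}
static void bn_free(BIGNUM *b) { if (b) { live_allocs--; free(b); } }
static DH *dh_new(void) { DH *d = calloc(1, sizeof(*d)); if (d) live_allocs++; return d; }
static void dh_free(DH *d) {
    if (d) { bn_free(d->p); bn_free(d->q); bn_free(d->g); live_allocs--; free(d); }
}
/* Same contract as DH_set0_pqg(): q may be NULL; fails and takes nothing if p or g
 * would end up NULL; on success the DH owns the values and dh_free() releases them. */
static int dh_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) {
    if ((dh->p == NULL && p == NULL) || (dh->g == NULL && g == NULL)) return 0;
    if (p) { bn_free(dh->p); dh->p = p; }
    if (q) { bn_free(dh->q); dh->q = q; }
    if (g) { bn_free(dh->g); dh->g = g; }
    return 1;
}

/* The ngx_ssl_dhparam() hunk from comment 6 with correct ownership:
 * returns 0 on success, -1 on error; p and g are freed exactly once. */
int load_dh_params(const unsigned char *pbin, int plen,
                   const unsigned char *gbin, int glen) {
    DH *dh = dh_new();
    if (dh == NULL) return -1;
    BIGNUM *p = bn_bin2bn(pbin, plen);
    BIGNUM *g = bn_bin2bn(gbin, glen);
    if (p == NULL || g == NULL || !dh_set0_pqg(dh, p, NULL, g)) {
        bn_free(p);   /* set0 did not take them, so they are still ours */
        bn_free(g);
        dh_free(dh);
        return -1;
    }
    /* SSL_CTX_set_tmp_dh(ssl->ctx, dh) would go here; the context keeps its own copy */
    dh_free(dh);      /* frees p and g as well: a BN_free() here would double-free */
    return 0;
}
int outstanding_allocs(void) { return live_allocs; }
```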

by Gobelet@…, 9 years ago

Attachment: nginx-openssl110pre5.patch added

Patch nginx-1.9.15 to allow compiling with openssl-1.1.0-pre5

comment:7 by Gobelet@…, 9 years ago

Resolution: fixed
Status: closed → reopened

comment:8 by Maxim Dounin, 9 years ago

Resolution: wontfix
Status: reopened → closed

No, thanks. A similar patch was already rejected internally.

The rationale is as follows:

We've already made changes required to compile with OpenSSL at the point OpenSSL developers declared as "no further API changes". They decided to change API once again - that's their choice, but we have no plans to introduce further changes at least till OpenSSL 1.1.0 is actually released.

Furthermore, this particular place is expected to be removed altogether in upcoming nginx 1.11.x, as using compiled-in DH parameters is considered unsafe now.

comment:9 by Gobelet@…, 9 years ago

Well, to their defense they did say the "opaque work" would be done at beta 2: http://openssl.org/policies/releasestrat.html
But I understand your rationale too, especially if you plan on removing this whole part anyway!

Keep up the awesome work :-)

in reply to: 9; comment:10 by Maxim Dounin, 9 years ago

Replying to Gobelet@…:

Well, to their defense they did say the "opaque work" would be done at beta 2: http://openssl.org/policies/releasestrat.html

Beta 1 was released at 16-Mar-2016, and the page you are referring to was changed almost a month later, at 9 Apr. Before that change, "opaque work" was expected to be already complete as Beta 1 was already released. And for more fun you may want to compare the date of last modification as claimed on the page with the date of the commit in question.

in reply to: 10; comment:11 by Gobelet@…, 9 years ago

Replying to mdounin:

Beta 1 was released at 16-Mar-2016, and the page you are referring to was changed almost a month later, at 9 Apr. Before that change, "opaque work" was expected to be already complete as Beta 1 was already released. And for more fun you may want to compare the date of last modification as claimed on the page with the date of the commit in question.

Wow, that's pretty sneaky, especially for all developers working on porting their code to 1.1.0. I totally get your stand now! Thanks for pointing that out.

comment:12 by rugk@…, 8 years ago

In my test nginx 1.11.1 does now compile fine with OpenSSL 1.1.0-pre5.

comment:13 by PunKeel@…, 8 years ago

OpenSSL 1.1.0 has been released, and this issue has been fixed by commit af9e72533a69de3b8b7ed59be7be9b37203b5c82
SSL: guarded SSL_R_NO_CIPHERS_PASSED not present in OpenSSL 1.1.0.


(Should be present in 1.11.4)

comment:14 by ctrochalakis@…, 8 years ago

Hello,

The new Debian stable (stretch) will ship with OpenSSL 1.1.0, so we are in the process of building nginx stable (1.10.1) against it.

By backporting the following commits we get a successful build:

SSL: guarded SSL_R_NO_CIPHERS_PASSED not present in OpenSSL 1.1.0. (1891b2892b68)
SSL: removed default DH parameters (1aa9650a8154)
SSL: adopted session ticket handling for OpenSSL 1.1.0. (3eb1a92a2f05)

Do you agree that those commits are enough, or is there something else we need to backport?

Of course, if upstream could backport the OpenSSL 1.1.0 commits to stable-1.10, that would be more than welcome.

comment:15 by Maxim Dounin, 8 years ago

The list looks correct to me. Note though that removing default DH is a user-visible change, and it might not be a good idea to do such changes on a stable branch.

comment:16 by Maxim Dounin, 8 years ago

Just a quick note: nginx 1.10.2 stable version includes changes needed to build it with OpenSSL 1.1.0.

comment:17 by ctrochalakis@…, 8 years ago

That's great. Thanks a lot Maxim.
