NGINX 1.9.9 fails to build against OpenSSL 1.1.0

[poralix@…]

Hello,

Facing an issue with building NGINX 1.9.9 against OpenSSL 1.1.0. i've got the following details:

"./configure" \
    "--prefix=/usr/local/etc/nginx" \
    "--with-cc-opt='-I /usr/local/include'" \
    "--with-ld-opt='-L /usr/local/lib'" \
    "--conf-path=/usr/local/etc/nginx/nginx.conf" \
    "--sbin-path=/usr/local/sbin/nginx" \
    "--pid-path=/var/run/nginx.pid" \
    "--error-log-path=/var/log/nginx/error.log" \
    "--user=apache" \
    "--group=access" \
    "--http-client-body-temp-path=/var/nginx/client_body_temp" \
    "--http-proxy-temp-path=/var/nginx/proxy_temp" \
    "--http-fastcgi-temp-path=/var/nginx/fastcgi_temp" \
    "--http-log-path=/var/log/nginx/access.log" \
    "--with-http_addition_module" \
    "--with-http_dav_module" \
    "--with-http_flv_module" \
    "--with-http_realip_module" \
    "--with-http_ssl_module" \
    "--with-http_stub_status_module" \
    "--with-http_sub_module" \
    "--with-pcre" \
    "--without-http_autoindex_module" \
    "--without-http_ssi_module" \
    "--with-ipv6" \
    "--with-cc-opt='-D FD_SETSIZE=32768'" \
    "--with-http_v2_module" \
    "--with-openssl=/usr/local/src/nginx-1.9.9/openssl-master/"

The final lines are as the following:

make[4]: Leaving directory `/usr/local/src/nginx-1.9.9/openssl-master/engines/ccgost'
make[3]: Leaving directory `/usr/local/src/nginx-1.9.9/openssl-master/engines'
making install in apps...
make[3]: Entering directory `/usr/local/src/nginx-1.9.9/openssl-master/apps'
installing openssl
installing CA.pl
installing tsget
make[3]: Leaving directory `/usr/local/src/nginx-1.9.9/openssl-master/apps'
making install in tools...
make[3]: Entering directory `/usr/local/src/nginx-1.9.9/openssl-master/tools'
make[3]: Leaving directory `/usr/local/src/nginx-1.9.9/openssl-master/tools'
installing libcrypto.a
installing libssl.a
cp libcrypto.pc /usr/local/src/nginx-1.9.9/openssl-master/.openssl/lib/pkgconfig
chmod 644 /usr/local/src/nginx-1.9.9/openssl-master/.openssl/lib/pkgconfig/libcrypto.pc
cp libssl.pc /usr/local/src/nginx-1.9.9/openssl-master/.openssl/lib/pkgconfig
chmod 644 /usr/local/src/nginx-1.9.9/openssl-master/.openssl/lib/pkgconfig/libssl.pc
cp openssl.pc /usr/local/src/nginx-1.9.9/openssl-master/.openssl/lib/pkgconfig
chmod 644 /usr/local/src/nginx-1.9.9/openssl-master/.openssl/lib/pkgconfig/openssl.pc
make[2]: Leaving directory `/usr/local/src/nginx-1.9.9/openssl-master'
cc -c -pipe  -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g '-D FD_SETSIZE=32768' -I src/core -I src/event -I src/event/modules -I src/os/unix -I /usr/local/src/nginx-1.9.9/openssl-master/.openssl/include -I objs \
                -o objs/src/core/nginx.o \
                src/core/nginx.c
cc1: warnings being treated as errors
src/core/nginx.c: In function 'ngx_show_version_info':
src/core/nginx.c:408: error: implicit declaration of function 'SSLeay'
src/core/nginx.c:408: error: 'SSLEAY_VERSION_NUMBER' undeclared (first use in this function)
src/core/nginx.c:408: error: (Each undeclared identifier is reported only once
src/core/nginx.c:408: error: for each function it appears in.)
src/core/nginx.c:414: error: implicit declaration of function 'SSLeay_version'
src/core/nginx.c:414: error: 'SSLEAY_VERSION' undeclared (first use in this function)
make[1]: *** [objs/src/core/nginx.o] Error 1
make[1]: Leaving directory `/usr/local/src/nginx-1.9.9'
make: *** [build] Error 2

Please let me know how to fix it.

Regards,
Alex.

[Maxim Dounin]

Note that OpenSSL 1.1.0 isn't yet released. What is available is an alpha version, and it introduces lots of API changes. No surprise that build fails.

[poralix@…]

Yes, that's expected and clear, I hope it still deserves the nginx developers attention. As it will come released sooner or later. Just tried to build NGINX with this version of OpenSSL 1.1.0 to get CHACHA20/POLY1305 ciphers and had to build it against OpenSSL-1.0.2-chacha, and ended successfully.

[Maxim Dounin]

A patch series with OpenSSL 1.1.0 support has been committed and will be available as a part of the next nginx release, 1.9.14. See 382fc7069e3a, 978ad80b3732, 9dd43f4ef67e, a57b2b8999e7, c256dfdd469d, ddf761495ce6, 45f2385a47e6, 3b77efe05b92 for details. These changes make nginx buildable with at least OpenSSL 1.1.0-pre4 (aka beta 1).

[Gobelet@…]

Hello,

Nginx 1.9.15 does not compile with openssl-1.1.0-pre5. They made a few changes (they talk about opaque work on their website). As a result, nginx-1.9.15 will not compile anymore :

src/event/ngx_event_openssl.c: In function ‘ngx_ssl_dhparam’:
src/event/ngx_event_openssl.c:954:11: error: dereferencing pointer to incomplete type
         dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
           ^
src/event/ngx_event_openssl.c:955:11: error: dereferencing pointer to incomplete type
         dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
           ^
src/event/ngx_event_openssl.c:957:15: error: dereferencing pointer to incomplete type
         if (dh->p == NULL || dh->g == NULL) {
               ^
src/event/ngx_event_openssl.c:957:32: error: dereferencing pointer to incomplete type
         if (dh->p == NULL || dh->g == NULL) {
                                ^

I fixed it (I believe - at least it compiles and I took example in the OpenSSL tests source code) with the patch underneath. I have no idea how good or bad my modifications were, but it compiles successfully and seems to work.

I made it so that it still compiles with versions prior to openssl-1.1.0-pre5, and compiled successfully with openssl-1.0.2g and openssl-1.1.0-pre5. Use at your own risk, I'm just a tinkerer!

[Gobelet@…]

Patch nginx-1.9.15 to allow compiling with openssl-1.1.0-pre5

[Maxim Dounin]

No, thanks. Similar patch was already rejected internally.

Rationale is as follows:

We've already made changes required to compile with OpenSSL at the point OpenSSL developers declared as "no further API changes". They decided to change API once again - that's their choice, but we have no plans to introduce further changes at least till OpenSSL 1.1.0 is actually released.

Furthermore, this particular place is expected to be removed altogether in upcoming nginx 1.11.x, as using compiled-in DH parameters is considered unsafe now.

[Gobelet@…]

Well, to their defense they did say the "opaque work" would be done at beta 2: ​http://openssl.org/policies/releasestrat.html
But I understand your rationale too, especially if you plan on removing this whole part anyway!

Keep up the awesome work :-)

[Maxim Dounin]

Replying to Gobelet@…:

Well, to their defense they did say the "opaque work" would be done at beta 2: ​http://openssl.org/policies/releasestrat.html

Beta 1 was released at 16-Mar-2016, and the page you are referring to was changed ​almost a month later, at 9 Apr. Before that change, "opaque work" was expected to be already complete as Beta 1 was already released. And for more fun you may want to compare the date of last modification as claimed on the page with the date of the commit in question.

[Gobelet@…]

Replying to mdounin:

Beta 1 was released at 16-Mar-2016, and the page you are referring to was changed ​almost a month later, at 9 Apr. Before that change, "opaque work" was expected to be already complete as Beta 1 was already released. And for more fun you may want to compare the date of last modification as claimed on the page with the date of the commit in question.

Wow, that's pretty sneaky, especially for all developers working on porting their code to 1.1.0. I totally get your stand now! Thanks for pointing that out.

[rugk@…]

In my test nginx 1.11.1 does now compile fine with OpenSSL 1.1.0-pre5.

[PunKeel@…]

OpenSSL 1.1.0 has been released, and this issue has been fixed by commit af9e72533a69de3b8b7ed59be7be9b37203b5c82
SSL: guarded SSL_R_NO_CIPHERS_PASSED not present in OpenSSL 1.1.0.

​View on GitHub

(Should be present in 1.11.4)

[ctrochalakis@…]

Hello,

The new Debian stable (stretch) will ship with OpenSSL 1.1.0, so are in the
process of building nginx stable (1.10.1) against it.

By backporting the following commits we get a sucessful build:

SSL: guarded SSL_R_NO_CIPHERS_PASSED not present in OpenSSL 1.1.0. (1891b2892b68)
SSL: removed default DH parameters (1aa9650a8154)
SSL: adopted session ticket handling for OpenSSL 1.1.0. (3eb1a92a2f05)

Do you agree that those commits are enough, or is there something else we need to backport?

Ofcourse if upstream can backport the OpenSSL 1.1.0 commits to stable-1.10 would be
more than welcome.

[Maxim Dounin]

The list looks correct to me. Note though that removing default DH is a user-visible change, and it might not be a good idea to do such changes on a stable branch.

[Maxim Dounin]

Just a quick note: nginx 1.10.2 stable version includes changes needed to build it with OpenSSL 1.1.0.

[ctrochalakis@…]

That's great. Thanks a lot Maxim.