Bug#828453: nginx: FTBFS with openssl 1.1.0

Sat, 29 Oct 2016 01:09:35 -0700 

On Tue, Oct 11, 2016 at 10:41:01AM +0300, Christos Trochalakis wrote:

On Fri, Sep 02, 2016 at 10:52:15PM +0200, Kurt Roeckx wrote:

Hi,

It seems the version in experimental needs this patch to build
nginx itself:
http://hg.nginx.org/nginx/rev/1891b2892b68

You might also want this one:
http://hg.nginx.org/nginx/rev/3eb1a92a2f05

But then there some files in debian/modules that have minor
problems.

For nginx-lua see:
https://github.com/openresty/lua-nginx-module/pull/761

nginx-upstream-fair also has a problem with the reference
counters.


Kurt



To recap, the following patches are needed to compile nginx stable (1.10.1) 
against
OpenSSL 1.1.0, note that the situation is a bit different than experimental, we 
build
1.11.x releases there.:

nginx: backport "SSL: adopted session ticket handling for OpenSSL 1.1.0." 
(3eb1a92a2f05)
nginx: backport "SSL: guarded SSL_R_NO_CIPHERS_PASSED not present in OpenSSL 
1.1.0." (1891b2892b68)
upstream-fair: https://github.com/gnosek/nginx-upstream-fair/pull/22 (not 
merged upstream)
nginx-lua: https://github.com/openresty/lua-nginx-module/pull/761 (not merged 
upstream)

We should also fix ngx_ssl_dhparam() by either:

nginx: backport "SSL: removed default DH parameters" (1aa9650a8154)
or
by applying the user patch
https://trac.nginx.org/nginx/attachment/ticket/860/nginx-openssl110pre5.patch
which is less intrusive and is what a user expects from nginx 1.10 (1.11
dropped default DH params). See also my latest comment (#14) & reply on
https://trac.nginx.org/nginx/attachment/ticket/860.

Pending
=======

Lua v0.10.6 introduces a new regression as reported in:
https://github.com/openresty/lua-nginx-module/issues/757#issuecomment-247567447

Kurt, can you evaluate the patch regarding ngx_ssl_dhparam and help us with the
lua v0.10.6 issue?


We have some good news, nginx 1.10.2 includes all the changes needed for
building against OpenSSL 1.1.0.

Modules:
upstream-fair: https://github.com/gnosek/nginx-upstream-fair/pull/22
nginx-lua: https://github.com/openresty/lua-nginx-module/pull/761 +
https://github.com/wikimedia/operations-software-nginx/commit/e6785d912c992cae676593a8bd266e8c486b098d

I am not sure if the first lua patch is safe (regarding the
"ssl_conn->tlsext_status_expected = 1;" removal).

I have forced-pushed a new stretch-openssl-1.1 that builds successfully.

Reply via email to