On Sat, Oct 29, 2016 at 11:21:05AM +0200, Kurt Roeckx wrote:
On Sat, Oct 29, 2016 at 11:04:33AM +0300, Christos Trochalakis wrote:
On Tue, Oct 11, 2016 at 10:41:01AM +0300, Christos Trochalakis wrote:
> On Fri, Sep 02, 2016 at 10:52:15PM +0200, Kurt Roeckx wrote:
> > Hi,
> >
> > It seems the version in experimental needs this patch to build
> > nginx itself:
> > http://hg.nginx.org/nginx/rev/1891b2892b68
> >
> > You might also want this one:
> > http://hg.nginx.org/nginx/rev/3eb1a92a2f05
> >
> > But then there some files in debian/modules that have minor
> > problems.
> >
> > For nginx-lua see:
> > https://github.com/openresty/lua-nginx-module/pull/761
> >
> > nginx-upstream-fair also has a problem with the reference
> > counters.
> >
> >
> > Kurt
> >
>
> To recap, the following patches are needed to compile nginx stable (1.10.1)
against
> OpenSSL 1.1.0, note that the situation is a bit different than experimental,
we build
> 1.11.x releases there.:
>
> nginx: backport "SSL: adopted session ticket handling for OpenSSL 1.1.0."
(3eb1a92a2f05)
> nginx: backport "SSL: guarded SSL_R_NO_CIPHERS_PASSED not present in OpenSSL
1.1.0." (1891b2892b68)
> upstream-fair: https://github.com/gnosek/nginx-upstream-fair/pull/22 (not
merged upstream)
> nginx-lua: https://github.com/openresty/lua-nginx-module/pull/761 (not merged
upstream)
>
> We should also fix ngx_ssl_dhparam() by either:
>
> nginx: backport "SSL: removed default DH parameters" (1aa9650a8154)
> or
> by applying the user patch
> https://trac.nginx.org/nginx/attachment/ticket/860/nginx-openssl110pre5.patch
> which is less intrusive and is what a user expects from nginx 1.10 (1.11
> dropped default DH params). See also my latest comment (#14) & reply on
> https://trac.nginx.org/nginx/attachment/ticket/860.
>
> Pending
> =======
>
> Lua v0.10.6 introduces a new regression as reported in:
>
https://github.com/openresty/lua-nginx-module/issues/757#issuecomment-247567447
>
> Kurt, can you evaluate the patch regarding ngx_ssl_dhparam and help us with
the
> lua v0.10.6 issue?
We have some good news, nginx 1.10.2 includes all the changes needed for
building against OpenSSL 1.1.0.
Modules:
upstream-fair: https://github.com/gnosek/nginx-upstream-fair/pull/22
nginx-lua: https://github.com/openresty/lua-nginx-module/pull/761 +
https://github.com/wikimedia/operations-software-nginx/commit/e6785d912c992cae676593a8bd266e8c486b098d
I am not sure if the first lua patch is safe (regarding the
"ssl_conn->tlsext_status_expected = 1;" removal).
I have forced-pushed a new stretch-openssl-1.1 that builds successfully.
I had a quick look at the patch from
https://trac.nginx.org/nginx/attachment/ticket/860/nginx-openssl110pre5.patch
Not having seen the full source, I think this is wrong:
DH_free(dh);
+#if OPENSSL_VERSION_NUMBER >= 0x10100005L
+ BN_free(p);
+ BN_free(g);
+#endif
If DH_set0_pqg() has been succesfully called with p and g, dh is
now the owner of those pointers. Calling DH_free(dh) will free
them, and so you'll have a double free.
Kurt
Nginx 1.10.2 included all the patches needed to build against openssl
1.1.0 so we don't need to apply that patch ourselves.
But indeed you are right, upstream dropped this hunk:
http://hg.nginx.org/nginx/rev/131bc715ce87
We now only have to deal with nginx modules patches (lua,
upstream-fair).
