
Nginx - No longer needed workaround for BoringSSL

Discussion in 'Nginx and PHP-FPM news & discussions' started by buik, Aug 23, 2016.

  1. buik

    buik “The best traveler is one without a camera.”

    1,990
    518
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,647
    Local Time:
    11:33 PM
    Edit: Download link is available at the bottom of this topic.

    Created a BoringSSL CentOS 7 patch based on the work of Vince Passay. Compiled Nginx against the BoringSSL git and the Chrome stable BoringSSL git branch this afternoon.

    Please note that: OCSP isn't supported by BoringSSL.

    Last edited: Aug 24, 2016
  2. eva2000

    eva2000 Administrator Staff Member

    53,209
    12,113
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,649
    Local Time:
    7:33 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Very nice, been trying to get BoringSSL to compile properly over the years but always ran into one problem or another LOL

    Looking at my notes from my last attempt 2 weeks ago, the error I got with the 1.11 branch was
    Code (Text):
    make install
    
    cd /svr-setup/boringssl \
    && if [ -f Makefile ]; then make clean; fi \
    && ./config --prefix=/svr-setup/boringssl/.openssl no-shared enable-tlsext \
    && make \
    && make install_sw LIBDIR=lib
    /bin/sh: line 2: ./config: No such file or directory

    But I see a few days ago Nginx did some work: nginx: 3d8be8fb0149
  3. buik
    Patch "3d8be8fb0149" from Nginx won't work (seems work in progress) as it doesn't define the right cipher.

    About the missing ./config.
    The file structure of BoringSSL is different than OpenSSL's,
    therefore the compiler can't find several files.
    Make a symbolic link and it will work.

    I am sending my SRPM in a min.
    Last edited: Aug 24, 2016
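A shell version of that symlink workaround, added here as an example (it is not buik's SRPM or Centmin Mod's own build script): it assumes a cmake build of BoringSSL that leaves the static libraries in build/ssl and build/crypto, an unpacked nginx source tree, and the nginx module list shown, which is an assumption.

```shell
#!/bin/sh
# Added example (not from this thread or Centmin Mod). nginx's --with-openssl=DIR
# expects an OpenSSL tree it can build with ./config, and reads the result from
# DIR/.openssl/{lib/libssl.a,lib/libcrypto.a,include/openssl/*.h}. BoringSSL has
# no ./config (the error quoted earlier in this thread), so build it with cmake
# and expose the output under DIR/.openssl via symlinks. Assumed paths: cmake
# puts the static libraries in build/ssl/libssl.a and build/crypto/libcrypto.a.
set -eu

# Build BoringSSL with cmake (needs cmake, golang and gcc-c++, as listed later
# in this thread for the SRPM).
build_boringssl() {
    bssl=$1
    mkdir -p "$bssl/build"
    (cd "$bssl/build" && cmake .. && make)
}

# Create the .openssl layout. Fails with a message if the libraries are not
# built yet, rather than leaving a half-made tree that configure accepts and
# make then fails on. Safe to re-run.
prep_boringssl_layout() {
    bssl=$1
    for lib in build/ssl/libssl.a build/crypto/libcrypto.a; do
        [ -f "$bssl/$lib" ] || { echo "missing $bssl/$lib, build BoringSSL first" >&2; return 1; }
    done
    mkdir -p "$bssl/.openssl/lib"
    ln -sf ../../build/ssl/libssl.a "$bssl/.openssl/lib/libssl.a"
    ln -sf ../../build/crypto/libcrypto.a "$bssl/.openssl/lib/libcrypto.a"
    rm -f "$bssl/.openssl/include"
    ln -s ../include "$bssl/.openssl/include"
}

# objs/Makefile gets a rule that rebuilds DIR/.openssl/include/openssl/ssl.h
# with ./config whenever the header is older than objs/Makefile. Touching it
# after configure makes it newer, so make never reaches that ./config step.
# -lpthread: BoringSSL's libcrypto uses pthreads, which nginx does not link
# by default; the module list is an assumption.
configure_nginx() {
    nginx_src=$1; bssl=$2
    (cd "$nginx_src" && ./configure --with-openssl="$bssl" \
        --with-http_ssl_module --with-http_v2_module --with-ld-opt="-lpthread")
    touch "$bssl/.openssl/include/openssl/ssl.h"
}

# Usage (not run here):
#   build_boringssl /svr-setup/boringssl
#   prep_boringssl_layout /svr-setup/boringssl
#   configure_nginx /svr-setup/nginx-1.11.3 /svr-setup/boringssl
#   make -C /svr-setup/nginx-1.11.3
```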
  4. buik
    Is there a feature on the forum in order to attach files?
  5. eva2000
  6. buik
    - Download link below -

    This “source RPM” (or SRPM) file contains the source
    code plus build .SPEC and can be used to (re)produce a package exactly as the source.

    This SRPM package is provided "AS IS".
    Purpose: compiling Nginx with BoringSSL.

    This SRPM is not signed with a Product Signing (GPG) Key.
    This SRPM is created on a CentOS 7 based host.

    Build requirements, or rather dependencies, may not be entirely
    represented in the .SPEC or on your build system.
    If necessary, you should install the required build packages.

    For example, build essentials like "rpm-build"
    should be installed to build RPM based packages in general.

    Furthermore, specific to Nginx and BoringSSL, "golang", "cmake", "gcc-c++",
    "openssl-devel", "zlib-devel" and "pcre-devel" are needed.

    The software source is based on vanilla Nginx from Nginx.org
    plus BoringSSL from Google's git (git archive).

    And without extra third-party modules, so that changes to
    both Nginx and BoringSSL are clearly visible.

    Please note that: BoringSSL is in fact OpenSSL 1.0.2 with patches.
    References to OpenSSL 1.0.2 are present in the source.
    For example source-file: "openssl-1.0.2g.tar.gz".

    As written before, OCSP isn't supported by BoringSSL.
    Nginx does support OCSP, so you can configure it in
    your Nginx.conf, but it won't work ("OCSP stapling: No").

    Tested on the basis of the Qualys SSL Lab's guideline.
    A+ obtained with a test site + Nginx compiled with BoringSSL.

    Download Nginx 1.11.3 with BoringSSL

    Nginx version information:
    Last edited: Aug 31, 2016
  7. eva2000
  8. buik
    Great.
    Able to build your own Nginx with BoringSSL now?
  9. eva2000
    Haven't tried yet, will when I have some free time :)
  10. buik
    Hopeful news: BoringSSL could be more or less compatible (out of the box)
    with Nginx in the near future.
    In short: interesting changes lately in Nginx/BoringSSL land.

    After the Nginx commit several days ago, 'no longer needed workaround for BoringSSL', which looks like work in progress.

    Currently a patch is needed to fix 'Declare SSL_R_BLOCK_CIPHER_PAD_IS_WRONG' and 'SSL_R_NO_CIPHERS_SPECIFIED'. And to be able to at least compile BoringSSL against Nginx.

    The BoringSSL team released a patch set (version 4), about 13 hours ago.
    That should fix the above declare and no CIPHER problem.
  11. eva2000
  12. buik
    I hereby confirm that you don't need any specific BoringSSL patch anymore to compile Nginx mainline 1.11.3 against the BoringSSL master code (Change 10446). Don't know when this code is going to be implemented in the stable branches. But the most important thing is good prospects for the near future.

    Code:
    nginx version: nginx/1.11.3
    built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
    built with OpenSSL 1.0.2 (compatible; BoringSSL) (running with BoringSSL)
    TLS SNI support enabled
  13. buik
    Last edited: Aug 31, 2016
  14. buik
    Going to migrate the BoringSSL patches, .SPECs, files in general and download links to git,
    so that it remains clear, ordered and stays online (ufile, which is used now, is temporary) for everyone.
  15. buik
    Files migrated to GitLab. Project is live, links in the thread are changed.
  16. buik
    P.S. I do have a nice backport patch for Nginx 1.10, interested?
  17. eva2000
    cheers much appreciated :)
    sure.. :D
  18. buik
  19. buik
    @eva2000 been able to compile Nginx against BoringSSL?
  20. eva2000
    Haven't had the time right now, other priorities :)