Nginx Nginx + OpenSSL 3.1 Testing

eva2000 · Mar 29, 2023

OpenSSL 1.1.1 is EOL on September 11, 2023 so just over 6 months to go. OpenSSL 3.1 is next LTS release. So folks can start testing Nginx built against OpenSSL 3.1.0 instead of OpenSSL 1.1.1 using persistent config override variables set in /etc/centminmod/custom_config.inc below:
Code (Text):
OPENSSL_VERSION='3.1.0'   # Use this version of OpenSSL http://openssl.org/
OPENSSL_VERSIONFALLBACK='3.1.0'   # fallback if OPENSSL_VERSION uses openssl 1.1.x branch
OPENSSL_VERSION_OLDOVERRIDE='3.1.0' # override version if persist config OPENSSL_VERSION variable is out of date
Then run centmin.sh menu option 4 to recompile latest Nginx version which is 1.23.4 just released.

nginx -V
nginx version: nginx/1.23.4 (290323-031640-centos7-3635c6c-br-6e975bc)
built by gcc 11.2.1 20220127 (Red Hat 11.2.1-9) (GCC)
built with OpenSSL 3.1.0 14 Mar 2023
TLS SNI support enabled
configure arguments: --with-ld-opt='-Wl,-E -L/usr/local/zlib-cf/lib -L/usr/local/nginx-dep/lib -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/zlib-cf/lib:/usr/local/nginx-dep/lib -fuse-ld=gold' --with-cc-opt='-I/usr/local/zlib-cf/include -I/usr/local/nginx-dep/include -m64 -march=x86-64 -mavx -mavx2 -mpclmul -msse4 -msse4.1 -msse4.2 -falign-functions=32 -g -O3 -fstack-protector-strong -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wno-pointer-sign -Wimplicit-fallthrough=0 -Wno-missing-profile -Wno-implicit-function-declaration -Wno-int-conversion -Wno-unused-result -Wno-unused-result -Wno-vla-parameter -fcode-hoisting -Wp,-D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --build=290323-031640-centos7-3635c6c-br-6e975bc --with-compat --without-pcre2 --with-http_auth_request_module --with-http_stub_status_module --with-http_secure_link_module --with-libatomic --with-http_gzip_static_module --add-dynamic-module=../ngx_brotli --add-dynamic-module=../ngx_http_geoip2_module --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --add-dynamic-module=../njs/nginx --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.2 --add-module=../ngx_cache_purge-2.5.1 --add-dynamic-module=../ngx_devel_kit-0.3.0 --add-dynamic-module=../set-misc-nginx-module-0.32 --add-dynamic-module=../echo-nginx-module-0.62 --add-module=../redis2-nginx-module-0.15 --add-module=../ngx_http_redis-0.4.0-cmm --add-module=../memc-nginx-module-0.19 --add-module=../srcache-nginx-module-0.32 --add-dynamic-module=../headers-more-nginx-module-0.34 --with-pcre-jit --with-zlib=../zlib-cloudflare-1.3.0 --with-http_ssl_module --with-http_v2_module --with-openssl=../openssl-3.1.0
Click to expand...

buik · Mar 29, 2023

eva2000 said: ↑

OpenSSL 1.1.1 is EOL on September 11, 2023 so just over 6 months to go. OpenSSL 3.1 is next LTS release. So folks can start testing Nginx built against OpenSSL 3.1.0 instead of OpenSSL 1.1.1
Click to expand...

I think it would be smart to switch to Red Hat's OpenSSL 1.1.1 with support still available for several years. Just like the Centmin Mod 8 beta case on Red Hat's MariaDB 10.3. Where upstream MariaDB 10.3 support is finite in a month+ but Red Hat still supports it until 2029.

Going back to OpenSSL.
OpenSSL 3.1, is way to fresh and unstable at the moment.

Same goes for the already released Centmin Mod 7.
Red Hat's OpenSSL 1.1.1 is also available for EL7 on EPEL.
So it shouldn't be a problem for EL7 either.

eva2000 · Mar 29, 2023

buik said: ↑

I think it would be smart to switch to Red Hat's OpenSSL 1.1.1 with support still available for several years. Just like the Centmin Mod 8 beta case on Red Hat's MariaDB 10.3. Where upstream MariaDB 10.3 support is finite in a month+ but Red Hat still supports it until 2029.
Click to expand...

For EL8 for sure system OpenSSL 1.1.1 is default so maybe

buik said: ↑

Going back to OpenSSL.
OpenSSL 3.1, is way to fresh and unstable at the moment.

Same goes for the already released Centmin Mod 7.
Red Hat's OpenSSL 1.1.1 is also available for EL7 on EPEL.
So it shouldn't be a problem for EL7 either.
Click to expand...

Yeah haven't looked at that as an option though on EL7

eva2000 · Oct 29, 2023

buik said: ↑

I think it would be smart to switch to Red Hat's OpenSSL 1.1.1 with support still available for several years. Just like the Centmin Mod 8 beta case on Red Hat's MariaDB 10.3. Where upstream MariaDB 10.3 support is finite in a month+ but Red Hat still supports it until 2029.
Click to expand...

Ok added for Nginx to be able to optionally build against system OpenSSL version, meaning Nginx can be built against EL8's OpenSSL 1.1.1k or EL9's OpenSSL 3.0.7 versions now as well https://community.centminmod.com/th...r-nginx-system-openssl-in-130-00beta01.24213/

Was curious about your comment on CentOS 7's OpenSSL 1.1.1 package, but that doesn't seem to have up to date backported security fixes, seems last fix was Feb 19, 2023

On CentOS 7
Code (Text):
repoquery --changelog openssl11
* Sun Feb 19 2023 Robert Scheck <robert@fedoraproject.org> 1.1.1k-5
- backport from 1.1.1k-9: Fixed Timing Oracle in RSA Decryption
  Resolves: CVE-2022-4304
- backport from 1.1.1k-9: Fixed Double free after calling PEM_read_bio_ex
  Resolves: CVE-2022-4450
- backport from 1.1.1k-9: Fixed Use-after-free following BIO_new_NDEF
  Resolves: CVE-2023-0215
- backport from 1.1.1k-9: Fixed X.400 address type confusion in X.509 GeneralName
  Resolves: CVE-2023-0286
- backport from 1.1.1k-8: Fix no-ec build
  Resolves: rhbz#2071020
Though seems that is same as EL8's OpenSSL 1.1.1 package - so I guess it's in sync
Code (Text):
 repoquery --changelog openssl
Last metadata expiration check: 0:00:05 ago on Sun 29 Oct 2023 12:48:52 AM EDT.
Changelog for openssl-1:1.1.1k-9.el8_7.x86_64
* Wed Feb 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-9
- Fixed Timing Oracle in RSA Decryption
  Resolves: CVE-2022-4304
- Fixed Double free after calling PEM_read_bio_ex
  Resolves: CVE-2022-4450
- Fixed Use-after-free following BIO_new_NDEF
  Resolves: CVE-2023-0215
- Fixed X.400 address type confusion in X.509 GeneralName
  Resolves: CVE-2023-0286
but both EL8 system and EPEL7 OpenSSL 1.1.1k are missing newer security fixes since OpenSSL 1.1.1u https://www.openssl.org/news/vulnerabilities-1.1.1.html

Log in / Register

Forums

Want more timely Centmin Mod News Updates?

Nginx Nginx + OpenSSL 3.1 Testing

eva2000 Administrator Staff Member

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Want more timely Centmin Mod News Updates?

Nginx Nginx + OpenSSL 3.1 Testing

eva2000 Administrator Staff Member

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

.