cloudflare / sslconfig

Cloudflare's Internet facing SSL configuration
BSD 3-Clause "New" or "Revised" License

Building nginx 1.11.1 fails #41

Open HepplerDotNet opened 8 years ago

HepplerDotNet commented 8 years ago

Tried to build nginx 1.11.1 and got this error:

src/http/modules/ngx_http_ssl_module.c: In function »ngx_http_ssl_npn_advertised«:
src/http/modules/ngx_http_ssl_module.c:480:5: Error: expected expression before »}« token

Seems something is wrong around nginx__http2_spdy.patch line 231.

HansVanEijsden commented 8 years ago

Hmmmm... an error in NPN. Something tells me it has to do with OpenSSL. OpenSSL supports NPN since version 1.0.2. Please check if you compile nginx with OpenSSL 1.0.2.

I use --with-openssl=/usr/local/src/openssl-1.0.2h --with-openssl-opt="enable-ec_nistp_64_gcc_128 threads".

v998 commented 8 years ago

well.. NPN is supported in OpenSSL since 1.0.1, and ALPN is supported since 1.0.2..

HansVanEijsden commented 8 years ago

@v998 ah, you're right. My mistake, it's early here.. 😉

HepplerDotNet commented 8 years ago

I used OpenSSL 1.0.2g with this:

patch -p1 < openssl__chacha20_poly1305_draft_and_rfc_ossl102g.patch

./config threads shared enable-ec_nistp_64_gcc_128 -Wl,-rpath=/opt/lib -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM

make depend

And then configured nginx after applying nginx__dynamic_tls_records.patch and nginx__http2_spdy.patch

./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-file-aio --with-ipv6 --with-openssl=/opt/lib/openssl-1.0.2h --with-http_v2_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic'

v998 commented 8 years ago

Maybe using Nginx 1.11.1 is the reason for the error... this patch is made for 1.9.7 see comments in https://github.com/cloudflare/sslconfig/commit/e384008e0e0d1fd27f201979d40055a6b4f619e6

HansVanEijsden commented 8 years ago

@v998 that's strange, I use the patch successfully with 1.11.1. Also with openssl__chacha20_poly1305_draft_and_rfc_ossl102g.patch, but with a different way of preparing OpenSSL:

CFLAGS="-O3 -march=native" CXXFLAGS="-O3 -march=native" ./config enable-ec_nistp_64_gcc_128 threads shared zlib-dynamic -m64
make depend

And indeed, also with nginx__dynamic_tls_records.patch and nginx__http2_spdy.patch. So, it should work.

uname -a: Linux vps 4.5.0-0.bpo.2-amd64 #1 SMP Debian 4.5.4-1~bpo8+1 (2016-05-13) x86_64 GNU/Linux

gcc version 4.9.2 (Debian 4.9.2-10).

My complete nginx configure: ./configure --prefix=/opt/nginx --user=www-data --group=www-data --add-module=/usr/local/src/ngx_brotli_module --with-http_spdy_module --with-http_v2_module --with-http_ssl_module --with-openssl=/usr/local/src/openssl-1.0.2h --with-openssl-opt="enable-ec_nistp_64_gcc_128 threads" --with-md5=/usr/local/src/openssl-1.0.2h --with-md5-asm --with-sha1=/usr/local/src/openssl-1.0.2h --with-sha1-asm --with-pcre-jit --with-file-aio --with-http_flv_module --with-http_geoip_module --with-http_mp4_module --with-http_realip_module --with-http_stub_status_module --with-threads --with-ipv6 --add-module=/usr/local/src/headers-more-nginx-module --add-module=/usr/local/src/echo-nginx-module --add-module=/usr/local/src/ngx_http_substitutions_filter_module --add-module=/usr/local/src/srcache-nginx-module --add-module=/usr/local/src/redis2-nginx-module --add-module=/usr/local/src/ngx_http_redis-0.3.8 --add-module=/usr/local/src/ngx_devel_kit --add-module=/usr/local/src/set-misc-nginx-module --with-cc-opt="-DTCP_FASTOPEN=23 -O3 -march=native -flto" --with-ld-opt="-DTCP_FASTOPEN=23 -O3 -march=native -flto"

v998 commented 8 years ago

@PatrickHeppler upload your patched src/http/modules/ngx_http_ssl_module.c

v998 commented 8 years ago

@PatrickHeppler and try add also --with-http_spdy_module to your configure script..

HepplerDotNet commented 8 years ago

I thought SPDY is patched into http2 module so I skipped --with-http_spdy_module. Tried both now and still the same error. Also tried the config of OpenSSL from @HansVanEijsden

HepplerDotNet commented 8 years ago

@v998 here is the ngx_http_ssl_module.c https://gist.github.com/PatrickHeppler/985000fa1f54a6780ad98598020ac3ec

Error says Line 480

HepplerDotNet commented 8 years ago

Just tried the same procedure with nginx 1.9.7 and it works. So the nginx__http2_spdy.patch seems not ready for nginx 1.11.1

uname -a Linux ip-172-31-31-180.eu-west-1.compute.internal 3.10.0-327.18.2.el7.x86_64 #1 SMP Fri Apr 8 05:09:53 EDT 2016 x86_64 x86_64 x86_64 GNU/Linux

HepplerDotNet commented 8 years ago

This patch works: https://gist.github.com/felixbuenemann/44d53b911ebfc2a4ff2b951e49923da8

jamesspi commented 8 years ago

Has a patch been released for 1.11.x by any chance? I'd like to move on from 1.9.15.

Thanks!

HansVanEijsden commented 8 years ago

I use https://raw.githubusercontent.com/felixbuenemann/sslconfig/updated-nginx-1.9.15-spdy-patch/patches/nginx_1_9_15_http2_spdy.patch and it also works on 1.11.3.

But, be careful, as stated by the folks of NGINX:

"Let me explain what cloudflare really did. They took old SPDY module from nginx 1.9.4 that was removed by a good intention and merged it back with all the known problems it had. After nginx 1.9.4 this code was partially rewritten for HTTP/2 and many bugs (including quite serious ones) were fixed in its derivative. These issues remain in the patch since cloudflare haven't changed a line: the code is almost the same as it was right before removing from 1.9.4."

"There are a bunch of known problems with the code you use, some of them can even open a door for DoS attack on your server. Below are the reasons why you probably haven't spotted them yet: The number of clients that use SPDY with the patch (i.e. that support SPDY/3.1, but don't support HTTP/2) is close to zero; There are some issues, but because of lack of suitable monitoring and enough expertise you haven't noticed; You're lucky enough and in your specific configuration it works quite good and nobody tried to attack your server using known problems with the old SPDY module."

Source: https://trac.nginx.org/nginx/ticket/1029
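An added defender-side check, not code from cloudflare/sslconfig or from anyone in this thread: given the text of `nginx -V 2>&1`, it reports whether the build still carries `--with-http_spdy_module` (the re-merged SPDY code the NGINX developers warn about above) and whether the OpenSSL it was built against is 1.0.2 or newer (ALPN, not just NPN). The banners below are constructed samples modelled on the configure lines in the thread.

```shell
# Added example (not from cloudflare/sslconfig or this thread): audit an
# `nginx -V 2>&1` banner for two things discussed above.
#   spdy: build carries --with-http_spdy_module (old SPDY code, known DoS bugs)
#   alpn: built against OpenSSL >= 1.0.2, so ALPN is available (1.0.1 = NPN only)

# Constructed sample banner, modelled on the configure lines in the thread.
SAMPLE_BANNER='nginx version: nginx/1.11.1
built by gcc 4.9.2 (Debian 4.9.2-10)
built with OpenSSL 1.0.2h  3 May 2016
TLS SNI support enabled
configure arguments: --prefix=/opt/nginx --with-http_spdy_module --with-http_v2_module --with-http_ssl_module --with-openssl=/usr/local/src/openssl-1.0.2h'
# Constructed second banner: unpatched build on an older OpenSSL.
OLD_BANNER='nginx version: nginx/1.9.15
built with OpenSSL 1.0.1t  3 May 2016
configure arguments: --with-http_ssl_module --with-http_v2_module'

# Print "major minor patch" of the OpenSSL named in the banner (empty if absent).
openssl_version_of() {
    printf '%s\n' "$1" |
        sed -n 's/^built with OpenSSL \([0-9]*\)\.\([0-9]*\)\.\([0-9]*\).*/\1 \2 \3/p'
}

# 0 if that OpenSSL is >= 1.0.2 (ALPN), 1 otherwise or if no version was found.
has_alpn_openssl() {
    set -- $(openssl_version_of "$1")
    [ -n "$1" ] || return 1
    [ "$1" -gt 1 ] && return 0
    [ "$1" -eq 1 ] && [ "$2" -gt 0 ] && return 0
    [ "$1" -eq 1 ] && [ "$2" -eq 0 ] && [ "$3" -ge 2 ]
}

# 0 if the configure arguments include the SPDY module, 1 otherwise.
has_spdy_module() {
    printf '%s\n' "$1" | grep -q -- '--with-http_spdy_module'
}

# Summarise a banner as "spdy=yes|no alpn=yes|no".
audit_banner() {
    if has_spdy_module "$1"; then spdy=yes; else spdy=no; fi
    if has_alpn_openssl "$1"; then alpn=yes; else alpn=no; fi
    printf 'spdy=%s alpn=%s\n' "$spdy" "$alpn"
}

# Real use: audit_banner "$(nginx -V 2>&1)"
audit_banner "$SAMPLE_BANNER"
```

The "built with OpenSSL" line reflects the headers used at build time; if nginx was linked against a shared libssl, also confirm the library actually loaded at runtime.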