wolfSSL / wolfssl-nginx

Adds wolfSSL support to Nginx.
https://www.wolfssl.com

Can't compile Nginx with new patches 1.24 and 1.25 using WolfSSL 5.6.3 #24

Closed. blunext closed this 8 months ago.

blunext commented 9 months ago

But all of them compile with WolfSSL 5.6.4.

The log:

0.608 --2023-12-07 16:32:31-- https://raw.githubusercontent.com/wolfSSL/wolfssl-nginx/master/nginx-1.25.0-wolfssl.patch
0.636 Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.108.133, 185.199.110.133, 185.199.109.133, ...
0.637 Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
0.755 HTTP request sent, awaiting response... 200 OK
0.814 Length: 9355 (9.1K) [text/plain]
0.815 Saving to: 'nginx-1.25.0-wolfssl.patch'
0.816
0.816 0K ......... 100% 4.43M=0.002s
0.817
0.817 2023-12-07 16:32:31 (4.43 MB/s) - 'nginx-1.25.0-wolfssl.patch' saved [9355/9355]
0.817
0.820 patching file auto/lib/openssl/conf
0.820 patching file auto/options
0.821 patching file src/event/ngx_event_openssl.c
0.823 patching file src/event/ngx_event_openssl.h
0.823 patching file src/http/modules/ngx_http_ssl_module.c
0.824 patching file src/mail/ngx_mail_ssl_module.c
0.825 patching file src/stream/ngx_stream_ssl_module.c
0.892 checking for OS
0.894 + Linux 6.1.57-0-virt x86_64
0.894 checking for C compiler ... found
0.935 + using GNU C compiler
0.937 + gcc version: 12.2.1 20220924 (Alpine 12.2.1_git20220924-r10)
0.938 checking for gcc -pipe switch ... found
0.972 checking for -Wl,-E switch ... found
1.009 checking for gcc builtin atomic operations ... found
1.051 checking for C99 variadic macros ... found
1.094 checking for gcc variadic macros ... found
1.136 checking for gcc builtin 64 bit byteswap ... found
1.176 checking for unistd.h ... found
1.213 checking for inttypes.h ... found
1.251 checking for limits.h ... found
1.287 checking for sys/filio.h ... not found
1.302 checking for sys/param.h ... found
1.340 checking for sys/mount.h ... found
1.379 checking for sys/statvfs.h ... found
1.419 checking for crypt.h ... found
1.458 checking for Linux specific features
1.460 checking for epoll ... found
1.505 checking for EPOLLRDHUP ... found
1.548 checking for EPOLLEXCLUSIVE ... found
1.590 checking for eventfd() ... found
1.633 checking for O_PATH ... found
1.675 checking for sendfile() ... found
1.717 checking for sendfile64() ... found
1.759 checking for sys/prctl.h ... found
1.798 checking for prctl(PR_SET_DUMPABLE) ... found
1.840 checking for prctl(PR_SET_KEEPCAPS) ... found
1.882 checking for capabilities ... found
1.924 checking for crypt_r() ... found
1.964 checking for sys/vfs.h ... found
2.004 checking for BPF sockhash ... found
2.058 checking for SO_COOKIE ... found
2.101 checking for UDP_SEGMENT ... found
2.145 checking for poll() ... found
2.183 checking for /dev/poll ... not found
2.203 checking for kqueue ... not found
2.223 checking for crypt() ... found
2.262 checking for F_READAHEAD ... not found
2.283 checking for posix_fadvise() ... found
2.324 checking for O_DIRECT ... found
2.365 checking for F_NOCACHE ... not found
2.386 checking for directio() ... not found
2.407 checking for statfs() ... found
2.450 checking for statvfs() ... found
2.492 checking for dlopen() ... found
2.532 checking for sched_yield() ... found
2.573 checking for sched_setaffinity() ... found
2.615 checking for SO_SETFIB ... not found
2.636 checking for SO_REUSEPORT ... found
2.675 checking for SO_ACCEPTFILTER ... not found
2.694 checking for SO_BINDANY ... not found
2.715 checking for IP_TRANSPARENT ... found
2.757 checking for IP_BINDANY ... not found
2.780 checking for IP_BIND_ADDRESS_NO_PORT ... found
2.824 checking for IP_RECVDSTADDR ... not found
2.848 checking for IP_SENDSRCADDR ... not found
2.872 checking for IP_PKTINFO ... found
2.917 checking for IPV6_RECVPKTINFO ... found
2.960 checking for IP_MTU_DISCOVER ... found
3.003 checking for IPV6_MTU_DISCOVER ... found
3.047 checking for IP_DONTFRAG ... not found
3.071 checking for IPV6_DONTFRAG ... found
3.114 checking for TCP_DEFER_ACCEPT ... found
3.159 checking for TCP_KEEPIDLE ... found
3.203 checking for TCP_FASTOPEN ... found
3.246 checking for TCP_INFO ... found
3.289 checking for accept4() ... found
3.332 checking for kqueue AIO support ... not found
3.355 checking for Linux AIO support ... found
3.403 checking for int size ... 4 bytes
3.447 checking for long size ... 8 bytes
3.491 checking for long long size ... 8 bytes
3.536 checking for void * size ... 8 bytes
3.580 checking for uint32_t ... found
3.622 checking for uint64_t ... found
3.663 checking for sig_atomic_t ... found
3.704 checking for sig_atomic_t size ... 4 bytes
3.749 checking for socklen_t ... found
3.790 checking for in_addr_t ... found
3.832 checking for in_port_t ... found
3.874 checking for rlim_t ... found
3.915 checking for uintptr_t ... uintptr_t found
3.952 checking for system byte ordering ... little endian
3.988 checking for size_t size ... 8 bytes
4.034 checking for off_t size ... 8 bytes
4.079 checking for time_t size ... 8 bytes
4.126 checking for AF_INET6 ... found
4.168 checking for setproctitle() ... not found
4.211 checking for pread() ... found
4.251 checking for pwrite() ... found
4.291 checking for pwritev() ... found
4.330 checking for strerrordesc_np() ... not found
4.372 checking for sys_nerr ... not found
4.395 checking for _sys_nerr ... not found
4.419 checking for localtime_r() ... found
4.460 checking for clock_gettime(CLOCK_MONOTONIC) ... found
4.502 checking for posix_memalign() ... found
4.544 checking for memalign() ... found
4.585 checking for mmap(MAP_ANON|MAP_SHARED) ... found
4.626 checking for mmap("/dev/zero", MAP_SHARED) ... found
4.669 checking for System V shared memory ... found
4.711 checking for POSIX semaphores ... found
4.754 checking for struct msghdr.msg_control ... found
4.795 checking for ioctl(FIONBIO) ... found
4.837 checking for ioctl(FIONREAD) ... found
4.878 checking for struct tm.tm_gmtoff ... found
4.922 checking for struct dirent.d_namlen ... not found
4.945 checking for struct dirent.d_type ... found
4.988 checking for sysconf(_SC_NPROCESSORS_ONLN) ... found
5.029 checking for sysconf(_SC_LEVEL1_DCACHE_LINESIZE) ... not found
5.053 checking for openat(), fstatat() ... found
5.094 checking for getaddrinfo() ... found
5.179 checking for PCRE2 library ... not found
5.195 checking for PCRE library ... found
5.240 checking for PCRE JIT support ... found
5.286 checking for wolfSSL library in /usr/local ... found
5.405 checking for zlib library ... found
5.452 checking for libxslt ... found
5.539 checking for libexslt ... found
5.613 checking for GD library ... found
5.679 checking for GD WebP support ... found
5.746 checking for GeoIP library ... found
5.793 checking for GeoIP IPv6 support ... found
5.850 creating objs/Makefile
6.356
6.356 Configuration summary
6.356 + using threads
6.356 + using system PCRE library
6.356 + using system OpenSSL library
6.356 + using system zlib library
6.356
6.356 nginx path prefix: "/etc/nginx"
6.356 nginx binary file: "/usr/sbin/nginx"
6.356 nginx modules path: "/usr/lib/nginx/modules"
6.356 nginx configuration prefix: "/etc/nginx"
6.356 nginx configuration file: "/etc/nginx/nginx.conf"
6.356 nginx pid file: "/var/run/nginx.pid"
6.356 nginx error log file: "/var/log/nginx/error.log"
6.357 nginx http access log file: "/var/log/nginx/access.log"
6.357 nginx http client request body temporary files: "/var/cache/nginx/client_temp"
6.357 nginx http proxy temporary files: "/var/cache/nginx/proxy_temp"
6.357 nginx http fastcgi temporary files: "/var/cache/nginx/fastcgi_temp"
6.357 nginx http uwsgi temporary files: "/var/cache/nginx/uwsgi_temp"
6.357 nginx http scgi temporary files: "/var/cache/nginx/scgi_temp"
6.357
6.359 make -f objs/Makefile install
6.371 make[1]: Entering directory '/usr/src/nginx-1.25.0'
6.371 cc -c -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -DWOLFSSL_NGINX -I src/core -I src/event -I src/event/modules -I src/event/quic -I src/os/unix -I /usr/local/include/wolfssl -I /usr/local/include/wolfssl -I /usr/local/include -I /usr/include/libxml2 -I objs \
6.371 -o objs/src/core/nginx.o \
6.371 src/core/nginx.c
6.739 cc -c -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -DWOLFSSL_NGINX -I src/core -I src/event -I src/event/modules -I src/event/quic -I src/os/unix -I /usr/local/include/wolfssl -I /usr/local/include/wolfssl -I /usr/local/include -I /usr/include/libxml2 -I objs \
6.739 -o objs/src/core/ngx_log.o \
6.739 src/core/ngx_log.c
6.980 cc -c -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -DWOLFSSL_NGINX -I src/core -I src/event -I src/event/modules -I src/event/quic -I src/os/unix -I /usr/local/include/wolfssl -I /usr/local/include/wolfssl -I /usr/local/include -I /usr/include/libxml2 -I objs \

...

23.03 -o objs/src/os/unix/ngx_thread_mutex.o \
23.03 src/os/unix/ngx_thread_mutex.c
23.20 cc -c -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -DWOLFSSL_NGINX -I src/core -I src/event -I src/event/modules -I src/event/quic -I src/os/unix -I /usr/local/include/wolfssl -I /usr/local/include/wolfssl -I /usr/local/include -I /usr/include/libxml2 -I objs \
23.20 -o objs/src/os/unix/ngx_thread_id.o \
23.20 src/os/unix/ngx_thread_id.c
23.35 cc -c -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -DWOLFSSL_NGINX -I src/core -I src/event -I src/event/modules -I src/event/quic -I src/os/unix -I /usr/local/include/wolfssl -I /usr/local/include/wolfssl -I /usr/local/include -I /usr/include/libxml2 -I objs \
23.35 -o objs/src/event/ngx_event_openssl.o \
23.35 src/event/ngx_event_openssl.c
23.54 src/event/ngx_event_openssl.c: In function 'ngx_ssl_info_callback':
23.54 src/event/ngx_event_openssl.c:1148:17: error: implicit declaration of function 'SSL_SESSION_set_time'; did you mean 'SSL_SESSION_get_time'? [-Werror=implicit-function-declaration]
23.54  1148 |                 SSL_SESSION_set_time(sess, now);
23.54       |                 ^~~~~~~~~~~~~~~~~~~~
23.54       |                 SSL_SESSION_get_time
23.58 src/event/ngx_event_openssl.c: In function 'ngx_ssl_connection_error':
23.59 src/event/ngx_event_openssl.c:3456:21: error: 'SSL_R_BAD_DIGEST_LENGTH' undeclared (first use in this function); did you mean 'SHA3_512_DIGEST_LENGTH'?
23.59  3456 |             || n == SSL_R_BAD_DIGEST_LENGTH                          /*  111 */
23.59       |                     ^~~~~~~~~~~~~~~~~~~~~~~
23.59       |                     SHA3_512_DIGEST_LENGTH
23.59 src/event/ngx_event_openssl.c:3456:21: note: each undeclared identifier is reported only once for each function it appears in
23.62 src/event/ngx_event_openssl.c:3460:21: error: 'SSL_R_BAD_PACKET_LENGTH' undeclared (first use in this function)
23.62  3460 |             || n == SSL_R_BAD_PACKET_LENGTH                          /*  115 */
23.62       |                     ^~~~~~~~~~~~~~~~~~~~~~~
23.66 src/event/ngx_event_openssl.c:3468:21: error: 'SSL_R_CCS_RECEIVED_EARLY' undeclared (first use in this function)
23.66  3468 |             || n == SSL_R_CCS_RECEIVED_EARLY                         /*  133 */
23.66       |                     ^~~~~~~~~~~~~~~~~~~~~~~~
23.69 src/event/ngx_event_openssl.c:3475:21: error: 'SSL_R_DATA_LENGTH_TOO_LONG' undeclared (first use in this function)
23.69  3475 |             || n == SSL_R_DATA_LENGTH_TOO_LONG                       /*  146 */
23.69       |                     ^~~~~~~~~~~~~~~~~~~~~~~~~~
23.73 src/event/ngx_event_openssl.c:3477:21: error: 'SSL_R_ENCRYPTED_LENGTH_TOO_LONG' undeclared (first use in this function)
23.73  3477 |             || n == SSL_R_ENCRYPTED_LENGTH_TOO_LONG                  /*  150 */
23.73       |                     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
23.76 src/event/ngx_event_openssl.c:3544:21: error: 'SSL_R_BAD_LENGTH' undeclared (first use in this function); did you mean 'SSL_BAD_PATH'?
23.76  3544 |             || n == SSL_R_BAD_LENGTH                                 /*  271 */
23.76       |                     ^~~~~~~~~~~~~~~~
23.76       |                     SSL_BAD_PATH
23.79 cc1: all warnings being treated as errors
23.79 make[1]: Leaving directory '/usr/src/nginx-1.25.0'
23.79 make[1]: *** [objs/Makefile:1014: objs/src/event/ngx_event_openssl.o] Error 1
23.79 make: *** [Makefile:13: install] Error 2

Can you help with this please?

embhorn commented 9 months ago

Hi @blunext

Please try with wolfSSL v5.6.4. Support for Nginx 1.25 was added in this PR: https://github.com/wolfSSL/wolfssl/pull/6515

Thanks, Eric - wolfSSL Support
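A pre-build check that catches this mismatch before `make` does, added here as an illustration and not part of wolfssl-nginx or wolfSSL: it reads `LIBWOLFSSL_VERSION_STRING` from `wolfssl/version.h`, requires at least 5.6.4 (the release named above), and greps the installed headers for every symbol gcc reported as undeclared in the build log. The helper `make_sample_tree` builds a constructed stand-in header tree so the script runs offline; `sort -V` (GNU coreutils or busybox) is assumed.

```shell
# Added pre-build check (not part of wolfssl-nginx): before applying the 1.25
# patch, confirm the wolfSSL headers under an include root export the symbols
# gcc reported as undeclared above and that the version is at least 5.6.4.

REQUIRED_SYMBOLS="SSL_SESSION_set_time SSL_R_BAD_DIGEST_LENGTH
SSL_R_BAD_PACKET_LENGTH SSL_R_CCS_RECEIVED_EARLY SSL_R_DATA_LENGTH_TOO_LONG
SSL_R_ENCRYPTED_LENGTH_TOO_LONG SSL_R_BAD_LENGTH"
MIN_VERSION="5.6.4"

# version_ge A B: succeed when dotted version A >= B (uses sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
}

# wolfssl_version DIR: print LIBWOLFSSL_VERSION_STRING from DIR/wolfssl/version.h.
wolfssl_version() {
    sed -n 's/^#define LIBWOLFSSL_VERSION_STRING "\([^"]*\)".*/\1/p' \
        "$1/wolfssl/version.h" 2>/dev/null
}

# check_wolfssl_headers DIR: DIR is an include root such as /usr/local/include.
# Prints one line per problem and succeeds only when nothing is missing.
check_wolfssl_headers() {
    dir=$1; status=0
    ver=$(wolfssl_version "$dir")
    if ! version_ge "$ver" "$MIN_VERSION"; then
        echo "wolfSSL '$ver' is older than $MIN_VERSION"; status=1
    fi
    for sym in $REQUIRED_SYMBOLS; do
        # -w: whole-word match, so SSL_SESSION_get_time cannot satisfy set_time
        if ! grep -rqw -- "$sym" "$dir/wolfssl"; then
            echo "missing: $sym"; status=1
        fi
    done
    return $status
}

# make_sample_tree VERSION [full]: constructed stand-in for an installed header
# tree. Only the getter is declared unless "full" is given. Prints the path.
make_sample_tree() {
    tmp=$(mktemp -d); mkdir -p "$tmp/wolfssl/openssl"
    printf '#define LIBWOLFSSL_VERSION_STRING "%s"\n' "$1" > "$tmp/wolfssl/version.h"
    echo 'long SSL_SESSION_get_time(const WOLFSSL_SESSION *s);' > "$tmp/wolfssl/openssl/ssl.h"
    if [ "$2" = full ]; then
        for sym in $REQUIRED_SYMBOLS; do echo "#define $sym 1"; done >> "$tmp/wolfssl/openssl/ssl.h"
    fi
    echo "$tmp"
}
```

Against a real install, run `check_wolfssl_headers /usr/local/include` (the prefix nginx's configure reported above) and stop if it prints anything.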

blunext commented 9 months ago

Thank you for the quick response. Does this mean that Nginx v1.24.0 and v1.25.0 are only supported by WolfSSL v5.6.4?

We managed to compile with WolfSSL v5.6.4 and Nginx v1.25.0, but with these versions, we're encountering handshake issues with some older devices that don't send the supported_groups and ec_point_format extensions in the ClientHello message. These devices are able to connect when we use WolfSSL v5.6.3 and Nginx v1.24.6, but I was hoping to upgrade Nginx to the latest possible version.

julek-wolfssl commented 9 months ago

Hi @blunext,

Yes, Nginx versions 1.24.0 and 1.25.0 are only supported from wolfSSL release 5.6.4. Can you explain what exactly the issue is that you are seeing with extensions from older devices?

Juliusz

osevan commented 8 months ago

I have a question: is 0-RTT with QUIC support possible with the latest wolfSSL and nginx?

julek-wolfssl commented 8 months ago

Hi @osevan, wolfSSL does support the QUIC TLS API but we haven't tested it with nginx. We will test it for the next nginx release that we port.

Sincerely, Juliusz

osevan commented 8 months ago

> Hi @osevan, wolfSSL does support the QUIC TLS API but we haven't tested it with nginx. We will test it for the next nginx release that we port. Sincerely Juliusz

We need it as fast as possible :-)

Big thx

julek-wolfssl commented 8 months ago

@osevan please write to us at support@wolfssl.com to submit a feature request and to discuss ways to expedite this.

Sincerely, Juliusz