On Sat, Oct 29, 2016 at 11:04:33AM +0300, Christos Trochalakis wrote:
> On Tue, Oct 11, 2016 at 10:41:01AM +0300, Christos Trochalakis wrote:
> > On Fri, Sep 02, 2016 at 10:52:15PM +0200, Kurt Roeckx wrote:
> > > Hi,
> > >
> > > It seems the version in experimental needs this patch to build
> > > nginx itself:
> > > http://hg.nginx.org/nginx/rev/1891b2892b68
> > >
> > > You might also want this one:
> > > http://hg.nginx.org/nginx/rev/3eb1a92a2f05
> > >
> > > But then there are some files in debian/modules that have minor
> > > problems.
> > >
> > > For nginx-lua see:
> > > https://github.com/openresty/lua-nginx-module/pull/761
> > >
> > > nginx-upstream-fair also has a problem with the reference
> > > counters.
> > >
> > >
> > > Kurt
> > >
> >
> > To recap, the following patches are needed to compile nginx stable (1.10.1)
> > against OpenSSL 1.1.0. Note that the situation is a bit different than
> > experimental, we build 1.11.x releases there.
> >
> > nginx: backport "SSL: adopted session ticket handling for OpenSSL 1.1.0."
> > (3eb1a92a2f05)
> > nginx: backport "SSL: guarded SSL_R_NO_CIPHERS_PASSED not present in
> > OpenSSL 1.1.0." (1891b2892b68)
> > upstream-fair: https://github.com/gnosek/nginx-upstream-fair/pull/22 (not
> > merged upstream)
> > nginx-lua: https://github.com/openresty/lua-nginx-module/pull/761 (not
> > merged upstream)
> >
> > We should also fix ngx_ssl_dhparam() by either:
> >
> > nginx: backport "SSL: removed default DH parameters" (1aa9650a8154)
> > or
> > by applying the user patch
> > https://trac.nginx.org/nginx/attachment/ticket/860/nginx-openssl110pre5.patch
> > which is less intrusive and is what a user expects from nginx 1.10 (1.11
> > dropped default DH params). See also my latest comment (#14) & reply on
> > https://trac.nginx.org/nginx/attachment/ticket/860.
> >
> > Pending
> > =======
> >
> > Lua v0.10.6 introduces a new regression as reported in:
> > https://github.com/openresty/lua-nginx-module/issues/757#issuecomment-247567447
> >
> > Kurt, can you evaluate the patch regarding ngx_ssl_dhparam and help us with
> > the lua v0.10.6 issue?
>
> We have some good news, nginx 1.10.2 includes all the changes needed for
> building against OpenSSL 1.1.0.
>
> Modules:
> upstream-fair: https://github.com/gnosek/nginx-upstream-fair/pull/22
> nginx-lua: https://github.com/openresty/lua-nginx-module/pull/761 +
> https://github.com/wikimedia/operations-software-nginx/commit/e6785d912c992cae676593a8bd266e8c486b098d
>
> I am not sure if the first lua patch is safe (regarding the
> "ssl_conn->tlsext_status_expected = 1;" removal).
>
> I have force-pushed a new stretch-openssl-1.1 that builds successfully.
>
I had a quick look at the patch from
https://trac.nginx.org/nginx/attachment/ticket/860/nginx-openssl110pre5.patch

Not having seen the full source, I think this is wrong:

DH_free(dh); +#if OPENSSL_VERSION_NUMBER >= 0x10100005L + BN_free(p); + BN_free(g); +#endif

If DH_set0_pqg() has been successfully called with p and g, dh is now the
owner of those pointers. Calling DH_free(dh) will free them, and so you'll
have a double free.


Kurt
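Review bot: the `+#if OPENSSL_VERSION_NUMBER >= 0x10100005L` block frees p and g unconditionally after DH_free(dh), but once DH_set0_pqg() has returned success the DH object owns p and g and DH_free(dh) already releases them, so the added `+ BN_free(p);` and `+ BN_free(g);` lines are a double free on the success path. Suggest moving the two BN_free() calls to the path where DH_set0_pqg() fails (the caller still owns p and g there, so they would otherwise leak) and leaving the success path with DH_free(dh) alone. A one-line comment in the patch stating that DH_set0_pqg() leaves ownership with the caller only on failure would document why the two paths differ.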
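The ownership rule Kurt describes, shown as an added stand-alone C model (this is not code from nginx, OpenSSL or the patch). The model_* types and functions are invented stand-ins whose behaviour follows the documented DH_set0_pqg() contract, namely that success transfers p and g to the DH object and failure leaves them with the caller, so the two clean-up orders can be compared by counting frees instead of by triggering undefined behaviour:

```c
/* Added example: NOT code from nginx, OpenSSL or the reviewed patch. It
 * models DH_set0_pqg()/DH_free() just far enough to make the double free
 * observable as a counter. All model_* names are invented for this example. */
#include <stdio.h>

/* Stand-in for BIGNUM: counts "frees" so a double free can be detected. */
typedef struct {
    int free_count;
} model_bn;

/* Stand-in for DH: owns p and g once model_dh_set0_pg() succeeds. */
typedef struct {
    model_bn *p;
    model_bn *g;
} model_dh;

/* Stand-in for BN_free(): tolerates NULL and records the free. */
static void model_bn_free(model_bn *bn)
{
    if (bn != NULL)
        bn->free_count++;
}

/* Stand-in for DH_set0_pqg() with q omitted: like the real function it fails
 * and leaves ownership with the caller when a required value would end up
 * NULL; on success the DH object takes over p and g and frees old values. */
static int model_dh_set0_pg(model_dh *dh, model_bn *p, model_bn *g)
{
    if ((dh->p == NULL && p == NULL) || (dh->g == NULL && g == NULL))
        return 0;
    if (p != NULL) {
        model_bn_free(dh->p);
        dh->p = p;
    }
    if (g != NULL) {
        model_bn_free(dh->g);
        dh->g = g;
    }
    return 1;
}

/* Stand-in for DH_free(): releases whatever the object owns. */
static void model_dh_free(model_dh *dh)
{
    model_bn_free(dh->p);
    model_bn_free(dh->g);
    dh->p = NULL;
    dh->g = NULL;
}

/* Clean-up in the order the reviewed patch uses: BN_free(p)/BN_free(g) run
 * after DH_free(dh) whether or not set0 succeeded. */
static int cleanup_as_in_patch(model_dh *dh, model_bn *p, model_bn *g)
{
    int ok = model_dh_set0_pg(dh, p, g);
    model_dh_free(dh);
    model_bn_free(p);
    model_bn_free(g);
    return ok;
}

/* Ownership-aware clean-up: the caller frees p and g only when set0 failed
 * (it still owns them then); after success DH_free(dh) alone releases them. */
static int cleanup_ownership_aware(model_dh *dh, model_bn *p, model_bn *g)
{
    int ok = model_dh_set0_pg(dh, p, g);
    if (!ok) {
        model_bn_free(p);
        model_bn_free(g);
    }
    model_dh_free(dh);
    return ok;
}

typedef int (*cleanup_fn)(model_dh *, model_bn *, model_bn *);

/* Outcome of one run: whether set0 succeeded and how often each value was
 * freed. Exactly 1 is correct; 2 is a double free; 0 is a leak. */
typedef struct {
    int set0_ok;
    int p_frees;
    int g_frees;
} model_result;

/* Runs one clean-up pattern on fresh objects. provide_g == 0 simulates the
 * failure path: a missing generator makes set0 reject the call. */
static model_result run_pattern(cleanup_fn pattern, int provide_g)
{
    model_bn p = {0}, g = {0};
    model_dh dh = {NULL, NULL};
    model_result r;

    r.set0_ok = pattern(&dh, &p, provide_g ? &g : NULL);
    r.p_frees = p.free_count;
    r.g_frees = g.free_count;
    return r;
}

int main(void)
{
    model_result a = run_pattern(cleanup_as_in_patch, 1);
    model_result b = run_pattern(cleanup_ownership_aware, 1);
    printf("patch order, set0 ok:           p freed %d times\n", a.p_frees);
    printf("ownership-aware order, set0 ok: p freed %d times\n", b.p_frees);
    return 0;
}
```

Compile and run with any C compiler; no OpenSSL is needed. With set0 succeeding, the patch's order frees p and g twice while the ownership-aware order frees them once, and on the failure path both orders free them exactly once, which is the only case where the caller's BN_free() calls belong.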