New module: Nginx OpenSSL version check

Phil Pennock nginx+phil at spodhuis.org
Wed Apr 9 02:11:31 UTC 2014


On behalf of my employer, Apcera Inc, we are delighted to make available
a new Nginx module, providing for a start-up OpenSSL version check for
those who wish for a little more belt&braces protection.

https://github.com/apcera/nginx-openssl-version

The README.md file explains the rationale.  The simplest configuration
is to make no configuration change, so that you just get a log message
to the error log at notice level, at start-up, stating which version of
OpenSSL the code was built against and which was found at runtime.

The most complicated configuration is to add one line to your
configuration in the global section:

    openssl_version_minimum 1.0.1g;

With this, if the runtime library loaded in is not at least of this
level, then there is a fatal configuration error and nginx will refuse
to start.

Dedicated to all those who have ever had to debug interactions between
setcap for net-bind privilege marked on a binary, the runtime linker,
concepts of what is or is not setuid and what is or is not safe in such
a situation and finding that not even the runtime linker will tell you
honestly which version of the library will _actually_ be used, only
lsof(8) will, by showing which file was _actually_ mmap'd into your
address space.  Like many others, my Monday night was _fun_.

Regards, and may you sleep more soundly,
-Phil Pennock, Apcera Inc.



More information about the nginx mailing list