How to install Nginx from source and avoid the OpenSSL Bug ?

B.R. reallfqq-nginx at yahoo.fr
Wed Jun 4 13:50:55 UTC 2014


On Wed, Jun 4, 2014 at 3:33 PM, Lukas Tribus <luky-37 at hotmail.com> wrote:

> > How to install Nginx from source and avoid the OpenSSL Bug ?
>
> What openssl bug are you talking about? Debian contains all
> important fixes afaik.
>

I think 'yarek' tries to build nginx with a 3rd-party program.
I'd suggest using either the latest stable (v1.6.0) or mainline (v1.7.1)
source.
v1.4.3 is pretty old now and is deprecated.

Btw, nginx links the OpenSSL library dynamically, so the bug has never lain
inside nginx.
It depends on the version of OpenSSL which has been used to compile nginx
(since using a version other than the one used for compilation at run time
might fail/introduce problems).

> > It seems error comes from :
> > Planned removal of SSL_OP_MSIE_SSLV2_RSA_PADDING breaks dependent
> > software
> > if you are using OpenSSL 1.0.2 or higher.
> >
> > Any idea on how do I fix that ?
>
> It was already fixed 9 months ago:
> http://hg.nginx.org/nginx/rev/a73678f5f96f
>
> Use a recent nginx tarball.
>

'yarek', you could have compared the error message triggered by the source
you were using with the current ngx_event_openssl.c source file
<http://trac.nginx.org/nginx/browser/nginx/src/event/ngx_event_openssl.c>.
You would have seen that the deprecation of the constant you triggered is
handled, by a check for its existence. Lukas has been kind enough to
provide you with the exact commit introducing this change.

To sum up:
- use recent/supported source <http://nginx.org/en/download.html>
- use an unaffected version of OpenSSL
<https://www.openssl.org/news/secadv_20140407.txt> when compiling your
nginx binary. All major distros (including Debian) have fixed their
repositories with corrected versions for a long time now

---
*B. R.*
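
Added example (not part of the original message or of nginx): a shell check that reads `nginx -V` output and classifies the build-time and run-time OpenSSL versions against the upstream releases listed as affected in the 7 April 2014 advisory linked above. It assumes an nginx whose `-V` output includes the `built with OpenSSL` line and an upstream source build; distro packages backport fixes without changing the version string, so the letter suffix alone is not conclusive there. The function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the OpenSSL versions reported by `nginx -V`.

# Upstream releases listed as affected by the 2014-04-07 advisory:
# 1.0.1 through 1.0.1f, plus 1.0.2-beta1. Fixed in 1.0.1g.
openssl_status() {
    case "$1" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1) echo affected ;;
        [0-9]*.[0-9]*.[0-9]*)         echo unaffected ;;
        *)                            echo unknown ;;
    esac
}

# Reads `nginx -V` text on stdin and reports the build-time and run-time
# OpenSSL versions. Always returns 0; the verdict is in the printed line.
check_nginx_v() {
    out=$(cat)
    built=$(printf '%s\n' "$out" |
        sed -n 's/.*built with OpenSSL \([^ ]*\).*/\1/p')
    running=$(printf '%s\n' "$out" |
        sed -n 's/.*running with OpenSSL \([^ )]*\).*/\1/p')
    # nginx adds "(running with ...)" only when the loaded library differs
    # from the one it was compiled against.
    [ -n "$running" ] || running=$built
    echo "built=$built($(openssl_status "$built")) running=$running($(openssl_status "$running"))"
}

# Constructed sample output (not captured from a real host).
SAMPLE_NGINX_V='nginx version: nginx/x.y.z
built with OpenSSL 1.0.1e 11 Feb 2013 (running with OpenSSL 1.0.1g 7 Apr 2014)
TLS SNI support enabled'

printf '%s\n' "$SAMPLE_NGINX_V" | check_nginx_v
# On a real host: nginx -V 2>&1 | check_nginx_v
```

A result where `built` is affected but `running` is not means the shared library was upgraded after compilation, which is the build-time/run-time mismatch the message warns about.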