Issues building Nginx using boringssl

Tue Feb 20 08:29:03 UTC 2024

Hello,
As you can see, boringssl's libcrypto.a and libssl.a are in two separate
directories, as shown below:
root at VM-8-12-debian ~/boringssl/build # ls
bssl CMakeCache.txt cmake_install.cmake crypto_test decrepit
embed_test_data_args.txt libpki.a pki_test ssl_test urandom_test
build.ninja CMakeFiles crypto crypto_test_data.cc decrepit_test
libboringssl_gtest.a libtest_support_lib.a ssl tool util
root at VM-8-12-debian ~/boringssl/build # cd crypto
root at VM-8-12-debian ~/boringssl/build/crypto # ls
chacha cipher_extra CMakeFiles cmake_install.cmake crypto_test err_data.c
fipsmodule libcrypto.a test urandom_test
root at VM-8-12-debian ~/boringssl/build/crypto # cd ..
root at VM-8-12-debian ~/boringssl/build # cd ssl
root at VM-8-12-debian ~/boringssl/build/ssl # ls
CMakeFiles cmake_install.cmake libssl.a ssl_test test

I tried using absolute paths and adding
-Wl,-rpath=/root/boringssl/build/ssl
-Wl,-rpath=/root/boringssl/build/crypto -Wl,--enable-new-dtags but this
Doesn't play any role.

--
Best Regards,
Jinze Yang

-------------------------------------------------------
> On Tue, Feb 20, 2024 at 12:23 AM 杨金泽 <rttwyjz at gmail.com> wrote:
> >
> > I encountered the following error when using boringssl to build
> Nginx:
> > checking for OpenSSL library ... not found
> > checking for OpenSSL library in /usr/local/ ... not found
> > checking for OpenSSL library in /usr/pkg/ ... not found
> > checking for OpenSSL library in /opt/local/ ... not found
> > ./auto/configure: error: SSL modules require the OpenSSL library.
> > You can either do not enable the modules, or install the OpenSSL
> library
> > into the system, or build the OpenSSL library statically from the
> source
> > with nginx by using --with-openssl=<path> option.
> >
> > At first I thought it was caused by openssl not existing, but when I
> ran openssl version -a, everything was normal:
> > root at iZ2hmeokcpbj42Z ~/nginx # openssl version -a
> > OpenSSL 3.0.11 19 Sep 2023 (Library: OpenSSL 3.0.11 19 Sep 2023)
> > built on: Mon Oct 23 17:52:22 2023 UTC
> > platform: debian-amd64
> > options: bn(64,64)
> > compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall
> -fzero-call-used-regs=used-gpr -DOPENSSL_TLS_SECURITY_LEVEL=2
> -Wa,--noexecstack -g -O2 -ffile-prefix-map=
> /build/reproducible-path/openssl-3.0.11=. -fstack-protector-strong
> -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DL_ENDIAN
> -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG -Wdate-time
> -D_FORTIFY_SOURCE=2
> > OPENSSLDIR: "/usr/lib/ssl"
> > ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-3"
> > MODULESDIR: "/usr/lib/x86_64-linux-gnu/ossl-modules"
> > Seeding source: os-specific
> > CPUINFO: OPENSSL_ia32cap=0xfffa32035f8bffff:0xd01e4fbb
> >
> > Later my friend and I discovered that the latest boringssl
> compatible OpenSSL version seems to have been upgraded to 3.2.x, but I
> am not sure if this is the problem. The final solution was to switch
> to https://github.com/google/boringssl
> /commit/c39e6cd9ec5acebb6de2adffc03cfe03b07f08ab this commit.But I
> don't think switching to a previous commit to build is a perfect
> solution, so I'd like to ask for some help.
> >
> > My build steps are as follows:
> > apt update
> > apt install build-essential ca-certificates zlib1g-dev libpcre3
> libpcre3-dev tar unzip libssl-dev wget curl git cmake ninja-build
> mercurial libunwind-dev pkg-config
> >
> > git clone https://github.com/google/boringssl.git
> > cd boringssl
> > mkdir build
> > cd build
> > cmake -GNinja ..
> > ninja
> > cd ../..
> >
> > git clone --recurse-submodules -j8
> https://github.com/google/ngx_brotli
> > cd ngx_brotli/deps/brotli
> > mkdir out && cd out
> > cmake -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=OFF
> -DCMAKE_C_FLAGS="-Ofast -m64 -march=native -mtune=native -flto
> -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections"
> -DCMAKE_CXX_FLAGS ="-Ofast -m64 -march=native -mtune=native -flto
> -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections"
> -DCMAKE_INSTALL_PREFIX=./installed ..
> > cmake --build . --config Release --target brotlienc
> > cd ../../../..
> >
> > hg clone https://hg.nginx.org/nginx
> > cd nginx
> > ./auto/configure --user=www --group=www --prefix=/www/server/nginx
> --with-pcre --add-module=/root/ngx_brotli --with-http_v2_module
> --with-stream --with-stream_ssl_module --with-http_ssl_module
> --with-http_gzip_static_module --with-http_gunzip_module
> --with-http_sub_module --with-http_flv_module
> --with-http_addition_module --with-http_realip_module
> --with-http_mp4_module --with-ld -opt=-Wl,-E --with-cc-opt=-Wno-error
> --with-ld-opt=-ljemalloc --with-http_dav_module --with-http_v3_module
> --with-cc-opt=-I ../boringssl/include
> --with-ld-opt='-L../boringssl/build/ssl -L../boringssl/build/crypto'
> > make
> > make install
> >
> > System information：
> > checking for OS
> > + Linux 6.1.0-18-amd64 x86_64
> > checking for C compiler ... found
> > + using GNU C compiler
> > + gcc version: 12.2.0 (Debian 12.2.0-14)
>
> This does not look correct to me, based on my knowledge of OpenSSL. (I
> don't have experience with BoringSSL):
>
>     --with-ld-opt='-L../boringssl/build/ssl
> -L../boringssl/build/crypto'
>
> You are trying to link two OpenSSL-compatible libraries. They are
> libcrypto.{a|so}, and libssl.{a|so}. Those artifacts are usually
> placed in a  lib/ directory, not in separate ssl/ and crypto/
> directories. (Two separate directories may be a BoringSSL-ism).
>
> So I believe the proper flag would be similar to:
>
>     --with-ld-opt='-L../boringssl/build/lib
>
> You should also consider using the the following option so the library
> used at runtime is the same library used at compile and link time:
>
>     -Wl,-rpath=../boringssl/build/lib -Wl,--enable-new-dtags
>
> But you should change ../boringssl/build/lib to the full path, and not
> use the relative path.
>
> Also see
> <https://wiki.openssl.org/index.php/Compilation_and_Installation#Using
> _RPATHs>
> or the BoringSSL equivalent document.
>
> Jeff
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> https://mailman.nginx.org/mailman/listinfo/nginx
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20240220/d119ea62/attachment.htm>