Issues building Nginx using boringssl

Roman Arutyunyan arut at nginx.com
Tue Feb 20 13:12:40 UTC 2024


Hi,

Your boringssl paths look ok.

What's in objs/autoconf.err?

> On 20 Feb 2024, at 12:29, Jinze YANG <rttwyjz at gmail.com> wrote:
> 
> Hello,
> As you can see, boringssl's libcrypto.a and libssl.a are in two separate directories, as shown below:
> root at VM-8-12-debian ~/boringssl/build # ls
> bssl CMakeCache.txt cmake_install.cmake crypto_test decrepit embed_test_data_args.txt libpki.a pki_test ssl_test urandom_test
> build.ninja CMakeFiles crypto crypto_test_data.cc decrepit_test libboringssl_gtest.a libtest_support_lib.a ssl tool util
> root at VM-8-12-debian ~/boringssl/build # cd crypto
> root at VM-8-12-debian ~/boringssl/build/crypto # ls
> chacha cipher_extra CMakeFiles cmake_install.cmake crypto_test err_data.c fipsmodule libcrypto.a test urandom_test
> root at VM-8-12-debian ~/boringssl/build/crypto # cd ..
> root at VM-8-12-debian ~/boringssl/build # cd ssl
> root at VM-8-12-debian ~/boringssl/build/ssl # ls
> CMakeFiles cmake_install.cmake libssl.a ssl_test test
> 
> I tried using absolute paths and adding -Wl,-rpath=/root/boringssl/build/ssl -Wl,-rpath=/root/boringssl/build/crypto -Wl,--enable-new-dtags but this doesn't play any role.
> 
> --
> Best Regards,
> Jinze Yang
> 
> -------------------------------------------------------
> > On Tue, Feb 20, 2024 at 12:23 AM 杨金泽 <rttwyjz at gmail.com> wrote:
> > >
> > > I encountered the following error when using boringssl to build Nginx:
> > > checking for OpenSSL library ... not found
> > > checking for OpenSSL library in /usr/local/ ... not found
> > > checking for OpenSSL library in /usr/pkg/ ... not found
> > > checking for OpenSSL library in /opt/local/ ... not found
> > > ./auto/configure: error: SSL modules require the OpenSSL library.
> > > You can either do not enable the modules, or install the OpenSSL library
> > > into the system, or build the OpenSSL library statically from the source
> > > with nginx by using --with-openssl=<path> option.
> > >
> > > At first I thought it was caused by openssl not existing, but when I ran openssl version -a, everything was normal:
> > > root at iZ2hmeokcpbj42Z ~/nginx # openssl version -a
> > > OpenSSL 3.0.11 19 Sep 2023 (Library: OpenSSL 3.0.11 19 Sep 2023)
> > > built on: Mon Oct 23 17:52:22 2023 UTC
> > > platform: debian-amd64
> > > options: bn(64,64)
> > > compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -fzero-call-used-regs=used-gpr -DOPENSSL_TLS_SECURITY_LEVEL=2 -Wa,--noexecstack -g -O2 -ffile-prefix-map=/build/reproducible-path/openssl-3.0.11=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
> > > OPENSSLDIR: "/usr/lib/ssl"
> > > ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-3"
> > > MODULESDIR: "/usr/lib/x86_64-linux-gnu/ossl-modules"
> > > Seeding source: os-specific
> > > CPUINFO: OPENSSL_ia32cap=0xfffa32035f8bffff:0xd01e4fbb
> > >
> > > Later my friend and I discovered that the latest boringssl compatible OpenSSL version seems to have been upgraded to 3.2.x, but I am not sure if this is the problem. The final solution was to switch to https://github.com/google/boringssl/commit/c39e6cd9ec5acebb6de2adffc03cfe03b07f08ab this commit. But I don't think switching to a previous commit to build is a perfect solution, so I'd like to ask for some help.
> > >
> > > My build steps are as follows:
> > > apt update
> > > apt install build-essential ca-certificates zlib1g-dev libpcre3 libpcre3-dev tar unzip libssl-dev wget curl git cmake ninja-build mercurial libunwind-dev pkg-config
> > >
> > > git clone https://github.com/google/boringssl.git
> > > cd boringssl
> > > mkdir build
> > > cd build
> > > cmake -GNinja ..
> > > ninja
> > > cd ../..
> > >
> > > git clone --recurse-submodules -j8 https://github.com/google/ngx_brotli
> > > cd ngx_brotli/deps/brotli
> > > mkdir out && cd out
> > > cmake -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=OFF -DCMAKE_C_FLAGS="-Ofast -m64 -march=native -mtune=native -flto -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" -DCMAKE_CXX_FLAGS="-Ofast -m64 -march=native -mtune=native -flto -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" -DCMAKE_INSTALL_PREFIX=./installed ..
> > > cmake --build . --config Release --target brotlienc
> > > cd ../../../..
> > >
> > > hg clone https://hg.nginx.org/nginx
> > > cd nginx
> > > ./auto/configure --user=www --group=www --prefix=/www/server/nginx --with-pcre --add-module=/root/ngx_brotli --with-http_v2_module --with-stream --with-stream_ssl_module --with-http_ssl_module --with-http_gzip_static_module --with-http_gunzip_module --with-http_sub_module --with-http_flv_module --with-http_addition_module --with-http_realip_module --with-http_mp4_module --with-ld-opt=-Wl,-E --with-cc-opt=-Wno-error --with-ld-opt=-ljemalloc --with-http_dav_module --with-http_v3_module --with-cc-opt=-I ../boringssl/include --with-ld-opt='-L../boringssl/build/ssl -L../boringssl/build/crypto'
> > > make
> > > make install
> > >
> > > System information:
> > > checking for OS
> > > + Linux 6.1.0-18-amd64 x86_64
> > > checking for C compiler ... found
> > > + using GNU C compiler
> > > + gcc version: 12.2.0 (Debian 12.2.0-14)
> > 
> > This does not look correct to me, based on my knowledge of OpenSSL. (I
> > don't have experience with BoringSSL):
> > 
> >     --with-ld-opt='-L../boringssl/build/ssl -L../boringssl/build/crypto'
> > 
> > You are trying to link two OpenSSL-compatible libraries. They are
> > libcrypto.{a|so}, and libssl.{a|so}. Those artifacts are usually
> > placed in a lib/ directory, not in separate ssl/ and crypto/
> > directories. (Two separate directories may be a BoringSSL-ism).
> > 
> > So I believe the proper flag would be similar to:
> > 
> >     --with-ld-opt='-L../boringssl/build/lib'
> > 
> > You should also consider using the following option so the library
> > used at runtime is the same library used at compile and link time:
> > 
> >     -Wl,-rpath=../boringssl/build/lib -Wl,--enable-new-dtags
> > 
> > But you should change ../boringssl/build/lib to the full path, and not
> > use the relative path.
> > 
> > Also see
> > <https://wiki.openssl.org/index.php/Compilation_and_Installation#Using_RPATHs>
> > or the BoringSSL equivalent document.
> > 
> > Jeff
> > _______________________________________________
> > nginx mailing list
> > nginx at nginx.org <mailto:nginx at nginx.org>
> > https://mailman.nginx.org/mailman/listinfo/nginx

----
Roman Arutyunyan
arut at nginx.com
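
To answer the question at the top of this message, the relevant part of objs/autoconf.err is the block recorded for the OpenSSL probe. The script below is an added example, not code from this thread or from nginx: it pulls those blocks out of the log and maps the compiler or linker message to a coarse cause. The function names, the category labels and the sample log are constructed here, and the log layout (a 40-dash separator followed by a "checking for ..." line) is an assumption about what configure appends.

```shell
#!/bin/sh
# Added example: extract the OpenSSL probe results from nginx's objs/autoconf.err.
SEP='----------------------------------------'   # block separator in the log

# Print every "checking for OpenSSL library ..." block found in log file $1.
openssl_blocks() {
    awk -v sep="$SEP" '
        $0 == sep { grab = 0; head = 1; next }
        head      { grab = ($0 ~ /^checking for OpenSSL library/); head = 0 }
        grab      { print }
    ' "$1"
}

# Map the compiler/linker output in those blocks to a coarse cause.
classify_openssl_failure() {
    blocks=$(openssl_blocks "$1")
    if [ -z "$blocks" ]; then
        echo no-openssl-probe
    elif printf '%s\n' "$blocks" | grep -q 'openssl/ssl.h: No such file'; then
        echo missing-headers       # the -I path did not reach the probe
    elif printf '%s\n' "$blocks" | grep -Eq 'cannot find -l(ssl|crypto)'; then
        echo missing-library       # the -L path did not reach the probe
    elif printf '%s\n' "$blocks" | grep -q 'undefined reference to'; then
        echo unresolved-symbols    # library was found, link still incomplete
    else
        echo other
    fi
}

# Write a CONSTRUCTED log to $1 with $2 as the probe's error line
# (not the poster's actual log; the layout is an assumption, see above).
write_sample_log() {
    {
        printf '\n%s\nchecking for zlib library\n\n' "$SEP"
        printf '\n%s\nchecking for OpenSSL library\n\n' "$SEP"
        printf '%s\n' "$2"
        printf '%s\n' '----------' '#include <openssl/ssl.h>' '----------'
        printf '%s\n' 'cc -o objs/autotest objs/autotest.c -lssl -lcrypto' '----------'
    } > "$1"
}

log=$(mktemp)
write_sample_log "$log" '/usr/bin/ld: cannot find -lssl: No such file or directory'
classify_openssl_failure "$log"    # prints: missing-library
rm -f "$log"
```

Against a real build tree, run `classify_openssl_failure objs/autoconf.err` after a failed configure, and `openssl_blocks objs/autoconf.err` to see the full probe source and command line that produced the error.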



