Issues building Nginx using boringssl

Jinze YANG rttwyjz at gmail.com
Wed Feb 21 04:24:25 UTC 2024 

Hi Jeff,
You are right, nginx does use different libraries when running, and
after I replaced the original library files, nginx returned to normal.


On Tue, Feb 20, 2024 at 10:19 PM Jinze YANG <rttwyjz at gmail.com
<https://mailman.nginx.org/mailman/listinfo/nginx>> wrote:
>>* After I built libssl as a shared library, the compilation could be completed normally, but I encountered some problems after compilation. The details are as follows:
*>* root at VM-8-12-debian
<https://mailman.nginx.org/mailman/listinfo/nginx>
/www/server/nginx/sbin # ./nginx -t
*>* ./nginx: symbol lookup error: ./nginx: undefined symbol: SSL_library_init
*>* root at VM-8-12-debian
<https://mailman.nginx.org/mailman/listinfo/nginx>
/www/server/nginx/sbin # ./nginx -V
*>* nginx version: nginx/1.25.4
*>* built by gcc 12.2.0 (Debian 12.2.0-14)
*>* built with OpenSSL 1.1.1 (compatible; BoringSSL) (running with
OpenSSL 3.0.11 19 Sep 2023)
*>* TLS SNI support enabled
*>* configure arguments: --user=www --group=www
--prefix=/www/server/nginx --with-pcre --add-module=/root/ngx_brotli
--with-http_v2_module --with-stream --with-stream_ssl_module
--with-http_ssl_module --with-http_gzip_static_module
--with-http_gunzip_module --with-http_sub_module
--with-http_flv_module --with-http_addition_module
--with-http_realip_module --with-http_mp4_module --with-ld-opt=-Wl,-E
--with-cc-opt=-Wno-error --with-ld-opt=-ljemalloc
--with-http_dav_module --with-http_v3_module
--with-cc-opt=-I/root/boringssl/include
--with-ld-opt='-L/root/boringssl/build/ssl
-L/root/boringssl/build/crypto -Wl,-rpath=/root/boringssl/build/ssl
-Wl,-rpath=/root/boringssl/build/crypto -Wl,--enable-new-dtags'
*
This is kind of interesting in a morbid sort of way:

    undefined symbol: SSL_library_init

That's the old way to initialize OpenSSL. It is available in OpenSSL
1.0.2 and below. Does BoringSSL also use it? Also see
<https://wiki.openssl.org/index.php/Library_Initialization>.

Nowadays you should be initializing OpenSSL with OPENSSL_init_ssl()
and possibly OPENSSL_init_crypto(). Does BoringSSL also do it that way
nowadays? Also see
<https://www.openssl.org/docs/manmaster/man3/OPENSSL_init_ssl.html>

To see which libraries nginx is loading, issue the following. You
should see the output detail the libraries you expect from
/root/boringssl/build/ssl/libssl.so and
/root/boringssl/build/crypto/libcrypto.so (my output is from a distro
provided installation):

   $ ldd $(command -v nginx)
       linux-vdso.so.1 (0x00007ffc94bf8000)
       libcrypt.so.2 => /lib64/libcrypt.so.2 (0x00007f05d0e33000)
       libpcre2-8.so.0 => /lib64/libpcre2-8.so.0 (0x00007f05d0d98000)
       libssl.so.3 => /lib64/libssl.so.3 (0x00007f05d0cf5000)
       libcrypto.so.3 => /lib64/libcrypto.so.3 (0x00007f05d0800000)
       libz.so.1 => /lib64/libz.so.1 (0x00007f05d0cdb000)
       libprofiler.so.0 => /lib64/libprofiler.so.0 (0x00007f05d07e8000)
       libc.so.6 => /lib64/libc.so.6 (0x00007f05d0606000)
       libunwind.so.8 => /lib64/libunwind.so.8 (0x00007f05d05ec000)
       libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f05d0200000)
       libm.so.6 => /lib64/libm.so.6 (0x00007f05d050b000)
       libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f05d04e7000)
       /lib64/ld-linux-x86-64.so.2 (0x00007f05d0fda000)

I believe OPENSSL_init_ssl is part of libssl.so. You should be able to
verify the symbol is exported:

   $ nm -D /lib64/libssl.so.3 | grep ' T ' | grep OPENSSL_init
   00000000000309d0 T OPENSSL_init_ssl@@OPENSSL_3.0.0

Grepping for the capital ' T ' is important. It means you are grepping
for symbols that are defined, and not including undefined symbols:

    $ nm -D /lib64/libssl.so.3 | grep OPENSSL_init
                    U OPENSSL_init_crypto at OPENSSL_3.0.0
<https://mailman.nginx.org/mailman/listinfo/nginx>
    00000000000309d0 T OPENSSL_init_ssl@@OPENSSL_3.0.0

And SSL_library_init is not present because my distro provides OpenSSL 3.0:

    $ nm -D /lib64/libssl.so.3 | grep SSL_library_init
    $

So it sounds like BoringSSL is doing something different than modern
OpenSSL. Or you are compiling and then runtime linking against
different versions of the libraries.

Jeff
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20240221/379c8f7f/attachment-0001.htm>

More information about the nginx mailing list