How to build nginx with a custom version of openssl + fips

Alex Domoradov alex.hha at gmail.com
Mon Jan 5 22:28:38 UTC 2015


As the subject says: I have CentOS 5.11. I just can't get it to build with fips.

# ./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx \
    --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log \
    --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid \
    --lock-path=/var/run/nginx.lock \
    --http-client-body-temp-path=/var/cache/nginx/client_temp \
    --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
    --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
    --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
    --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx \
    --with-http_ssl_module --with-http_realip_module \
    --with-http_addition_module --with-http_sub_module \
    --with-http_gunzip_module --with-http_gzip_static_module \
    --with-http_random_index_module --with-http_secure_link_module \
    --with-http_stub_status_module --with-mail --with-mail_ssl_module \
    --with-file-aio --with-openssl=/usr/src/redhat/BUILD/openssl-1.0.1j \
    --with-openssl-opt="zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 enable-cms enable-md2 no-mdc2 no-rc5 no-ec2m no-gost no-srp fips"

# make
...
...
...
make[3]: Entering directory `/usr/src/redhat/BUILD/openssl-1.0.1j/test'
make[3]: Nothing to be done for `generate'.
make[3]: Leaving directory `/usr/src/redhat/BUILD/openssl-1.0.1j/test'
make[2]: Leaving directory `/usr/src/redhat/BUILD/openssl-1.0.1j'

Since you've disabled or enabled at least one algorithm, you need to do
the following before building:

        make depend

Configured for linux-x86_64.
make[2]: Entering directory `/usr/src/redhat/BUILD/openssl-1.0.1j'
making all in crypto...
make[3]: Entering directory `/usr/src/redhat/BUILD/openssl-1.0.1j/crypto'
( echo "#ifndef MK1MF_BUILD"; \
        echo '  /* auto-generated by crypto/Makefile for crypto/cversion.c
*/'; \
        echo '  #define CFLAGS "gcc -DZLIB -DDSO_DLFCN -DHAVE_DLFCN_H
-Wa,--noexecstack -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DOPENSSL_IA32_SSE2
-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m
-I/usr/local/ssl/fips-2.0/include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM
-DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM"'; \
        echo '  #define PLATFORM "linux-x86_64"'; \
        echo "  #define DATE \"`LC_ALL=C LC_TIME=C date`\""; \
        echo '#endif' ) >buildinf.h
gcc -I. -I.. -I../include  -DZLIB -DDSO_DLFCN -DHAVE_DLFCN_H
-Wa,--noexecstack -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DOPENSSL_IA32_SSE2
-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m
-I/usr/local/ssl/fips-2.0/include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM
-DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
-c -o cryptlib.o cryptlib.c
cryptlib.c: In function ‘CRYPTO_set_locking_callback’:
cryptlib.c:415: warning: implicit declaration of function ‘OPENSSL_init’
cryptlib.c: At top level:
cryptlib.c:670: error: conflicting types for ‘OPENSSL_ia32cap_loc’
../include/openssl/crypto.h:561: error: previous declaration of
‘OPENSSL_ia32cap_loc’ was here
cryptlib.c: In function ‘OPENSSL_ia32cap_loc’:
cryptlib.c:677: warning: dereferencing type-punned pointer will break
strict-aliasing rules
make[3]: *** [cryptlib.o] Error 1
make[3]: Leaving directory `/usr/src/redhat/BUILD/openssl-1.0.1j/crypto'
make[2]: *** [build_crypto] Error 1
make[2]: Leaving directory `/usr/src/redhat/BUILD/openssl-1.0.1j'
make[1]: ***
[/usr/src/redhat/BUILD/openssl-1.0.1j/.openssl/include/openssl/ssl.h] Error
2
make[1]: Leaving directory `/usr/src/redhat/BUILD/nginx-1.4.7'
make: *** [build] Error 2

If I remove fips from --with-openssl-opt, everything builds correctly.

P.S.
nginx-1.4.7
openssl-1.0.1j
openssl-fips-2.0.9