Nginx HTTP/2 module (ALPN) TLS on RHEL 7.*

rikske at deds.nl rikske at deds.nl
Mon Sep 28 18:13:08 UTC 2015


Hi,

I don't know.
Can't find anything about Nginx, OpenSSL ALPN and/or NPN in the logs.

HTTP/2 seems to be running fine here according to my testing tools.
But there is nothing about ALPN or NPN.

The only thing I can find in their code is that Nginx should warn the
user in case the end user doesn't provide a valid OpenSSL.
I can not reproduce that warning.

So my question is still applicable.

Is the Nginx HTTP/2 module using (ALPN) TLS on RHEL 7.*?

Perhaps a Nginx developer can take a look at it?

Thanks,

+    if (lsopt->http2 && lsopt->ssl) {
         ngx_conf_log_error(NGX_LOG_WARN, cf, 0,
-                           "nginx was built without OpenSSL ALPN or NPN "
-                           "support, SPDY is not enabled for %s",
lsopt->addr);
+                           "nginx was built with OpenSSL that lacks ALPN "
+                           "and NPN support, HTTP/2 is not enabled for %s",
+                           lsopt->addr);
     }
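
Review bot: The wording in the two added string lines only covers an OpenSSL that lacks both ALPN and NPN, so a build against a library that has NPN but no ALPN logs nothing, even though the documentation quoted in this thread says HTTP/2 over NPN "is not guaranteed". Consider a second, distinct warning for the NPN-only case so an administrator can tell from the log which extension the listener on lsopt->addr will actually negotiate. The preprocessor condition guarding this block is not visible in the excerpt, so this assumes it matches the message text.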


> Like this?
>
> nginx version: nginx/1.9.5
> built by gcc 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC)
> built with OpenSSL 1.0.2d-fips 9 Jul 2015
> TLS SNI support enabled
> configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx
> --conf-path=/etc/nginx/nginx.conf
> --error-log-path=/var/log/nginx/error.log
> --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid
> --lock-path=/var/run/nginx.lock
> --http-client-body-temp-path=/var/cache/nginx/client_temp
> --http-proxy-temp-path=/var/cache/nginx/proxy_temp
> --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp
> --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp
> --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx
> --group=nginx --with-http_ssl_module --with-http_realip_module
> --with-http_addition_module --with-http_sub_module
> --with-http_dav_module --with-http_flv_module --with-http_mp4_module
> --with-http_gunzip_module --with-http_v2_module
> --with-http_image_filter_module --with-http_gzip_static_module
> --with-http_random_index_module --with-http_secure_link_module
> --with-http_stub_status_module --with-mail --with-mail_ssl_module
> --with-file-aio --with-ipv6 --with-cc-opt='-O2 -g -pipe -Wall
> -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
> --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic'
>
> Then how to test if I am already using ALPN? :)
>
> On 09/28/2015 10:15 PM, rikske at deds.nl wrote:
>> Hi,
>>
>> So what you're saying.
>>
>> Nginx HTTP/2 module won't work on RHEL 7.1 with (ALPN) TLS,
>> until you are using OpenSSL version 1.0.2 on RHEL 7.1 in any manner
>> whatsoever?
>>
>> Can anyone confirm this?
>>
>> Thanks,
>>
>> Regards,
>>
>> Rik Ske
>>
>>> Hello!
>>>
>>> On 09/28/2015 08:40 PM, rikske at deds.nl wrote:
>>>> Dear,
>>>>
>>>> Does the Nginx HTTP/2 module work on RHEL 7.1 with (ALPN) TLS?
>>>>
>>>> It seems like the HTTP/2 module is enabled by default in your RHEL 7.1
>>>> based rpm and srpm.
>>>>
>>>> Your Nginx website writes about:
>>>>
>>>> "Note that accepting HTTP/2 connections over TLS requires the
>>>> “Application-Layer Protocol Negotiation” (ALPN) TLS extension support,
>>>> which is available only since OpenSSL version 1.0.2. Using the “Next
>>>> Protocol Negotiation” (NPN) TLS extension for this purpose
>>>> (available since OpenSSL version 1.0.1) is not guaranteed. "
>>>>
>>>> RHEL 7.1 is using OpenSSL 1.0.1e with a whole bunch of patches and
>>>> backports.
>>>>
>>>> Can't find anything in the changelog of RHEL 7.1's OpenSSL about ALPN.
>>>> The only thing I can find is "Support for Application Layer Protocol
>>>> Negotiation (ALPN) has been added." in RHEL's GnuTLS.
>>>
>>> Yes, RHEL is using openssl 1.0.1e-42. But I've compiled using openssl
>>> 1.0.2d + crypto-policies under centos7, and it was successfully deployed
>>> on my sandbox.
>>>
>>> The rpm was compiled on fedora22, and ported to el7 using mock.
>>>
>>> https://gitlab.com/antituhan/rpms/tree/master.
>>> $ openssl version
>>> OpenSSL 1.0.2d-fips 9 Jul 2015
>>> $ uname -a
>>> Linux <removed> 3.10.0-229.14.1.el7.x86_64 #1 SMP Tue Sep 15 15:05:51
>>> UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
>>>
>>> Enjoy.
>>>
>>>
>>>>
>>>> Thanks,
>>>>
>>>> Regards,
>>>>
>>>> Rik Ske
>>>>
>>>> _______________________________________________
>>>> nginx mailing list
>>>> nginx at nginx.org
>>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>>>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
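
One way to answer the "how to test if I am already using ALPN" question raised in the thread, as an added example that is not part of the original messages: classify what `openssl s_client` reports after the handshake. The function names and the sample excerpts are constructed for illustration; the probe assumes a client-side OpenSSL 1.0.2 or later for `-alpn` and NPN support for `-nextprotoneg`.

```shell
#!/bin/sh
# Added example: tell whether a TLS server picked HTTP/2 via ALPN, via NPN,
# or not at all, based on the summary lines printed by `openssl s_client`.

# Reads s_client output on stdin; prints alpn:<proto>, npn:<proto> or none.
classify_negotiation() {
    awk '
        /^ALPN protocol: /   { alpn = $3 }   # e.g. "ALPN protocol: h2"
        /^Next protocol: \(/ { npn = $NF }   # e.g. "Next protocol: (1) h2"
        END {
            if (alpn != "")     print "alpn:" alpn
            else if (npn != "") print "npn:" npn
            else                print "none"
        }'
}

# Live probe: offer ALPN first and fall back to NPN only if ALPN yields
# nothing. An s_client too old to know -alpn prints usage text instead,
# which classifies as "none" and triggers the NPN attempt.
probe_server() {   # usage: probe_server <host> <port>
    for flag in -alpn -nextprotoneg; do
        result=$(openssl s_client -connect "$1:$2" -servername "$1" \
                 "$flag" h2,http/1.1 </dev/null 2>/dev/null |
                 classify_negotiation)
        if [ "$result" != none ]; then break; fi
    done
    echo "$result"
}

# Constructed s_client excerpts (not captured from a real server).
SAMPLE_ALPN='SSL handshake has read 3121 bytes and written 447 bytes
ALPN protocol: h2
    Protocol  : TLSv1.2'
SAMPLE_NPN='Next protocol: (1) h2
No ALPN negotiated
    Protocol  : TLSv1.2'
SAMPLE_NONE='No ALPN negotiated
    Protocol  : TLSv1.2'

# Run a live probe only when host and port are given on the command line.
if [ "$#" -ge 2 ]; then
    probe_server "$1" "$2"
fi
```

A result of `npn:h2` corresponds to the OpenSSL 1.0.1 situation discussed in the thread: HTTP/2 appears to work in some test tools, but only through NPN.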


