Nginx HTTP/2 module (ALPN) TLS on RHEL 7.*

rikske at deds.nl
Mon Sep 28 18:23:23 UTC 2015


Hello.

I would like to add here that it is important to get an answer.
Google is going to remove SPDY support in Chrome, early 2016.
That is 3 months from now. Moreover, NPN support will also be dropped with
ALPN as its successor.

Since by far the majority of users use Chrome, and Chrome is automatically
upgraded, it's time to take action now and test future server settings, to
be (near) future-proof.

Thanks,

Regards,

> Hi,
>
> I don't know.
> Can't find anything about Nginx, OpenSSL ALPN and/or NPN in the logs.
>
> HTTP/2 seems to be running fine here according to my testing tools.
> But there is nothing about ALPN or NPN.
>
> The only thing I can find in their code is that Nginx should warn the
> user in case the end user doesn't provide a valid OpenSSL.
> I can not reproduce that warning.
>
> So my question is still applicable.
>
> Is the Nginx HTTP/2 module using (ALPN) TLS on RHEL 7.*?
>
> Perhaps an Nginx developer can take a look at it?
>
> Thanks,
>
> +    if (lsopt->http2 && lsopt->ssl) {
>          ngx_conf_log_error(NGX_LOG_WARN, cf, 0,
> -                           "nginx was built without OpenSSL ALPN or NPN "
> -                           "support, SPDY is not enabled for %s",
> lsopt->addr);
> +                           "nginx was built with OpenSSL that lacks ALPN
> "
> +                           "and NPN support, HTTP/2 is not enabled for
> %s",
> +                           lsopt->addr);
>      }
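
Review bot: The reworded warning in the two added string lines says OpenSSL "lacks ALPN and NPN support", so as worded it covers only a library missing both extensions; under the new if (lsopt->http2 && lsopt->ssl) test, a build against an OpenSSL that has NPN but no ALPN (the 1.0.1 case raised in this thread) gets no message at all, and the logs cannot show that HTTP/2 is being offered through NPN only. Consider a separate notice for that NPN-only case that names the missing extension. The added if line also has no matching removed line in this excerpt, so the condition it replaces cannot be compared here.
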
>
>
>> Like this?
>>
>> nginx version: nginx/1.9.5
>> built by gcc 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC)
>> built with OpenSSL 1.0.2d-fips 9 Jul 2015
>> TLS SNI support enabled
>> configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx
>> --conf-path=/etc/nginx/nginx.conf
>> --error-log-path=/var/log/nginx/error.log
>> --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid
>> --lock-path=/var/run/nginx.lock
>> --http-client-body-temp-path=/var/cache/nginx/client_temp
>> --http-proxy-temp-path=/var/cache/nginx/proxy_temp
>> --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp
>> --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp
>> --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx
>> --group=nginx --with-http_ssl_module --with-http_realip_module
>> --with-http_addition_module --with-http_sub_module
>> --with-http_dav_module --with-http_flv_module --with-http_mp4_module
>> --with-http_gunzip_module --with-http_v2_module
>> --with-http_image_filter_module --with-http_gzip_static_module
>> --with-http_random_index_module --with-http_secure_link_module
>> --with-http_stub_status_module --with-mail --with-mail_ssl_module
>> --with-file-aio --with-ipv6 --with-cc-opt='-O2 -g -pipe -Wall
>> -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
>> --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic'
>>
>> Then how to test if I am already using ALPN? :)
>>
>> On 09/28/2015 10:15 PM, rikske at deds.nl wrote:
>>> Hi,
>>>
>>> So what you're saying.
>>>
>>> Nginx HTTP/2 module won't work on RHEL 7.1 with (ALPN) TLS,
>>> until you are using OpenSSL version 1.0.2 on RHEL 7.1 in any manner
>>> whatsoever?
>>>
>>> Can anyone confirm this?
>>>
>>> Thanks,
>>>
>>> Regards,
>>>
>>> Rik Ske
>>>
>>>> Hello!
>>>>
>>>> On 09/28/2015 08:40 PM, rikske at deds.nl wrote:
>>>>> Dear,
>>>>>
>>>>> Does the Nginx HTTP/2 module work on RHEL 7.1 with (ALPN) TLS?
>>>>>
>>>>> It seems like the HTTP/2 module is enabled by default in your RHEL 7.1
>>>>> based rpm and srpm.
>>>>>
>>>>> Your Nginx website writes about:
>>>>>
>>>>> "Note that accepting HTTP/2 connections over TLS requires the
>>>>> “Application-Layer Protocol Negotiation” (ALPN) TLS extension support,
>>>>> which is available only since OpenSSL version 1.0.2. Using the “Next
>>>>> Protocol Negotiation” (NPN) TLS extension for this purpose
>>>>> (available since OpenSSL version 1.0.1) is not guaranteed."
>>>>>
>>>>> RHEL 7.1 is using OpenSSL 1.0.1e with a whole bunch of patches and
>>>>> backports.
>>>>>
>>>>> Can't find anything in the changelog of RHEL 7.1's OpenSSL about ALPN.
>>>>> The only thing I can find is "Support for Application Layer Protocol
>>>>> Negotiation (ALPN) has been added." in RHEL's GnuTLS.
>>>>
>>>> Yes, RHEL is using openssl 1.0.1e-42. But I've compiled using openssl
>>>> 1.0.2d + crypto-policies under centos7, and it was successfully deployed
>>>> on my sandbox.
>>>>
>>>> The rpm was compiled on fedora22, and ported to el7 using mock.
>>>>
>>>> https://gitlab.com/antituhan/rpms/tree/master.
>>>> $ openssl version
>>>> OpenSSL 1.0.2d-fips 9 Jul 2015
>>>> $ uname -a
>>>> Linux <removed> 3.10.0-229.14.1.el7.x86_64 #1 SMP Tue Sep 15 15:05:51
>>>> UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
>>>>
>>>> Enjoy.
>>>>
>>>>
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Regards,
>>>>>
>>>>> Rik Ske
>>>>>
>>>>> _______________________________________________
>>>>> nginx mailing list
>>>>> nginx at nginx.org
>>>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>>>>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
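
An added example, not part of the original thread or of nginx: one way to answer the "how to test" question above is to offer ALPN and NPN in separate handshakes with openssl s_client and read back which one the server selected. The function names and the sample excerpts (constructed, not captured) are assumptions; -alpn needs a client OpenSSL of 1.0.2 or later.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a TLS server picked its
# application protocol via ALPN or via NPN, from `openssl s_client` output.

# classify_negotiation: read s_client output on stdin and print
# "alpn:<proto>", "npn:<proto>" or "none". ALPN wins if both appear.
classify_negotiation() {
    awk '
        /^ALPN protocol: /             { alpn = $3 }
        /^Next protocol: \([0-9]+\) /  { npn = $4 }
        END {
            if (alpn != "")     print "alpn:" alpn
            else if (npn != "") print "npn:" npn
            else                print "none"
        }'
}

# probe HOST [PORT]: two handshakes, one offering only ALPN, one only NPN.
# -alpn needs a client OpenSSL >= 1.0.2; NPN does not exist in TLS 1.3,
# so the second handshake is pinned to TLS 1.2.
probe() {
    host=$1
    port=${2:-443}
    printf 'ALPN offer -> '
    openssl s_client -connect "$host:$port" -servername "$host" \
        -alpn h2,http/1.1 </dev/null 2>/dev/null | classify_negotiation
    printf 'NPN offer  -> '
    openssl s_client -connect "$host:$port" -servername "$host" -tls1_2 \
        -nextprotoneg h2,http/1.1 </dev/null 2>/dev/null | classify_negotiation
}

# Constructed excerpts of s_client output (hypothetical, not captured):
# a server linked against an OpenSSL with ALPN ...
SAMPLE_ALPN='Compression: NONE
Expansion: NONE
ALPN protocol: h2
SSL-Session:'
# ... one that only speaks NPN (what OpenSSL 1.0.1 can offer) ...
SAMPLE_NPN_ONLY='Compression: NONE
Expansion: NONE
Next protocol: (1) h2
No ALPN negotiated
SSL-Session:'
# ... and one that negotiated no application protocol at all.
SAMPLE_NONE='Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:'
```

Calling probe with the server's host name prints one result per offer; "none" for the ALPN offer together with "npn:h2" for the NPN offer means HTTP/2 is reachable through NPN only.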


