Nginx HTTP/2 module (ALPN) TLS on RHEL 7.*

Andrew Hutchings ahutchings at nginx.com
Mon Sep 28 20:47:13 UTC 2015


Hi,

If you compiled with OpenSSL 1.0.2d then it should have ALPN, otherwise
it will fall back to NPN. One way to test is with OpenSSL 1.0.2d:

(echo | openssl s_client -alpn h2 -connect example.net:443) | grep ALPN

This will respond with something like the following if it is supported:

ALPN protocol: h2

The warning you have flagged is only if OpenSSL doesn't support either
NPN or ALPN. This means HTTP/2 and SPDY support isn't possible at all
(i.e. OpenSSL < 1.0.1 or a custom build with NPN/ALPN disabled).

Kind Regards
Andrew

On 28/09/15 19:13, rikske at deds.nl wrote:
> Hi,
> 
> I don't know.
> Can't find anything about Nginx, OpenSSL ALPN and/or NPN in the logs.
> 
> HTTP/2 seems to be running fine here according to my testing tools.
> But there is nothing about ALPN or NPN.
> 
> The only thing I can find in their code is that Nginx should warn the
> user in case the end user doesn't provide a valid OpenSSL.
> I can not reproduce that warning.
> 
> So my question is still applicable.
> 
> Is the Nginx HTTP/2 module using (ALPN) TLS on RHEL 7.*?
> 
> Perhaps a Nginx developer can take a look at it?
> 
> Thanks,
> 
> +    if (lsopt->http2 && lsopt->ssl) {
>          ngx_conf_log_error(NGX_LOG_WARN, cf, 0,
> -                           "nginx was built without OpenSSL ALPN or NPN "
> -                           "support, SPDY is not enabled for %s",
> lsopt->addr);
> +                           "nginx was built with OpenSSL that lacks ALPN "
> +                           "and NPN support, HTTP/2 is not enabled for %s",
> +                           lsopt->addr);
>      }
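Review bot: the line `lsopt->addr);` that follows the removed `"support, SPDY is not enabled for %s",` line carries no `-` marker, so as quoted the hunk will not apply; it is the tail of that removed line split by mail wrapping and needs to be rejoined (the added `+                           lsopt->addr);` line shows the intended shape). Rewording the message from SPDY to HTTP/2 is right for the v2 module, but this NGX_LOG_WARN at configuration load is the only indication an operator gets that `http2` on an `ssl` listener is being ignored; consider stating the requirement in the message as well (ALPN needs OpenSSL 1.0.2 or later, as the nginx documentation quoted further down in this thread says), so whoever sees the warning knows what to fix.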
> 
> 
>> Like this?
>>
>> nginx version: nginx/1.9.5
>> built by gcc 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC)
>> built with OpenSSL 1.0.2d-fips 9 Jul 2015
>> TLS SNI support enabled
>> configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx
>> --conf-path=/etc/nginx/nginx.conf
>> --error-log-path=/var/log/nginx/error.log
>> --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid
>> --lock-path=/var/run/nginx.lock
>> --http-client-body-temp-path=/var/cache/nginx/client_temp
>> --http-proxy-temp-path=/var/cache/nginx/proxy_temp
>> --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp
>> --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp
>> --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx
>> --group=nginx --with-http_ssl_module --with-http_realip_module
>> --with-http_addition_module --with-http_sub_module
>> --with-http_dav_module --with-http_flv_module --with-http_mp4_module
>> --with-http_gunzip_module --with-http_v2_module
>> --with-http_image_filter_module --with-http_gzip_static_module
>> --with-http_random_index_module --with-http_secure_link_module
>> --with-http_stub_status_module --with-mail --with-mail_ssl_module
>> --with-file-aio --with-ipv6 --with-cc-opt='-O2 -g -pipe -Wall
>> -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
>> --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic'
>>
>> Then how to test if I am already using ALPN? :)
>>
>> On 09/28/2015 10:15 PM, rikske at deds.nl wrote:
>>> Hi,
>>>
>>> So what you're saying.
>>>
>>> Nginx HTTP/2 module won't work on RHEL 7.1 with (ALPN) TLS,
>>> until you are using OpenSSL version 1.0.2 on RHEL 7.1 in any manner
>>> whatsoever?
>>>
>>> Can anyone confirm this?
>>>
>>> Thanks,
>>>
>>> Regards,
>>>
>>> Rik Ske
>>>
>>>> Hello!
>>>>
>>>> On 09/28/2015 08:40 PM, rikske at deds.nl wrote:
>>>>> Dear,
>>>>>
>>>>> Does the Nginx HTTP/2 module work on RHEL 7.1 with (ALPN) TLS?
>>>>>
>>>>> It seems like the HTTP/2 module is enabled by default in your RHEL 7.1
>>>>> based rpm and srpm.
>>>>>
>>>>> Your Nginx website writes about:
>>>>>
>>>>> "Note that accepting HTTP/2 connections over TLS requires the
>>>>> “Application-Layer Protocol Negotiation” (ALPN) TLS extension support,
>>>>> which is available only since OpenSSL version 1.0.2. Using the “Next
>>>>> Protocol Negotiation” (NPN) TLS extension for this purpose
>>>>> (available since OpenSSL version 1.0.1) is not guaranteed. "
>>>>>
>>>>> RHEL 7.1 is using OpenSSL 1.0.1e with a whole bunch of patches and
>>>>> backports.
>>>>>
>>>>> Can't find anything in the changelog of RHEL 7.1's OpenSSL about ALPN.
>>>>> The only thing I can find is "Support for Application Layer Protocol
>>>>> Negotiation (ALPN) has been added." in RHEL's GnuTLS.
>>>>
>>>> Yes, RHEL is using openssl 1.0.1e-42. But I've compiled using openssl
>>>> 1.0.2d + crypto-policies under centos7, and it was successfully deployed on
>>>> my sandbox.
>>>>
>>>> The rpm was compiled on fedora22, and ported to el7 using mock.
>>>>
>>>> https://gitlab.com/antituhan/rpms/tree/master.
>>>> $ openssl version
>>>> OpenSSL 1.0.2d-fips 9 Jul 2015
>>>> $ uname -a
>>>> Linux <removed> 3.10.0-229.14.1.el7.x86_64 #1 SMP Tue Sep 15 15:05:51
>>>> UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
>>>>
>>>> Enjoy.
>>>>
>>>>
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Regards,
>>>>>
>>>>> Rik Ske
>>>>>
>>>>> _______________________________________________
>>>>> nginx mailing list
>>>>> nginx at nginx.org
>>>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>>>>

-- 
Andrew Hutchings (LinuxJedi)
Senior Developer Advocate, Nginx Inc.
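A small added check, not part of this thread or of nginx, that wraps the s_client probe from the reply above and reports whether h2 was negotiated via ALPN, via the NPN fallback, or not at all. It assumes s_client prints the lines `ALPN protocol: h2`, `No ALPN negotiated` and `Next protocol: h2`, and the host and port arguments are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies how a server negotiated
# HTTP/2: via ALPN, via the NPN fallback nginx uses on pre-1.0.2 OpenSSL,
# or not at all. Assumes s_client's output lines "ALPN protocol: h2",
# "No ALPN negotiated" and "Next protocol: h2".

# Read s_client output on stdin; print "alpn", "npn" or "none".
classify_h2_negotiation() {
    awk '
        /^ALPN protocol: h2$/       { alpn = 1 }
        /^Next protocol: h2( |$)/   { npn = 1 }
        END {
            if (alpn)     print "alpn"
            else if (npn) print "npn"
            else          print "none"
        }'
}

# Probe a live server (host and port are placeholders), offering h2 over
# both ALPN and NPN so the fallback case is visible too. Exit status:
# 0 = ALPN, 1 = NPN only (the docs say this is not guaranteed to work),
# 2 = no h2 negotiated at all.
check_h2_host() {
    host="$1"
    port="${2:-443}"
    result=$(echo | openssl s_client -alpn h2 -nextprotoneg h2 \
        -servername "$host" -connect "$host:$port" 2>/dev/null \
        | classify_h2_negotiation)
    echo "$host:$port h2 negotiation: $result"
    case "$result" in
        alpn) return 0 ;;
        npn)  return 1 ;;
        *)    return 2 ;;
    esac
}

# Constructed sample outputs (not real captures) for an offline check.
SAMPLE_ALPN='---
ALPN protocol: h2
SSL-Session:'
SAMPLE_NPN='---
Next protocol: h2
No ALPN negotiated
SSL-Session:'
SAMPLE_NONE='---
No ALPN negotiated
SSL-Session:'
```

Run `check_h2_host your.host.example` against a live nginx to see which extension carried the negotiation; an "npn" result on RHEL 7.1's OpenSSL 1.0.1e is the situation the thread describes.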
