Nginx HTTP/2 module (ALPN) TLS on RHEL 7.*

rikske at deds.nl rikske at deds.nl
Wed Sep 30 12:45:57 UTC 2015


Hi Andrew,

Thanks for your reply.

I am familiar with the command but had forgotten that if ALPN is not
supported by the OpenSSL client you also can't test it.

This sounds strange, but I thought my original command was not right,
because the program always arrived with all options.

The OpenSSL 1.0.1 client program returns no error and no report that ALPN
is not supported if you test ALPN with version 1.0.1.

At least I thought that this was supported by Red Hat.

But ALPN is not supported by Red Hat's EL7 OpenSSL implementation. That's
the answer to my question.

So I recompiled the Nginx SRPM with the latest OpenSSL and it's working now.

Andrew, Nginx is now compiled with version 1.0.2 and the server is still
running 1.0.1. This can't cause problems?

Thanks again Andrew,

Regards,

Rik Ske

> Hi,
>
> If you compiled with OpenSSL 1.0.2d then it should have ALPN, otherwise
> it will fall back to NPN. One way to test is with OpenSSL 1.0.2d:
>
> (echo | openssl s_client -alpn h2 -connect example.net:443) | grep ALPN
>
> This will respond with something like the following if it is supported:
>
> ALPN protocol: h2
>
> The warning you have flagged is only if OpenSSL doesn't support either
> NPN or ALPN. This means HTTP/2 and SPDY support isn't possible at all
> (i.e. OpenSSL < 1.0.1 or a custom build with NPN/ALPN disabled).
>
> Kind Regards
> Andrew
>
> On 28/09/15 19:13, rikske at deds.nl wrote:
>> Hi,
>>
>> I don't know.
>> Can't find anything about Nginx, OpenSSL ALPN and/or NPN in the logs.
>>
>> HTTP/2 seems to be running fine here according to my testing tools.
>> But there is nothing about ALPN or NPN.
>>
>> The only thing I can find in their code is that Nginx should warn the
>> user in case the end user doesn't provide a valid OpenSSL.
>> I can not reproduce that warning.
>>
>> So my question is still applicable.
>>
>> Is the Nginx HTTP/2 module using (ALPN) TLS on RHEL 7.*?
>>
>> Perhaps a Nginx developer can take a look at it?
>>
>> Thanks,
>>
>> +    if (lsopt->http2 && lsopt->ssl) {
>>          ngx_conf_log_error(NGX_LOG_WARN, cf, 0,
>> -                           "nginx was built without OpenSSL ALPN or NPN
>> "
>> -                           "support, SPDY is not enabled for %s",
>> lsopt->addr);
>> +                           "nginx was built with OpenSSL that lacks
>> ALPN "
>> +                           "and NPN support, HTTP/2 is not enabled for
>> %s",
>> +                           lsopt->addr);
>>      }
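Review bot: the hunk as quoted is incomplete and mail-wrapped, so it cannot be reviewed or applied as shown. The `+    if (lsopt->http2 && lsopt->ssl) {` line has no corresponding `-` line for the condition it replaces, yet the closing `}` appears as unchanged context, so the removed `if` line is missing from the quote; and the string literals have been wrapped mid-token (`"nginx was built without OpenSSL ALPN or NPN` followed by a bare `"` on the next line), which is not valid C. Please quote the hunk from the original commit, with the `-` line for the old condition included, so the change from the SPDY warning to the HTTP/2 warning can be checked line by line. On the visible part, gating the warning on `lsopt->ssl` is right: a plaintext `listen ... http2` needs neither ALPN nor NPN, so only TLS listeners should warn.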
>>
>>
>>> Like this?
>>>
>>> nginx version: nginx/1.9.5
>>> built by gcc 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC)
>>> built with OpenSSL 1.0.2d-fips 9 Jul 2015
>>> TLS SNI support enabled
>>> configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx
>>> --conf-path=/etc/nginx/nginx.conf
>>> --error-log-path=/var/log/nginx/error.log
>>> --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid
>>> --lock-path=/var/run/nginx.lock
>>> --http-client-body-temp-path=/var/cache/nginx/client_temp
>>> --http-proxy-temp-path=/var/cache/nginx/proxy_temp
>>> --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp
>>> --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp
>>> --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx
>>> --group=nginx --with-http_ssl_module --with-http_realip_module
>>> --with-http_addition_module --with-http_sub_module
>>> --with-http_dav_module --with-http_flv_module --with-http_mp4_module
>>> --with-http_gunzip_module --with-http_v2_module
>>> --with-http_image_filter_module --with-http_gzip_static_module
>>> --with-http_random_index_module --with-http_secure_link_module
>>> --with-http_stub_status_module --with-mail --with-mail_ssl_module
>>> --with-file-aio --with-ipv6 --with-cc-opt='-O2 -g -pipe -Wall
>>> -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
>>> --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic'
>>>
>>> Then how to test if I am already using ALPN? :)
>>>
>>> On 09/28/2015 10:15 PM, rikske at deds.nl wrote:
>>>> Hi,
>>>>
>>>> So what you're saying.
>>>>
>>>> Nginx HTTP/2 module won't work on RHEL 7.1 with (ALPN) TLS,
>>>> until you are using OpenSSL version 1.0.2 on RHEL 7.1 in any manner
>>>> whatsoever?
>>>>
>>>> Can anyone confirm this?
>>>>
>>>> Thanks,
>>>>
>>>> Regards,
>>>>
>>>> Rik Ske
>>>>
>>>>> Hello!
>>>>>
>>>>> On 09/28/2015 08:40 PM, rikske at deds.nl wrote:
>>>>>> Dear,
>>>>>>
>>>>>> Does the Nginx HTTP/2 module work on RHEL 7.1 with (ALPN) TLS?
>>>>>>
>>>>>> It seems like the HTTP/2 module is enabled by default in your RHEL 7.1
>>>>>> based rpm and srpm.
>>>>>>
>>>>>> Your Nginx website writes about:
>>>>>>
>>>>>> "Note that accepting HTTP/2 connections over TLS requires the
>>>>>> “Application-Layer Protocol Negotiation” (ALPN) TLS extension support,
>>>>>> which is available only since OpenSSL version 1.0.2. Using the “Next
>>>>>> Protocol Negotiation” (NPN) TLS extension for this purpose
>>>>>> (available since OpenSSL version 1.0.1) is not guaranteed."
>>>>>>
>>>>>> RHEL 7.1 is using OpenSSL 1.0.1e with a whole bunch of patches and
>>>>>> backports.
>>>>>>
>>>>>> Can't find anything in the changelog of RHEL 7.1's OpenSSL about ALPN.
>>>>>> The only thing i can find is "Support for Application Layer Protocol
>>>>>> Negotiation (ALPN) has been added." in RHEL's GnuTLS.
>>>>>
>>>>> Yes, RHEL is using openssl 1.0.1e-42. But I've compiled using openssl
>>>>> 1.0.2d + crypto-policies under CentOS 7, and it was successfully
>>>>> deployed on my sandbox.
>>>>>
>>>>> The rpm was compiled on fedora22, and ported to el7 using mock.
>>>>>
>>>>> https://gitlab.com/antituhan/rpms/tree/master.
>>>>> $ openssl version
>>>>> OpenSSL 1.0.2d-fips 9 Jul 2015
>>>>> $ uname -a
>>>>> Linux <removed> 3.10.0-229.14.1.el7.x86_64 #1 SMP Tue Sep 15 15:05:51
>>>>> UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
>>>>>
>>>>> Enjoy.
>>>>>
>>>>>
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Rik Ske
>>>>>>
>>>>>> _______________________________________________
>>>>>> nginx mailing list
>>>>>> nginx at nginx.org
>>>>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>>>>>
>>>>>
>>>>
>>>>
>>
>>
>
> --
> Andrew Hutchings (LinuxJedi)
> Senior Developer Advocate, Nginx Inc.
>

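The thread's test (Andrew's `openssl s_client -alpn h2 ... | grep ALPN`) and Rik's observation that a client without ALPN support cannot test it can be combined into a small script. The following is an added example, not code from the thread or from the nginx project: it first checks that the local `openssl s_client` knows the `-alpn` option (assumed here to be detectable from the usage text it prints, which is the case for OpenSSL 1.0.2 and later and not for 1.0.1), then probes a host with SNI set and reports whether `h2` was negotiated. The `openssl` binary on `PATH` and the hostname are the only inputs; the sample s_client output used to exercise the parser is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a TLS endpoint
# negotiates HTTP/2 via ALPN, after confirming the local openssl client
# can send the ALPN extension at all (an OpenSSL 1.0.1 client cannot).

# Does the local s_client know the -alpn option? OpenSSL 1.0.2+ lists it
# in its usage text, 1.0.1 does not. Assumption: the usage text may go to
# stdout or stderr, hence 2>&1.
client_supports_alpn() {
    openssl s_client -help 2>&1 | grep -q -- '-alpn'
}

# Extract the negotiated protocol from s_client output read on stdin.
# Prints the protocol name (e.g. "h2"), or "none" when s_client printed
# "No ALPN negotiated" or no ALPN line at all.
alpn_protocol_from_output() {
    proto=$(sed -n 's/^ALPN protocol: *//p' | head -n 1)
    if [ -n "$proto" ]; then
        printf '%s\n' "$proto"
    else
        printf 'none\n'
    fi
}

# Probe HOST [PORT]. Exit status: 0 = h2 negotiated, 1 = server did not
# select h2, 2 = local client cannot test ALPN, 3 = connection failed.
check_h2() {
    host=$1
    port=${2:-443}
    if ! client_supports_alpn; then
        echo "openssl s_client lacks -alpn; cannot test ALPN (need OpenSSL >= 1.0.2)" >&2
        return 2
    fi
    # -servername sends SNI so the intended nginx server block answers;
    # "echo |" closes stdin so s_client exits after the handshake.
    out=$(echo | openssl s_client -alpn h2 -servername "$host" \
              -connect "$host:$port" 2>/dev/null) || return 3
    proto=$(printf '%s\n' "$out" | alpn_protocol_from_output)
    if [ "$proto" = "h2" ]; then
        echo "$host:$port: ALPN negotiated h2"
        return 0
    fi
    echo "$host:$port: no h2 via ALPN (got: $proto)"
    return 1
}

# Usage: sh check_alpn.sh example.net [443]
if [ $# -gt 0 ]; then
    check_h2 "$@"
fi
```

Exit status 2 is the case Rik hit: the probe is meaningless when the client side cannot offer ALPN, so the script refuses to report "no h2" in that situation rather than blaming the server.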