Nginx with OpenSSL 1.1.1n

[Lukas Tribus]

On Sun, 27 Mar 2022 at 15:58, Sergey A. Osokin <osa at freebsd.org.ru> wrote:
>
> Hi,
>
> On Sun, Mar 27, 2022 at 02:04:10AM -0400, sukeerthiadiga wrote:
> > The Mainline version of Nginx i.e 1.12.6 has the OpenSSL version 1.1.1m and
> > it is vulnerable.
>
> That's a bit far from true.  NGINX, as many other products, depends on other
> open source software components, like openssl, pcre, zlib.  Library of those
> components are supported by an operating system vendor.  I'd recommend
> to contact to the vendor of a corresponding OS to get an update of a
> component.

Actually, nginx.org provides windows binaries with openssl statically
compiled in:

http://nginx.org/download/nginx-1.21.6.zip

C:\nginx-1.21.6>nginx -V
nginx version: nginx/1.21.6
built by cl 16.00.40219.01 for 80x86
built with OpenSSL 1.1.1m  14 Dec 2021
TLS SNI support enabled
configure arguments: --with-cc=cl --builddir=objs.msvc8 --with-debug
--prefix= --conf-path=conf/nginx.conf --pid-path=logs/nginx.pid
--http-log-path=logs/access.log --error-log-path=logs/error.log
--sbin-path=nginx.exe
--http-client-body-temp-path=temp/client_body_temp
--http-proxy-temp-path=temp/proxy_temp
--http-fastcgi-temp-path=temp/fastcgi_temp
--http-scgi-temp-path=temp/scgi_temp
--http-uwsgi-temp-path=temp/uwsgi_temp --with-cc-opt=-DFD_SETSIZE=1024
--with-pcre=objs.msvc8/lib/pcre2-10.39
--with-zlib=objs.msvc8/lib/zlib-1.2.11 --with-http_v2_module
--with-http_realip_module --with-http_addition_module
--with-http_sub_module --with-http_dav_module
--with-http_stub_status_module --with-http_flv_module
--with-http_mp4_module --with-http_gunzip_module
--with-http_gzip_static_module --with-http_auth_request_module
--with-http_random_index_module --with-http_secure_link_module
--with-http_slice_module --with-mail --with-stream
--with-openssl=objs.msvc8/lib/openssl-1.1.1m
--with-openssl-opt='no-asm no-tests -D_WIN32_WINNT=0x0501'
--with-http_ssl_module --with-mail_ssl_module --with-stream_ssl_module

C:\nginx-1.21.6>


Lukas