Issues building Nginx using boringssl
Jeffrey Walton
noloader at gmail.com
Tue Feb 20 06:02:20 UTC 2024
On Tue, Feb 20, 2024 at 12:23 AM 杨金泽 <rttwyjz at gmail.com> wrote:
>
> I encountered the following error when using boringssl to build Nginx:
> checking for OpenSSL library ... not found
> checking for OpenSSL library in /usr/local/ ... not found
> checking for OpenSSL library in /usr/pkg/ ... not found
> checking for OpenSSL library in /opt/local/ ... not found
> ./auto/configure: error: SSL modules require the OpenSSL library.
> You can either do not enable the modules, or install the OpenSSL library
> into the system, or build the OpenSSL library statically from the source
> with nginx by using --with-openssl=<path> option.
>
> At first I thought it was caused by openssl not existing, but when I ran openssl version -a, everything was normal:
> root at iZ2hmeokcpbj42Z ~/nginx # openssl version -a
> OpenSSL 3.0.11 19 Sep 2023 (Library: OpenSSL 3.0.11 19 Sep 2023)
> built on: Mon Oct 23 17:52:22 2023 UTC
> platform: debian-amd64
> options: bn(64,64)
> compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -fzero-call-used-regs=used-gpr -DOPENSSL_TLS_SECURITY_LEVEL=2 -Wa,--noexecstack -g -O2 -ffile-prefix-map= /build/reproducible-path/openssl-3.0.11=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
> OPENSSLDIR: "/usr/lib/ssl"
> ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-3"
> MODULESDIR: "/usr/lib/x86_64-linux-gnu/ossl-modules"
> Seeding source: os-specific
> CPUINFO: OPENSSL_ia32cap=0xfffa32035f8bffff:0xd01e4fbb
>
> Later my friend and I discovered that the latest boringssl compatible OpenSSL version seems to have been upgraded to 3.2.x, but I am not sure if this is the problem. The final solution was to switch to https://github.com/google/boringssl/commit/c39e6cd9ec5acebb6de2adffc03cfe03b07f08ab this commit. But I don't think switching to a previous commit to build is a perfect solution, so I'd like to ask for some help.
>
> My build steps are as follows:
> apt update
> apt install build-essential ca-certificates zlib1g-dev libpcre3 libpcre3-dev tar unzip libssl-dev wget curl git cmake ninja-build mercurial libunwind-dev pkg-config
>
> git clone https://github.com/google/boringssl.git
> cd boringssl
> mkdir build
> cd build
> cmake -GNinja ..
> ninja
> cd ../..
>
> git clone --recurse-submodules -j8 https://github.com/google/ngx_brotli
> cd ngx_brotli/deps/brotli
> mkdir out && cd out
> cmake -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=OFF -DCMAKE_C_FLAGS="-Ofast -m64 -march=native -mtune=native -flto -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" -DCMAKE_CXX_FLAGS="-Ofast -m64 -march=native -mtune=native -flto -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" -DCMAKE_INSTALL_PREFIX=./installed ..
> cmake --build . --config Release --target brotlienc
> cd ../../../..
>
> hg clone https://hg.nginx.org/nginx
> cd nginx
> ./auto/configure --user=www --group=www --prefix=/www/server/nginx --with-pcre --add-module=/root/ngx_brotli --with-http_v2_module --with-stream --with-stream_ssl_module --with-http_ssl_module --with-http_gzip_static_module --with-http_gunzip_module --with-http_sub_module --with-http_flv_module --with-http_addition_module --with-http_realip_module --with-http_mp4_module --with-ld-opt=-Wl,-E --with-cc-opt=-Wno-error --with-ld-opt=-ljemalloc --with-http_dav_module --with-http_v3_module --with-cc-opt=-I ../boringssl/include --with-ld-opt='-L../boringssl/build/ssl -L../boringssl/build/crypto'
> make
> make install
>
> System information:
> checking for OS
> + Linux 6.1.0-18-amd64 x86_64
> checking for C compiler ... found
> + using GNU C compiler
> + gcc version: 12.2.0 (Debian 12.2.0-14)

This does not look correct to me, based on my knowledge of OpenSSL. (I
don't have experience with BoringSSL):

    --with-ld-opt='-L../boringssl/build/ssl -L../boringssl/build/crypto'

You are trying to link two OpenSSL-compatible libraries. They are
libcrypto.{a|so}, and libssl.{a|so}. Those artifacts are usually
placed in a lib/ directory, not in separate ssl/ and crypto/
directories. (Two separate directories may be a BoringSSL-ism).

So I believe the proper flag would be similar to:

    --with-ld-opt='-L../boringssl/build/lib'

You should also consider using the following option so the library
used at runtime is the same library used at compile and link time:

    -Wl,-rpath=../boringssl/build/lib -Wl,--enable-new-dtags

But you should change ../boringssl/build/lib to the full path, and not
use the relative path.

Also see <https://wiki.openssl.org/index.php/Compilation_and_Installation#Using_RPATHs>
or the BoringSSL equivalent document.

Jeff
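
Added example, not part of the original messages and not nginx or BoringSSL code: a shell helper that finds where a build tree actually placed libssl and libcrypto and prints the -L and -Wl,-rpath options with absolute paths, following the advice in the reply above. The function names lib_dir and ssl_ld_opts are hypothetical, and the helper assumes the paths contain no spaces.

```shell
#!/bin/sh
# Added example: locate libssl/libcrypto in a build tree and print linker
# options that use absolute paths. lib_dir and ssl_ld_opts are hypothetical
# helper names. Assumes paths contain no spaces.

# Print the absolute directory holding lib<name>.a or lib<name>.so under $1.
# Returns 1 when neither file exists anywhere in the tree.
lib_dir() {
    root=$1 name=$2
    hit=$(find "$root" \( -name "lib$name.a" -o -name "lib$name.so" \) \
          2>/dev/null | sort | head -n 1)
    [ -n "$hit" ] || return 1
    (cd "$(dirname "$hit")" && pwd -P)
}

# Print a value suitable for nginx's --with-ld-opt for the tree in $1.
# An rpath is added only for a directory that holds a shared object,
# because a static archive is not loaded at run time.
ssl_ld_opts() {
    root=$1 opts="" seen=""
    for name in ssl crypto; do
        dir=$(lib_dir "$root" "$name") || {
            echo "lib$name not found under $root" >&2
            return 1
        }
        # Emit each directory once, even if both libraries live in it.
        case " $seen " in *" $dir "*) continue ;; esac
        seen="$seen $dir"
        opts="$opts -L$dir"
        if [ -e "$dir/libssl.so" ] || [ -e "$dir/libcrypto.so" ]; then
            opts="$opts -Wl,-rpath=$dir -Wl,--enable-new-dtags"
        fi
    done
    echo "${opts# }"
}

# Usage: sh this_script.sh /path/to/boringssl/build
if [ "$#" -gt 0 ]; then
    ssl_ld_opts "$1"
fi
```

If the helper reports a library as not found, the build tree does not contain it under that name, and configure's "OpenSSL library ... not found" check fails for the same reason.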