Building mesalink as drop-in replacement for nginx

Open kevinburke1 opened this issue 4 years ago • 2 comments

Hi, I'm trying to compile nginx using mesalink as the replacement for OpenSSL.

I've compiled mesalink using the following:

mkdir out
./autogen.sh --prefix=$(pwd)/out
make && make install

Then compile nginx (sources available at github.com/nginx/nginx) with the following options:

./auto/configure --with-http_ssl_module \
    --with-cc-opt="-I/path/to/mesalock-linux/mesalink/out/include/mesalink -I/path/to/mesalock-linux/mesalink/out/include" \
    --with-ld-opt="-L/path/to/mesalock-linux/mesalink/out/lib"

I get the following error:

./auto/configure: error: SSL modules require the OpenSSL library.
You can either do not enable the modules, or install the OpenSSL library
into the system, or build the OpenSSL library statically from the source
with nginx by using --with-openssl=<path> option.

If you read through objs/autoconf.err you get:

checking for OpenSSL library in /usr/local/

objs/autotest.c:7:5: error: implicit declaration of function 'SSL_CTX_set_options' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
    SSL_CTX_set_options(NULL, 0);
    ^
1 error generated.
----------

#include <sys/types.h>
#include <unistd.h>
#include <openssl/ssl.h>

int main(void) {
    SSL_CTX_set_options(NULL, 0);
    return 0;
}

----------
cc -pipe -I/path/to/mesalock-linux/mesalink/out/include/mesalink -I/path/to/mesalock-linux/mesalink/out/include -D__APPLE_USE_RFC_3542 -I /usr/local/include -o objs/autotest objs/autotest.c -L/path/to/mesalock-linux/mesalink/out/lib -L/usr/local/lib -lssl -lcrypto

I searched for SSL_CTX_set_options in mesalink source code and issues, but I couldn't find anything. Any idea how to get past this? Do I need to define a shim .h file or something?

Updates #12.

kevinburke1 avatar Feb 10 '21 05:02 kevinburke1

If I'm understanding this right we'd need to implement SSL_CTX_set_options and define/implement all of the bit fields that can be set, or make them no-ops if not supported. Here are all of the uses in nginx.

src/mail/ngx_mail_ssl_module.c:468:        SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET);
src/stream/ngx_stream_ssl_module.c:819:        SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET);
src/http/modules/ngx_http_ssl_module.c:914:        SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET);
src/event/ngx_event_openssl.c:285:    SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_SESS_ID_BUG);
src/event/ngx_event_openssl.c:289:    SSL_CTX_set_options(ssl->ctx, SSL_OP_NETSCAPE_CHALLENGE_BUG);
src/event/ngx_event_openssl.c:295:    SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);
src/event/ngx_event_openssl.c:299:    SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);
src/event/ngx_event_openssl.c:304:    SSL_CTX_set_options(ssl->ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING);
src/event/ngx_event_openssl.c:308:    SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG);
src/event/ngx_event_openssl.c:312:    SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_D5_BUG);
src/event/ngx_event_openssl.c:316:    SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_BLOCK_PADDING_BUG);
src/event/ngx_event_openssl.c:320:    SSL_CTX_set_options(ssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
src/event/ngx_event_openssl.c:323:    SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
src/event/ngx_event_openssl.c:332:        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2);
src/event/ngx_event_openssl.c:335:        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3);
src/event/ngx_event_openssl.c:338:        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1);
src/event/ngx_event_openssl.c:343:        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
src/event/ngx_event_openssl.c:349:        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
src/event/ngx_event_openssl.c:355:        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
src/event/ngx_event_openssl.c:370:    SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
src/event/ngx_event_openssl.c:374:    SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_ANTI_REPLAY);
src/event/ngx_event_openssl.c:378:    SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_CLIENT_RENEGOTIATION);
src/event/ngx_event_openssl.c:859:        SSL_CTX_set_options(ssl->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
src/event/ngx_event_openssl.c:1388:    SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_ECDH_USE);
src/event/ngx_event_openssl.c:1432:    SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_ECDH_USE);

kevinburke1 avatar Feb 10 '21 06:02 kevinburke1
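Added example, not code from mesalink or nginx: a small C model of what an `SSL_CTX_set_options()` shim would have to provide for the call sites listed above. It keeps OpenSSL's contract (OR the requested bits into the context, return the accumulated mask), separates bits the hypothetical backend really enforces from bits that are safe to accept as no-ops, and records every bit that falls into neither group, because silently dropping something like `SSL_OP_NO_TLSv1` would turn nginx's `ssl_protocols` directive into a no-op without any configure-time error. All `SHIM_*` names and bit values are constructed for this example and do not match OpenSSL's real assignments, and the enforced/inherent split is an assumption about a rustls-style backend, not a statement about what mesalink supports.

```c
/* shim_options.c: hypothetical SSL_CTX_set_options()-style shim (constructed example). */
#include <stddef.h>
#include <stdio.h>

/* Option bits named after OpenSSL's SSL_OP_* constants but with constructed
   values; they are NOT OpenSSL's real bit assignments. */
#define SHIM_OP_NO_SSLv3                  0x0001UL
#define SHIM_OP_NO_TLSv1                  0x0002UL
#define SHIM_OP_NO_TLSv1_1                0x0004UL
#define SHIM_OP_NO_TLSv1_2                0x0008UL
#define SHIM_OP_NO_TLSv1_3                0x0010UL
#define SHIM_OP_NO_COMPRESSION            0x0020UL
#define SHIM_OP_NO_TICKET                 0x0040UL
#define SHIM_OP_CIPHER_SERVER_PREFERENCE  0x0080UL
#define SHIM_OP_SINGLE_DH_USE             0x0100UL
#define SHIM_OP_NO_CLIENT_RENEGOTIATION   0x0200UL

/* Bits the hypothetical backend genuinely enforces (assumption). */
#define SHIM_ENFORCED_MASK (SHIM_OP_NO_SSLv3 | SHIM_OP_NO_TLSv1 | SHIM_OP_NO_TLSv1_1 | \
                            SHIM_OP_NO_TLSv1_2 | SHIM_OP_NO_TLSv1_3 | SHIM_OP_NO_TICKET)
/* Bits that are safe to accept as no-ops because the backend never does the
   thing they disable (assumption for this example). */
#define SHIM_INHERENT_MASK (SHIM_OP_NO_COMPRESSION | SHIM_OP_SINGLE_DH_USE | \
                            SHIM_OP_NO_CLIENT_RENEGOTIATION)

/* Protocol versions as a bitmask. */
enum { SHIM_VER_SSLv3 = 1, SHIM_VER_TLSv1 = 2, SHIM_VER_TLSv1_1 = 4,
       SHIM_VER_TLSv1_2 = 8, SHIM_VER_TLSv1_3 = 16 };

typedef struct {
    unsigned long options;     /* accumulated option bits, as in OpenSSL */
    unsigned long unhonoured;  /* requested bits we can neither enforce nor safely ignore */
} shim_ssl_ctx;

/* Same contract as OpenSSL's SSL_CTX_set_options(): OR the bits in, return the new mask. */
unsigned long shim_ctx_set_options(shim_ssl_ctx *ctx, unsigned long op) {
    if (ctx == NULL)  /* nginx's configure probe compiles a call with NULL; tolerate it */
        return 0;
    ctx->unhonoured |= op & ~(SHIM_ENFORCED_MASK | SHIM_INHERENT_MASK);
    ctx->options |= op;
    return ctx->options;
}

unsigned long shim_ctx_get_options(const shim_ssl_ctx *ctx) {
    return ctx ? ctx->options : 0;
}

/* Versions the context would still negotiate once the NO_* bits are applied. */
unsigned shim_ctx_enabled_versions(const shim_ssl_ctx *ctx) {
    unsigned v = SHIM_VER_SSLv3 | SHIM_VER_TLSv1 | SHIM_VER_TLSv1_1 |
                 SHIM_VER_TLSv1_2 | SHIM_VER_TLSv1_3;
    unsigned long o = shim_ctx_get_options(ctx);
    if (o & SHIM_OP_NO_SSLv3)   v &= ~(unsigned)SHIM_VER_SSLv3;
    if (o & SHIM_OP_NO_TLSv1)   v &= ~(unsigned)SHIM_VER_TLSv1;
    if (o & SHIM_OP_NO_TLSv1_1) v &= ~(unsigned)SHIM_VER_TLSv1_1;
    if (o & SHIM_OP_NO_TLSv1_2) v &= ~(unsigned)SHIM_VER_TLSv1_2;
    if (o & SHIM_OP_NO_TLSv1_3) v &= ~(unsigned)SHIM_VER_TLSv1_3;
    return v;
}

/* Nonzero when the caller asked for a hardening option the backend cannot honour;
   a real shim should surface this (log, fail startup) rather than stay silent. */
int shim_ctx_has_unhonoured(const shim_ssl_ctx *ctx) {
    return ctx != NULL && ctx->unhonoured != 0;
}

/* Replay of the option sequence nginx issues in ngx_event_openssl.c for a
   configuration equivalent to "ssl_protocols TLSv1.2 TLSv1.3" (constructed
   from the grep output above; order follows the listed line numbers). */
unsigned long shim_demo_nginx_setup(shim_ssl_ctx *ctx) {
    ctx->options = 0;
    ctx->unhonoured = 0;
    shim_ctx_set_options(ctx, SHIM_OP_SINGLE_DH_USE);
    shim_ctx_set_options(ctx, SHIM_OP_NO_SSLv3);
    shim_ctx_set_options(ctx, SHIM_OP_NO_TLSv1);
    shim_ctx_set_options(ctx, SHIM_OP_NO_TLSv1_1);
    shim_ctx_set_options(ctx, SHIM_OP_NO_COMPRESSION);
    shim_ctx_set_options(ctx, SHIM_OP_NO_CLIENT_RENEGOTIATION);
    shim_ctx_set_options(ctx, SHIM_OP_CIPHER_SERVER_PREFERENCE);  /* not in either mask */
    return shim_ctx_set_options(ctx, SHIM_OP_NO_TICKET);
}

int main(void) {
    shim_ssl_ctx ctx;
    shim_demo_nginx_setup(&ctx);
    printf("options=0x%lx enabled_versions=0x%x unhonoured=%s\n",
           shim_ctx_get_options(&ctx), shim_ctx_enabled_versions(&ctx),
           shim_ctx_has_unhonoured(&ctx) ? "yes" : "no");
    return 0;
}
```

In the replayed sequence only `SHIM_OP_CIPHER_SERVER_PREFERENCE` lands in the unhonoured set, so the context ends up negotiating exactly TLS 1.2 and 1.3; the point of the audit mask is that a shim which simply returned success for every bit would report the same thing while possibly still offering the versions nginx was told to disable.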

Exactly! SSL_CTX_set_options() and a few X509 related APIs are needed. But some options may not be supported given the current rustls APIs.

On Tue, Feb 9, 2021 at 10:04 PM Kevin Burke [email protected] wrote:

If I'm understanding this right we'd need to implement SSL_CTX_set_options and define/implement all of the bit fields that can be set, or make them no-ops if not supported.


ymjing avatar Feb 12 '21 17:02 ymjing