On behalf of my employer, Apcera Inc, we are delighted to make available
a new Nginx module, providing for a start-up OpenSSL version check for
those who wish for a little more belt&braces protection.
The README.md file explains the rationale. The simplest configuration
is to make no configuration change, so that you just get a log message
to the error log at notice level, at start-up, stating which version of
OpenSSL the code was built against and which was found at runtime.
The most complicated configuration is to add one line to your
configuration in the global section:
With this, if the runtime library loaded in is not at least of this
level, then there is a fatal configuration error and nginx will refuse
Dedicated to all those who have ever had to debug interactions between
setcap for net-bind privilege marked on a binary, the runtime linker,
concepts of what is or is not setuid and what is or is not safe in such
a situation and finding that not even the runtime linker will tell you
honestly which version of the library will actually be used, only
lsof(8) will, by showing which file was actually mmap’d into your
address space. Like many others, my Monday night was fun.
Regards, and may you sleep more soundly,
-Phil P., Apcera Inc.