Nginx + boringSSL

addis_a · July 14, 2014, 3:59am

I’ve started playing around with boringssl with nginx.

Mostly everything works except OCSP. Seems like either openssl 1.0.2
which boringssl was forked from does not have it, or the boringssl
folk ripped it out. I have not investigated.

Anyway, I’m please to report everything seems to work!

–

first boringssl

git clone boringssl - Git at Google
cd boringssl

for when building on openbsd, also enables -O2, boringssl is a debug

build by default
cat boringssl_openbsd.patch | patch -p1 -N -s
mkdir build && cd build && cmake …/ && cd …

setup stuff for nginx

mkdir -p .openssl/lib
ln -s include .openssl/
cp build/crypto/libcrypto.a build/ssl/libssl.a .openssl/lib

now for nginx

tar xvzf nginx-1.6.0.tar.gz
cd nginx-1.6.0
cat …/boringssl_nginx.patch | patch -p1 -N -s
./configure --with-openssl=…/boringssl …

update timestamp so nginx won’t try to build openssl

touch …/boringssl/.openssl/include/ssl.h
make

redroot · July 14, 2014, 12:48pm

Thanks for sharing

So SPDY/3.1 SSL works ?

Posted at Nginx Forum:

redroot · July 14, 2014, 10:27pm

On Mon, Jul 14, 2014 at 4:47 AM, George [email protected] wrote:

Thanks for sharing

So SPDY/3.1 SSL works ?

Yep, and so do CHACHA20_POLY130

redroot · July 22, 2014, 5:25am

Looks interesting

Alex H. [email protected]于2014年7月14日星期一写道：

git clone boringssl - Git at Google

now for nginx

tar xvzf nginx-1.6.0.tar.gz
cd nginx-1.6.0
cat …/boringssl_nginx.patch | patch -p1 -N -s
./configure --with-openssl=…/boringssl …

update timestamp so nginx won’t try to build openssl

touch …/boringssl/.openssl/include/ssl.h
make

–

Best Regards,
Harold Miao

redroot · July 29, 2014, 12:38am

On Sun, Jul 13, 2014 at 7:58 PM, Alex H. [email protected]
wrote:

I’ve started playing around with boringssl with nginx.
…
Anyway, I’m please to report everything seems to work!

Please find attached v2.

Changes:

use <openssl/opensslfeatures.h> for feature detection, its designed
to more or less be comptaible with libressl, so I suspect this patch
might work with libressl as well
fix depecreated use of RSA_generate_key(), the old patch just ripped
out calling this function
report an error if you try to set ssl_engine if OPENSSL_NO_ENGINE or
OPENSSL_NO_DYNAMIC_ENGINE, instead of just silently ignoring the
directive.
include <openssl/rand.h> if OPENSSL_VERSION >= 1.0.2

redroot · July 29, 2014, 11:52am

Everything is ok , but when add ssl module , such as:

./configure --with-openssl=…/boringssl --prefix=/srv1/nginx
–with-http_ssl_module

the make process is error , what can I do next ?

Thanks .

Posted at Nginx Forum:

redroot · July 31, 2014, 5:52am

Alex H. wrote:

boringssl compiled correctly.

go here and check info for boringssl: and it works; ive got chacha20
going

https://calomel.org/nginx.html

redroot · July 30, 2014, 10:06pm

On Tue, Jul 29, 2014 at 3:52 AM, sopato [email protected] wrote:

Everything is ok , but when add ssl module , such as:

./configure --with-openssl=…/boringssl --prefix=/srv1/nginx
–with-http_ssl_module

the make process is error , what can I do next ?

Can you paste the error? Also note, I’ve only tried it on OpenBSD but
I don’t see anything that would break it on say Linux. Assuming
boringssl compiled correctly.