Nginx + LibreSSL - a first test

https://www.mare-system.de/blog/page/1405201517/

Summary

It works.

While it is not recommended to substitute OpenSSL with LibreSSL at this
early stage, I wanted to test if it is possible. And it is. There are no
functional or performance issues, as far as I can test, and building
nginx + libressl is easy, once you have figured out how to do it. The
advantages of using LibreSSL in the long run, from my point of view:

  • cleaner code
  • less bugs
  • more people involved

p.s.: please forgive those typos and bad English; I wanted to get this
out before the final final today, QA has to wait :smiley:

regards,

mex

Posted at Nginx Forum:

Hello!

On Sun, Jul 13, 2014 at 09:22:39AM -0400, mex wrote:

> https://www.mare-system.de/blog/page/1405201517/

Just a quick comment: OpenSSL’s libs under “.openssl/” aren’t a
result of OpenSSL’s behaviour, but rather a result of the “make
install” nginx calls (and the “.openssl” install prefix it
instructs OpenSSL to use).

>   • cleaner code
>   • less bugs
>   • more people involved

Cool.

I personally think that LibreSSL has at least one major advantage:
coding style looks much better/readable. :slight_smile:

> p.s.: please forgive those typos and bad English; I wanted to get this
> out before the final final today, QA has to wait :smiley:

Good luck! :slight_smile:


Maxim D.
http://nginx.org/

> Just a quick comment: OpenSSL’s libs under “.openssl/” aren’t a
> result of OpenSSL’s behaviour, but rather a result of the “make
> install” nginx calls (and the “.openssl” install prefix it
> instructs OpenSSL to use).

maybe we can have a --with-libressl=/path/to/libressl
or something more generic soon? I think
libressl/boringssl are here to stay


> > libressl is easy, once you have figured out how to do it. The
> > advantages of using LibreSSL in the long run, from my point of view:
> >
> >   • cleaner code

> Good luck! :slight_smile:

mission accomplished, hehe :slight_smile:

regards,

mex


Hello!

On Mon, Jul 14, 2014 at 08:30:00AM -0400, mex wrote:

> > Just a quick comment: OpenSSL’s libs under “.openssl/” aren’t a
> > result of OpenSSL’s behaviour, but rather a result of the “make
> > install” nginx calls (and the “.openssl” install prefix it
> > instructs OpenSSL to use).

> maybe we can have a --with-libressl=/path/to/libressl
> or something more generic soon? I think
> libressl/boringssl are here to stay

May be, but it’s not something required - it’s just an interface
to simplify builds. And in any case we should give them some time
to stabilize.

[…]

> > Good luck! :slight_smile:

> mission accomplished, hehe :slight_smile:

Congratulations! :slight_smile:


Maxim D.
http://nginx.org/

Hey,

> Summary
>
> It works.

…only with versions older than nginx-1.7.0; you need a small patch
(attached) in order to compile nginx-mainline against LibreSSL,
because LibreSSL developers decided that LibreSSL is OpenSSL-2.0.0…
I didn’t send this patch to nginx-devel@ yet, because I’m still trying
to convince them that LibreSSL should present itself as OpenSSL-1.0.1,
in which case no changes to nginx would be necessary.

Best regards,
Piotr S.

updated: static version and new perftests included

https://www.mare-system.de/blog/page/1405201517/

regards,

mex


Piotr S. Wrote:

> to convince them that LibreSSL should present itself as OpenSSL-1.0.1,
> in which case no changes to nginx would be necessary.

not just nginx, but maybe other software too that got used to that
versioning scheme.

just checked opensslv.h, and it is different in 2.0.1 from 2.0.0:

#define LIBRESSL_VERSION_NUMBER 0x20000000L
#define OPENSSL_VERSION_NUMBER 0x20000000L

I don’t know what happens when changing
#define OPENSSL_VERSION_NUMBER 0x10002002L

the openssl binary compiles fine, but I cannot check with nginx-mainline
right now, maybe later

thanks for the patch!

regards,

mex


Hello!

On Tue, Jul 15, 2014 at 02:17:02AM -0700, Piotr S. wrote:

> to convince them that LibreSSL should present itself as OpenSSL-1.0.1,
> in which case no changes to nginx would be necessary.

BTW, this is what was done in FreeBSD port of LibreSSL:

http://svnweb.freebsd.org/ports/head/security/libressl/files/patch-include-openssl-opensslv.h?view=log

It looks like a proper way to go.


Maxim D.
http://nginx.org/

Hey,

> just checked opensslv.h, and it is different in 2.0.1 from 2.0.0:
>
> #define LIBRESSL_VERSION_NUMBER 0x20000000L
> #define OPENSSL_VERSION_NUMBER 0x20000000L

They’ve added this as a way to differentiate between OpenSSL and
LibreSSL.

> I don’t know what happens when changing
> #define OPENSSL_VERSION_NUMBER 0x10002002L

It should be the version they forked from (i.e. 0x1000107fL).

Multiple people have complained about the OPENSSL_VERSION_NUMBER
change, so hopefully they’ll change it back… If not, then we can
always apply the patch I provided.

Best regards,
Piotr S.
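The version-number discussion in mex's and Piotr's posts above, worked through as an added example. This is not code from the thread, from nginx or from LibreSSL: the `0xMNNFFPPS` layout (major, minor, fix, patch letter, status nibble) is OpenSSL's documented 1.x encoding, the three constants are the values quoted in the thread, and `naive_has_102_api` / `careful_has_102_api` are hypothetical guards modelled at runtime in the style of the `#if OPENSSL_VERSION_NUMBER >= ...` checks that software like nginx-mainline compiles against, not nginx's own source. Passing `0` as the LibreSSL version stands for `LIBRESSL_VERSION_NUMBER` being undefined. It shows why `0x20000000L` satisfies every "1.0.2 or newer" check even though LibreSSL 2.0.x, as it stood at the time of the thread, only carries the 1.0.1g API it forked from.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed names for the constants quoted in the thread. */
#define LIBRESSL_REPORTED_VERSION 0x20000000L  /* OPENSSL_VERSION_NUMBER as LibreSSL 2.0.x defines it */
#define OPENSSL_FORK_POINT        0x1000107fL  /* OpenSSL 1.0.1g, the release LibreSSL forked from */
#define OPENSSL_102_BETA2         0x10002002L  /* the value mex experimented with */

struct ossl_version {
    int major, minor, fix, patch, status;
};

/* Split OpenSSL's 0xMNNFFPPS encoding into its fields. */
static struct ossl_version decode_version(long v)
{
    struct ossl_version r;
    r.major  = (int)((v >> 28) & 0xf);
    r.minor  = (int)((v >> 20) & 0xff);
    r.fix    = (int)((v >> 12) & 0xff);
    r.patch  = (int)((v >> 4) & 0xff);   /* 0 = none, 1 = 'a', 2 = 'b', ... */
    r.status = (int)(v & 0xf);           /* 0 = dev, 1..14 = beta n, 15 = release */
    return r;
}

/* Render a version number as the familiar "1.0.1g" / "1.0.2-beta2" text. */
static const char *format_version(long v, char *buf, size_t n)
{
    struct ossl_version r = decode_version(v);
    char suffix[16] = "";

    if (r.status == 0xf) {
        if (r.patch > 0)
            snprintf(suffix, sizeof suffix, "%c", 'a' + r.patch - 1);
    } else if (r.status == 0) {
        snprintf(suffix, sizeof suffix, "-dev");
    } else {
        snprintf(suffix, sizeof suffix, "-beta%d", r.status);
    }
    snprintf(buf, n, "%d.%d.%d%s", r.major, r.minor, r.fix, suffix);
    return buf;
}

/* Hypothetical guard in the style of "#if OPENSSL_VERSION_NUMBER >= 0x10002000L":
 * it assumes the 1.0.2 API is present once the version claims 1.0.2 or newer.
 * LibreSSL's 0x20000000L passes this test although the API is missing. */
static bool naive_has_102_api(long openssl_version)
{
    return openssl_version >= 0x10002000L;
}

/* The same guard, LibreSSL-aware.  libressl_version == 0 stands for
 * LIBRESSL_VERSION_NUMBER not being defined; any other value means the
 * library is LibreSSL 2.0.x, which carries the 1.0.1 API it forked from
 * regardless of what OPENSSL_VERSION_NUMBER claims. */
static bool careful_has_102_api(long openssl_version, long libressl_version)
{
    if (libressl_version != 0)
        return false;
    return openssl_version >= 0x10002000L;
}

int main(void)
{
    char buf[32];
    const long libs[] = { OPENSSL_FORK_POINT, OPENSSL_102_BETA2, LIBRESSL_REPORTED_VERSION };
    const long libressl_marker[] = { 0, 0, LIBRESSL_REPORTED_VERSION };
    size_t i;

    for (i = 0; i < sizeof libs / sizeof libs[0]; i++) {
        printf("%-12s naive guard selects: %s API   LibreSSL-aware guard selects: %s API\n",
               format_version(libs[i], buf, sizeof buf),
               naive_has_102_api(libs[i]) ? "1.0.2" : "1.0.1",
               careful_has_102_api(libs[i], libressl_marker[i]) ? "1.0.2" : "1.0.1");
    }
    return 0;
}
```

The practical consequence is the one Piotr describes: a build that gates code paths on `OPENSSL_VERSION_NUMBER` alone picks the 1.0.2 branch for LibreSSL 2.0.x and fails to compile (or, worse, compiles against assumptions the library does not meet), while either reporting the fork-point value `0x1000107fL` or checking `LIBRESSL_VERSION_NUMBER` first keeps the guard honest.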