Nginx LibreSSL and BoringSSL alternative to OpenSSL?

Currently on CentOS 6/7, I source compile my Nginx 1.9.x versions with
static OpenSSL 1.02a patched for chacha20_poly1305, but am thinking about
switching to LibreSSL or BoringSSL (for equal preference group cipher
support).

The question I have is: is anyone else using Nginx with LibreSSL or
BoringSSL on CentOS/RedHat? Any issues that needed working around, or any
features lost? e.g. BoringSSL and OCSP stapling support etc.?

Recommended steps for compilation with Nginx?

thanks

George

Posted at Nginx Forum:

Hi,

nginx + libressl works without any issues; we have had it running since
last summer and have seen no problems so far, but haven't tested
it with 1.8.x though.

The following explains how to do it:
https://8ack.de/guides/nginx-libressl-first-test

cheers,

mex

Posted at Nginx Forum:

Thanks. Seems with LibreSSL 2.1.6 you no longer need the steps for creating
.openssl/lib, copying files to that directory and symlinking to make it
work.

Seems it works on Nginx 1.9.1 with LibreSSL 2.1.6, sweet!

nginx -V
nginx version: nginx/1.9.1
built by gcc 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC)
built with LibreSSL 2.1.6
TLS SNI support enabled
configure arguments: --with-ld-opt='-lrt -ljemalloc -Wl,-z,relro
-Wl,-rpath,/usr/local/lib' --with-cc-opt='-m64 -mtune=native -g -O2
-fstack-protector --param=ssp-buffer-size=4 -Wformat
-Werror=format-security
-Wp,-D_FORTIFY_SOURCE=2' --sbin-path=/usr/local/sbin/nginx
--conf-path=/usr/local/nginx/conf/nginx.conf --with-http_ssl_module
--with-http_gzip_static_module --with-http_stub_status_module
--with-http_sub_module --with-http_addition_module
--with-http_image_filter_module --with-http_secure_link_module
--with-http_flv_module --with-http_realip_module
--with-http_geoip_module
--with-openssl-opt=enable-tlsext
--add-module=…/ngx-fancyindex-ngx-fancyindex
--add-module=…/ngx_cache_purge-2.3
--add-module=…/headers-more-nginx-module-0.25
--add-module=…/nginx-accesskey-2.0.3
--add-module=…/nginx-http-concat-master --with-http_dav_module
--add-module=…/nginx-dav-ext-module-0.0.3
--add-module=…/openresty-memc-nginx-module-1518da4
--add-module=…/openresty-srcache-nginx-module-ffa9ab7
--add-module=…/ngx_devel_kit-0.2.19
--add-module=…/set-misc-nginx-module-0.28
--add-module=…/echo-nginx-module-0.57
--add-module=…/lua-nginx-module-0.9.16rc1
--add-module=…/lua-upstream-nginx-module-0.02
--add-module=…/lua-upstream-cache-nginx-module-0.1.1
--add-module=…/nginx_upstream_check_module-0.3.0
--add-module=…/nginx-module-vts --with-openssl=…/portable-2.1.6
--with-libatomic --with-threads --with-stream --with-stream_ssl_module
--with-pcre=…/pcre-8.37 --with-pcre-jit --with-http_spdy_module
--add-module=…/ngx_pagespeed-release-1.9.32.3-beta

Posted at Nginx Forum:
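The `nginx -V` listing above is the evidence that the rebuild really picked up LibreSSL rather than the system OpenSSL, and that the hardening flags (relro, stack protector, FORTIFY_SOURCE) survived the new configure line. The following POSIX sh script is an added example, not code from the thread or from the nginx or LibreSSL projects: it audits that output so the check can be scripted after every rebuild. The sample text is constructed from the listing above (trimmed to the relevant flags); in practice you feed it `nginx -V 2>&1`.

```shell
#!/bin/sh
# Added example: audit `nginx -V` output after rebuilding nginx against a
# different TLS library (LibreSSL/BoringSSL/OpenSSL). Confirms which library
# the binary reports and that the hardening flags are still in the configure
# arguments. Sample below is CONSTRUCTED from the thread's own listing.

SAMPLE_NGINX_V="nginx version: nginx/1.9.1
built by gcc 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC)
built with LibreSSL 2.1.6
TLS SNI support enabled
configure arguments: --with-ld-opt='-lrt -ljemalloc -Wl,-z,relro' --with-cc-opt='-fstack-protector --param=ssp-buffer-size=4 -Wp,-D_FORTIFY_SOURCE=2' --with-http_ssl_module --with-openssl=../portable-2.1.6"

# tls_library "<nginx -V text>": prints the library and version from the
# "built with" line (e.g. "LibreSSL 2.1.6"); returns 1 if no such line.
tls_library() {
    printf '%s\n' "$1" | sed -n 's/^built with \(.*\)$/\1/p' | grep .
}

# has_configure_flag "<text>" "<flag>": 0 if the flag appears on the
# "configure arguments:" line, 1 otherwise. Substring match, so
# "-D_FORTIFY_SOURCE=2" also matches "-Wp,-D_FORTIFY_SOURCE=2".
has_configure_flag() {
    printf '%s\n' "$1" | grep '^configure arguments:' | grep -q -- "$2"
}

# sni_enabled "<text>": 0 if nginx reports TLS SNI support, 1 otherwise.
sni_enabled() {
    printf '%s\n' "$1" | grep -q '^TLS SNI support enabled$'
}

# audit_build "<text>" "<expected library prefix>": prints one line per
# check and returns the number of failed checks (0 means all passed).
audit_build() {
    text=$1; expected=$2; failures=0
    if lib=$(tls_library "$text"); then
        case $lib in
            "$expected"*) echo "ok:   TLS library is $lib" ;;
            *) echo "FAIL: expected $expected, binary reports '$lib'"
               failures=$((failures + 1)) ;;
        esac
    else
        echo "FAIL: no 'built with' line in nginx -V output"
        failures=$((failures + 1))
    fi
    if sni_enabled "$text"; then
        echo "ok:   TLS SNI support enabled"
    else
        echo "FAIL: TLS SNI support not reported"; failures=$((failures + 1))
    fi
    # Flags that should never silently drop out of a rebuilt binary.
    for flag in --with-http_ssl_module -Wl,-z,relro -fstack-protector -D_FORTIFY_SOURCE=2; do
        if has_configure_flag "$text" "$flag"; then
            echo "ok:   $flag present"
        else
            echo "FAIL: $flag missing"; failures=$((failures + 1))
        fi
    done
    return $failures
}

# Stand-alone demo against the constructed sample. For a real binary:
#   audit_build "$(nginx -V 2>&1)" LibreSSL
audit_build "$SAMPLE_NGINX_V" LibreSSL
```

The library check is a prefix match on purpose: pass `LibreSSL` to accept any LibreSSL version, or `LibreSSL 2.1.6` to pin the exact one you built from. A non-zero return value is the number of failed checks, so the script drops straight into a deployment pipeline that refuses to ship a binary that quietly fell back to the distro OpenSSL.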

Tested fine with ECC 256 bit and RSA 2048 bit SSL and chacha20_poly1305:
https://community.centminmod.com/threads/nginx-and-libressl-alternative-to-openssl.3146/

Posted at Nginx Forum:

Thank you for your comment; I'll re-test with 1.8 and adjust the
document accordingly.

I think the config workaround is obsolete too.

cheers,

mex

Posted at Nginx Forum: