Nginx LibreSSL and BoringSSL alternative to OpenSSL?

Currently on CentOS 6/7, I source compile my Nginx 1.9.x versions with
static OpenSSL 1.02a patched for chacha20_poly1305 but thinking about
switching to LibreSSL or BoringSSL (for equal preference group cipher

The question I have is anyone else using Nginx with LibreSSL or
BoringSSL on
CentOS/Redhat ? Any issues that needed working around or any features
lost ?
e.g. BoringSSL and OSCP stapling support etc ?

Recommended steps for compilation with Nginx ?



Posted at Nginx Forum:,259325,259325#msg-259325


nginx + libressl works without any issues; we have it running since
last summer and have seen no problems so far, but did not tested
it with 1.8.x though

the following explians how to do it:



Posted at Nginx Forum:,259325,259327#msg-259327

thanks seems with LibreSSL 2.1.6 no longer need the steps for creating
.openssl/lib and copying files to that directory and symlink to make it

seems it works on Nginx 1.9.1 with LibreSSL 2.1.6 sweet !

nginx -V
nginx version: nginx/1.9.1
built by gcc 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC)
built with LibreSSL 2.1.6
TLS SNI support enabled
configure arguments: --with-ld-opt=’-lrt -ljemalloc -Wl,-z,relro
-Wl,-rpath,/usr/local/lib’ --with-cc-opt=’-m64 -mtune=native -g -O2
-fstack-protector --param=ssp-buffer-size=4 -Wformat
-Wp,-D_FORTIFY_SOURCE=2’ --sbin-path=/usr/local/sbin/nginx
–conf-path=/usr/local/nginx/conf/nginx.conf --with-http_ssl_module
–with-http_gzip_static_module --with-http_stub_status_module
–with-http_sub_module --with-http_addition_module
–with-http_image_filter_module --with-http_secure_link_module
–with-http_flv_module --with-http_realip_module
–add-module=…/nginx-http-concat-master --with-http_dav_module
–add-module=…/nginx-module-vts --with-openssl=…/portable-2.1.6
–with-libatomic --with-threads --with-stream --with-stream_ssl_module
–with-pcre=…/pcre-8.37 --with-pcre-jit --with-http_spdy_module

Posted at Nginx Forum:,259325,259331#msg-259331

Tested fine with ECC 256 bit and RSA 2048 bit SSL and chacha20_poly1305

Posted at Nginx Forum:,259325,259333#msg-259333

thank you for your comment; i’ll re-test with 1.8 and adjust the

i think the config-workaround is obsolete too.



Posted at Nginx Forum:,259325,259372#msg-259372