We have installed Nginx on CentOS 6. This is a new install using Nginx 1.4.1 and OpenSSL 1.0.1e.
We then configured our vhosts to use SPDY; however, using a few different tests, it’s showing that SPDY is not enabled?
There are no messages in the logs and it restarts fine?
Missing NPN Extension in SSL/TLS Handshake
Sorry, but this server is not including an NPN Entension during the SSL/TLS handshake. The NPN Extension is an additional part of the SSL/TLS ServerHello message which allows web servers to tell browsers they support additional protocols, like SPDY. SSL/TLS servers that don’t use send the NPN Extension cannot use SPDY because they have no way to tell the browser to use SPDY instead of HTTP.
Next Protocol Negotiation No
Please see config below:
[root@lb-3 ~]# nginx -V
nginx version: nginx/1.4.1
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-3) (GCC)
TLS SNI support enabled
configure arguments: --user=nginx --group=nginx
--prefix=/usr/share/nginx
--sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf
--error-log-path=/var/log/nginx/error.log
--http-log-path=/var/log/nginx/access.log
--http-client-body-temp-path=/var/lib/nginx/tmp/client_body
--http-proxy-temp-path=/var/lib/nginx/tmp/proxy
--http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi
--http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi
--http-scgi-temp-path=/var/lib/nginx/tmp/scgi
--pid-path=/var/run/nginx.pid
--lock-path=/var/lock/subsys/nginx --with-http_ssl_module
--with-http_realip_module --with-http_addition_module
--with-http_xslt_module --with-http_image_filter_module
--with-http_geoip_module --with-http_sub_module --with-http_dav_module
--with-http_flv_module --with-http_gzip_static_module
--with-http_random_index_module --with-http_secure_link_module
--with-http_degradation_module --with-http_stub_status_module
--with-http_perl_module --with-http_mp4_module --with-http_spdy_module
--with-http_gunzip_module --with-mail --with-file-aio
--with-mail_ssl_module
--with-ipv6 --with-cc-opt='-O2 -g' --with-cc-opt='-O2 -g'
[root@lb-3 ~]# openssl version
OpenSSL 1.0.1e 11 Feb 2013
[root@lb-3 ~]# which openssl
/usr/bin/openssl
server {
    listen 443 ssl spdy;
    spdy_headers_comp 5;
    ssl_certificate /etc/nginx/certs/xxx;
    ssl_certificate_key /etc/nginx/certs/xxx;
    server_name www.xxx.com ;
    …snip…
}
Posted at Nginx Forum:
We have installed Nginx on CentOS 6. This is a new install using Nginx 1.4.1 and OpenSSL 1.0.1e We then confgured our vhosts to use SPDY, however using a few different tests, it's showing that SPDY is not enabled? There are no messages in the logs...
Hi!
Missing NPN Extension in SSL/TLS Handshake
Did you compile openssl on your own?
Can you post the output of “openssl version -a”?
Sounds to me as if OpenSSL was built without TLS extensions.
Thanks,
Lukas
It was installed via yum -(IUS)
I installed both OpenSSL10 and openssl10-libs.x86_64 : A general purpose cryptography library with TLS implementation
[root@lb-3 ~]# openssl version -a
OpenSSL 1.0.1e 11 Feb 2013
built on: Wed Feb 13 11:31:32 EST 2013
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(8x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g
-pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY
-DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5
-DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM
-DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines: rsax dynamic
Also, does this help?
[root@lb-3 ~]# nginx -V
nginx version: nginx/1.4.1
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-3) (GCC)
TLS SNI support enabled
See ‘TLS SNI support enabled’?
On Friday 05 July 2013 18:35:04 benseb wrote:
options: bn(64,64) md2(int) rc4(8x,int) des(idx,cisc,16,int) idea(int)
blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g
-pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY
-DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5
-DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM
-DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines: rsax dynamic
Have you actually built nginx with this version of library?
What’s in the error log?
wbr, Valentin V. Bartenev
--
http://nginx.org/en/donation.html
Can you run ldd against the nginx executable?
Lukas
Yes - if you tell me how?
The compile command I used was:
--user=nginx --group=nginx --prefix=/usr/share/nginx
--sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf
--error-log-path=/var/log/nginx/error.log
--http-log-path=/var/log/nginx/access.log
--http-client-body-temp-path=/var/lib/nginx/tmp/client_body
--http-proxy-temp-path=/var/lib/nginx/tmp/proxy
--http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi
--http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi
--http-scgi-temp-path=/var/lib/nginx/tmp/scgi
--pid-path=/var/run/nginx.pid
--lock-path=/var/lock/subsys/nginx --with-http_ssl_module
--with-http_realip_module --with-http_addition_module
--with-http_xslt_module --with-http_image_filter_module
--with-http_geoip_module --with-http_sub_module --with-http_dav_module
--with-http_flv_module --with-http_gzip_static_module
--with-http_random_index_module --with-http_secure_link_module
--with-http_degradation_module --with-http_stub_status_module
--with-http_perl_module --with-http_mp4_module --with-http_spdy_module
--with-http_gunzip_module --with-mail --with-file-aio
--with-mail_ssl_module
--with-ipv6 --with-cc-opt='-O2 -g' --with-cc-opt='-O2 -g'
As far as I know, this is the only version of openssl installed, unless I’m missing something?
[ben@lb-3 ~]$ which openssl
/usr/bin/openssl
[ben@lb-3 ~]$ /usr/bin/openssl version
OpenSSL 1.0.1e 11 Feb 2013
On Friday 05 July 2013 19:05:58 benseb wrote:
--http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/var/run/nginx.pid
--with-cc-opt='-O2 -g'
As far as I know, this is the only version of openssl installed, unless I’m
missing something?
[ben@lb-3 ~]$ which openssl
/usr/bin/openssl
[ben@lb-3 ~]$ /usr/bin/openssl version
OpenSSL 1.0.1e 11 Feb 2013
It’s binary, but what about header files? You can have compiled binaries from one version of library while header files of another.
What about nginx, are you sure that your scripts run the same version, and use the same config file?
There are a lot of ways to shoot yourself in the foot when you install something from source on a system that relies on packages.
And again, is there something in nginx error log?
wbr, Valentin V. Bartenev
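The header-versus-library mismatch raised in the reply above can be checked directly. This is an added example, not part of the original thread: the function names are made up here, the header directory is supplied by the caller (/usr/include/openssl is only the usual default), and it assumes nginx compiles its NPN code only when the OpenSSL headers define TLSEXT_TYPE_next_proto_neg.

```shell
#!/bin/sh
# Added example (not from the thread): compare the OpenSSL headers a build
# would see with the runtime library. Function names are made up here.

# Print the version token (e.g. "1.0.1e") declared by the headers in dir $1.
header_version() {
    sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}OPENSSL_VERSION_TEXT[[:space:]]\{1,\}"OpenSSL \([^ "]*\).*/\1/p' \
        "$1/opensslv.h" 2>/dev/null | head -n 1 | sed 's/-fips$//'
}

# Succeed if the headers in dir $1 declare the NPN extension type.
headers_have_npn() {
    grep -q 'define[[:space:]]\{1,\}TLSEXT_TYPE_next_proto_neg' \
        "$1/tls1.h" 2>/dev/null
}

# $1 = header directory, $2 = output of "openssl version".
# Prints one verdict: ok | mismatch | no-npn | no-headers
check_openssl_headers() {
    hdr=$(header_version "$1")
    run=$(printf '%s\n' "$2" |
          sed -n 's/^OpenSSL \([^ ]*\).*/\1/p' | sed 's/-fips$//')
    if [ -z "$hdr" ]; then
        echo no-headers      # devel headers not installed in this directory
    elif ! headers_have_npn "$1"; then
        echo no-npn          # headers predate NPN; assumed to disable SPDY NPN
    elif [ "$hdr" != "$run" ]; then
        echo mismatch        # headers and runtime library differ
    else
        echo ok
    fi
}

# Usage: sh check.sh /usr/include/openssl   (directory is an assumption)
if [ "$#" -ge 1 ]; then
    check_openssl_headers "$1" "$(openssl version)"
fi
```

A verdict other than ok means nginx should be rebuilt after installing development headers that match the library reported by ldd.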
benseb
July 5, 2013, 5:38pm
10
[ben@lb-3 ~]$ ldd /usr/sbin/nginx
linux-vdso.so.1 => (0x00007fffbe7ff000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fe08af81000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007fe08ad49000)
libpcre.so.0 => /lib64/libpcre.so.0 (0x00007fe08ab1d000)
libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007fe08a8b8000)
libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007fe08a50b000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007fe08a307000)
libz.so.1 => /lib64/libz.so.1 (0x00007fe08a0f1000)
libxml2.so.2 => /usr/lib64/libxml2.so.2 (0x00007fe089d9e000)
libxslt.so.1 => /usr/lib64/libxslt.so.1 (0x00007fe089b61000)
libexslt.so.0 => /usr/lib64/libexslt.so.0 (0x00007fe08994d000)
libgd.so.2 => /usr/lib64/libgd.so.2 (0x00007fe089705000)
libGeoIP.so.1 => /usr/lib64/libGeoIP.so.1 (0x00007fe0894cd000)
libperl.so => /usr/lib64/perl5/CORE/libperl.so (0x00007fe089162000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x00007fe088f47000)
libnsl.so.1 => /lib64/libnsl.so.1 (0x00007fe088d2e000)
libm.so.6 => /lib64/libm.so.6 (0x00007fe088aaa000)
libutil.so.1 => /lib64/libutil.so.1 (0x00007fe0888a6000)
libc.so.6 => /lib64/libc.so.6 (0x00007fe088513000)
/lib64/ld-linux-x86-64.so.2 (0x00007fe08b1a4000)
libfreebl3.so => /lib64/libfreebl3.so (0x00007fe0882b1000)
libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007fe08806c000)
libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007fe087d86000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007fe087b82000)
libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007fe087955000)
libgcrypt.so.11 => /lib64/libgcrypt.so.11 (0x00007fe0876e0000)
libgpg-error.so.0 => /lib64/libgpg-error.so.0 (0x00007fe0874db000)
libXpm.so.4 => /usr/lib64/libXpm.so.4 (0x00007fe0872ca000)
libX11.so.6 => /usr/lib64/libX11.so.6 (0x00007fe086f8d000)
libjpeg.so.62 => /usr/lib64/libjpeg.so.62 (0x00007fe086d3c000)
libfontconfig.so.1 => /usr/lib64/libfontconfig.so.1 (0x00007fe086b06000)
libfreetype.so.6 => /usr/lib64/libfreetype.so.6 (0x00007fe086869000)
libpng12.so.0 => /usr/lib64/libpng12.so.0 (0x00007fe086642000)
libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007fe086437000)
libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007fe086233000)
libxcb.so.1 => /usr/lib64/libxcb.so.1 (0x00007fe086015000)
libexpat.so.1 => /lib64/libexpat.so.1 (0x00007fe085dec000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x00007fe085bcd000)
libXau.so.6 => /usr/lib64/libXau.so.6 (0x00007fe0859ca000)
[ben@lb-3 ~]$
benseb
July 5, 2013, 5:59pm
11
I did a replace on OpenSSL using YUM which should have removed all of the existing 0.98 version I presume. Nginx was a clean install (from source) so shouldn’t have clashed with anything?
I’m not sure where to go from here, nothing in the error logs. Previously when I tried to run spdy/nginx and the wrong version was installed, it showed this in the error logs, but this no longer happens on this new install (and new server) so it seems to be loading ok.
Does it matter that this is set up as a load balancer, with two upstream servers behind (we use proxy in HTTPS mode) - I am under the assumption that SPDY can be installed on this front end without worrying about the backend servers as that’s a completely separate handshake, etc?