On behalf of my employer, Apcera Inc, we are delighted to make available a new Nginx module, providing for a start-up OpenSSL version check for those who wish for a little more belt&braces protection. https://github.com/apcera/nginx-openssl-version The README.md file explains the rationale. The simplest configuration is to make no configuration change, so that you just get a log message to the error log at notice level, at start-up, stating which version of OpenSSL the code was built against and which was found at runtime. The most complicated configuration is to add one line to your configuration in the global section: openssl_version_minimum 1.0.1g; With this, if the runtime library loaded in is not at least of this level, then there is a fatal configuration error and nginx will refuse to start. Dedicated to all those who have ever had to debug interactions between setcap for net-bind privilege marked on a binary, the runtime linker, concepts of what is or is not setuid and what is or is not safe in such a situation and finding that not even the runtime linker will tell you honestly which version of the library will _actually_ be used, only lsof(8) will, by showing which file was _actually_ mmap'd into your address space. Like many others, my Monday night was _fun_. Regards, and may you sleep more soundly, -Phil Pennock, Apcera Inc.
on 2014-04-09 04:12