Building mesalink as drop-in replacement for nginx #51

kevinburke1 opened this issue Feb 10, 2021 · 2 comments


kevinburke1 commented Feb 10, 2021

Hi, I'm trying to compile nginx using mesalink as the replacement for OpenSSL.

I've compiled mesalink using the following:

mkdir out
./autogen.sh --prefix=$(pwd)/out
make && make install

Then compile nginx (sources available at github.com/nginx/nginx) with the following options:

./auto/configure --with-http_ssl_module \
    --with-cc-opt="-I/path/to/mesalock-linux/mesalink/out/include/mesalink -I/path/to/mesalock-linux/mesalink/out/include" \
    --with-ld-opt="-L/path/to/mesalock-linux/mesalink/out/lib"

I get the following error:

./auto/configure: error: SSL modules require the OpenSSL library.
You can either do not enable the modules, or install the OpenSSL library
into the system, or build the OpenSSL library statically from the source
with nginx by using --with-openssl=<path> option.

If you read through objs/autoconf.err you get:

checking for OpenSSL library in /usr/local/

objs/autotest.c:7:5: error: implicit declaration of function 'SSL_CTX_set_options' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
    SSL_CTX_set_options(NULL, 0);
    ^
1 error generated.
----------

#include <sys/types.h>
#include <unistd.h>
#include <openssl/ssl.h>

int main(void) {
    SSL_CTX_set_options(NULL, 0);
    return 0;
}

----------
cc -pipe -I/path/to/mesalock-linux/mesalink/out/include/mesalink -I/path/to/mesalock-linux/mesalink/out/include -D__APPLE_USE_RFC_3542 -I /usr/local/include -o objs/autotest objs/autotest.c -L/path/to/mesalock-linux/mesalink/out/lib -L/usr/local/lib -lssl -lcrypto

I searched for SSL_CTX_set_options in mesalink source code and issues, but I couldn't find anything. Any idea how to get past this? Do I need to define a shim .h file or something?

Updates #12.


kevinburke1 commented Feb 10, 2021

If I'm understanding this right we'd need to implement SSL_CTX_set_options and define/implement all of the bit fields that can be set, or make them no-ops if not supported. Here are all of the uses in nginx.

src/mail/ngx_mail_ssl_module.c:468:        SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET);
src/stream/ngx_stream_ssl_module.c:819:        SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET);
src/http/modules/ngx_http_ssl_module.c:914:        SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET);
src/event/ngx_event_openssl.c:285:    SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_SESS_ID_BUG);
src/event/ngx_event_openssl.c:289:    SSL_CTX_set_options(ssl->ctx, SSL_OP_NETSCAPE_CHALLENGE_BUG);
src/event/ngx_event_openssl.c:295:    SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);
src/event/ngx_event_openssl.c:299:    SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);
src/event/ngx_event_openssl.c:304:    SSL_CTX_set_options(ssl->ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING);
src/event/ngx_event_openssl.c:308:    SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG);
src/event/ngx_event_openssl.c:312:    SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_D5_BUG);
src/event/ngx_event_openssl.c:316:    SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_BLOCK_PADDING_BUG);
src/event/ngx_event_openssl.c:320:    SSL_CTX_set_options(ssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
src/event/ngx_event_openssl.c:323:    SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
src/event/ngx_event_openssl.c:332:        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2);
src/event/ngx_event_openssl.c:335:        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3);
src/event/ngx_event_openssl.c:338:        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1);
src/event/ngx_event_openssl.c:343:        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
src/event/ngx_event_openssl.c:349:        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
src/event/ngx_event_openssl.c:355:        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
src/event/ngx_event_openssl.c:370:    SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
src/event/ngx_event_openssl.c:374:    SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_ANTI_REPLAY);
src/event/ngx_event_openssl.c:378:    SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_CLIENT_RENEGOTIATION);
src/event/ngx_event_openssl.c:859:        SSL_CTX_set_options(ssl->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
src/event/ngx_event_openssl.c:1388:    SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_ECDH_USE);
src/event/ngx_event_openssl.c:1432:    SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_ECDH_USE);
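
An added example, not part of the original thread and not mesalink or nginx code: a sketch of the shim idea raised in the comment above, showing that a no-op shim should still record which requested hardening bits it could not enforce. The `shim_` names, the `SHIM_OP_*` bit values and the assumption that the backend only speaks TLS 1.2 and 1.3 without compression are constructed for illustration.

```c
#include <stdio.h>
/* Constructed bit values for illustration; real ones live in <openssl/ssl.h>. */
#define SHIM_OP_NO_TICKET      0x001UL
#define SHIM_OP_NO_COMPRESSION 0x002UL
#define SHIM_OP_NO_SSLv3       0x010UL
#define SHIM_OP_NO_TLSv1       0x020UL
#define SHIM_OP_NO_TLSv1_1     0x040UL
#define SHIM_OP_NO_TLSv1_2     0x080UL
#define SHIM_OP_NO_TLSv1_3     0x100UL

/* Assumption: the backend never speaks SSLv3/TLS 1.0/1.1 and never compresses,
 * so these requests are already satisfied and can be accepted as no-ops. */
#define SHIM_ALWAYS_TRUE (SHIM_OP_NO_SSLv3 | SHIM_OP_NO_TLSv1 | \
                          SHIM_OP_NO_TLSv1_1 | SHIM_OP_NO_COMPRESSION)
/* These change behaviour and must reach the backend's version list. */
#define SHIM_ENFORCED (SHIM_OP_NO_TLSv1_2 | SHIM_OP_NO_TLSv1_3)
/* Hypothetical context type, not mesalink's SSL_CTX. */
typedef struct {
    unsigned long options;   /* every bit the caller requested */
    unsigned long unhonored; /* requested bits this shim cannot enforce */
    int allow_tls12, allow_tls13;
} shim_ctx;

/* Like SSL_CTX_set_options: OR the bits in, return the resulting mask. */
unsigned long shim_ctx_set_options(shim_ctx *c, unsigned long op) {
    c->options |= op;
    if (op & SHIM_OP_NO_TLSv1_2) c->allow_tls12 = 0;
    if (op & SHIM_OP_NO_TLSv1_3) c->allow_tls13 = 0;
    c->unhonored |= op & ~(SHIM_ALWAYS_TRUE | SHIM_ENFORCED);
    return c->options;
}

/* Helper: apply op to a fresh context and report the dropped bits. */
unsigned long shim_dropped(unsigned long op) {
    shim_ctx c = {0, 0, 1, 1};
    shim_ctx_set_options(&c, op);
    return c.unhonored;
}

/* Helper: bit 0 = TLS 1.2 still allowed, bit 1 = TLS 1.3 still allowed. */
int shim_versions(unsigned long op) {
    shim_ctx c = {0, 0, 1, 1};
    shim_ctx_set_options(&c, op);
    return c.allow_tls12 | (c.allow_tls13 << 1);
}

int main(void) {
    unsigned long op = SHIM_OP_NO_TLSv1 | SHIM_OP_NO_TLSv1_2 | SHIM_OP_NO_TICKET;
    printf("versions=%d dropped=0x%lx\n", shim_versions(op), shim_dropped(op));
    return 0;
}
```

A caller or startup check can log `unhonored` so that a configuration asking for, say, disabled session tickets does not silently run without that setting.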


ymjing commented Feb 12, 2021 via email
