
Nginx + OpenSSL 1.0.2h = ALPN. Enable ALPN support on Ubuntu 14.04

Briefly, the essence of the problem: if you serve HTTP/2 with Nginx on Ubuntu 14.x, then from May 31 Chrome will stop talking HTTP/2 to your server. Solving the problem, though, is quite simple.

To use the HTTP/2 protocol, the client and server need a way to switch from plain TLS to it. This negotiation is implemented on both the browser and the server side. There are currently two such mechanisms: NPN (Next Protocol Negotiation) and ALPN (Application-Layer Protocol Negotiation). The first is obsolete and has been replaced by the second. But to use ALPN, a fairly recent OpenSSL is required (1.0.2+); older versions only support NPN.
Now back to our Ubuntu 14.x, where the OpenSSL version is:
    # openssl version
    OpenSSL 1.0.1f 6 Jan 2014

An update to 1.0.2 is not to be expected; it will only come with a distribution upgrade (for example, to 16.04).
But that is the system's version; we are only interested in what Nginx uses, and here is what the fresh mainline package for Ubuntu reports:
    # nginx -V
    nginx version: nginx/1.9.15
    built by gcc 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.1)
    built with OpenSSL 1.0.1f 6 Jan 2014
    TLS SNI support enabled
    configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --add-dynamic-module=debian/extra/njs-1c50334fbea6/nginx --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,--as-needed'


You can see with the naked eye the same OpenSSL 1.0.1f. So ALPN will not work for us.
Meanwhile, the Google team has already announced the final date for cutting NPN support out of the Chromium code: May 31. Incidentally, SPDY will stop working as well.

Solution


In order not to lose HTTP/2 support, you should take care of ALPN support now. Of course, you could switch abruptly to Ubuntu 16.04, but I think that does not suit everyone.
The recipe is fairly straightforward and clear: you need to build Nginx against a fresh OpenSSL.
Let's get down to business:

0. Install Nginx from the official repository. This gives us the server's startup script and will be needed for the subsequent work. After installing from the repository, comment the repository out again, so that subsequent updates do not overwrite our custom Nginx.

1. Download the Nginx and OpenSSL sources (the versions are those current at the time of writing):

    wget https://www.openssl.org/source/openssl-1.0.2h.tar.gz
    wget http://nginx.org/download/nginx-1.10.0.tar.gz


2. Unpack the archives.

3. Install the packages needed to build Nginx successfully:

    sudo apt-get -y install build-essential libpcre3 libpcre3-dev zlib1g-dev checkinstall
    sudo apt-get build-dep nginx


4. Configure Nginx. To do this, copy the configure-arguments part of the nginx -V output, add the OpenSSL source folder (--with-openssl=/home/db/openssl-1.0.2h), and pass the result to ./configure in the Nginx source folder. I got the following (I removed the GeoIP module):
 --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_perl_module=dynamic --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,--as-needed' --with-openssl=/home/db/openssl-1.0.2h 


If errors occur during configure, most likely some dependency is missing. This is usually cured by installing the corresponding package, of the form libXYZ-dev.

5. Build Nginx (in the source folder):

 make 


6. Then you could simply run make install, but instead we will build a package. That is more convenient and tidy (you can upgrade, remove, etc.). For this:

 sudo checkinstall --pkgname=nginx --pkgversion=1.10.0 --nodoc 


While the package is being built, you will be asked for a description; you can enter something like Nginx + OpenSSL 1.0.2. After that, the package should be installed. It can also be transferred to similar systems and installed as usual:

 dpkg -i nginx_1.10.0-1_amd64.deb 


7. Check ALPN support online or on the command line (OpenSSL 1.0.2+ must be present on the system that runs the check):

 echo | openssl s_client -alpn h2 -connect your-host:443 | grep ALPN 
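
The same gate, done mechanically, as an added example (this is not code from the original article): the script below extracts the OpenSSL version from captured `nginx -V` output, decides whether that version can offer ALPN (1.0.2 or newer), and checks `openssl s_client -alpn h2` output for a negotiated "h2". The sample outputs inside it are constructed for offline use, not captured from a real host; the `build_nginx_with_openssl` function reproduces steps 1 to 6 above, needs network access and sudo, and is only run when `NGINX_ALPN_BUILD=1` is set. Version numbers, the tarball URLs and the `/home/db/...` path follow the article; everything else is assumed.

```shell
#!/bin/sh
# Added example, not from the original article. Automates the "is this nginx
# ALPN-capable?" check the article performs by reading `nginx -V`, plus a
# parser for the `openssl s_client -alpn h2` result. Sample outputs are
# constructed; the build function is opt-in (NGINX_ALPN_BUILD=1).

# nginx_openssl_version "<nginx -V output>" -> prints e.g. 1.0.1f (empty if absent)
nginx_openssl_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*built with OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p' |
        head -n 1
}

# openssl_version_ok VERSION -> exit 0 if VERSION >= 1.0.2 (ALPN-capable),
# 1 otherwise. Patch letters and suffixes ("h", "-fips") are ignored.
openssl_version_ok() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -s -d. -f2)
    patch=$(printf '%s' "$ver" | cut -s -d. -f3)
    minor=${minor:-0}
    patch=${patch:-0}
    if [ "$major" -gt 1 ]; then return 0; fi   # 3.x, 2.x
    if [ "$major" -lt 1 ]; then return 1; fi   # 0.9.8 and older
    if [ "$minor" -gt 0 ]; then return 0; fi   # 1.1.x
    [ "$patch" -ge 2 ]                         # 1.0.2+ yes, 1.0.1 no
}

# nginx_alpn_ready "<nginx -V output>" -> exit 0 if nginx is linked against an
# ALPN-capable OpenSSL; the stock Ubuntu 14.04 build (1.0.1f) fails this.
nginx_alpn_ready() {
    v=$(nginx_openssl_version "$1")
    if [ -z "$v" ]; then return 1; fi
    openssl_version_ok "$v"
}

# alpn_negotiated "<s_client output>" -> exit 0 if the server chose h2 via ALPN.
# OpenSSL prints "ALPN protocol: h2" on success, "No ALPN negotiated" otherwise.
alpn_negotiated() {
    printf '%s\n' "$1" | grep -q '^ALPN protocol: h2$'
}

# live_alpn_check HOST -> runs the article's step 7 against a real host (network).
live_alpn_check() {
    alpn_negotiated "$(echo | openssl s_client -alpn h2 -connect "$1:443" 2>/dev/null)"
}

# build_nginx_with_openssl NGINX_VER OPENSSL_VER "<configure arguments>"
# Steps 1-6 of the article: fetch and unpack both tarballs, configure nginx
# with --with-openssl pointing at the OpenSSL source tree, make, and package
# with checkinstall. Pass the "configure arguments:" part of your own
# `nginx -V` as the third argument. Requires network access and sudo.
build_nginx_with_openssl() {
    nginx_ver=$1; openssl_ver=$2; configure_args=$3
    sudo apt-get -y install build-essential libpcre3 libpcre3-dev zlib1g-dev checkinstall
    wget "https://www.openssl.org/source/openssl-${openssl_ver}.tar.gz"
    wget "http://nginx.org/download/nginx-${nginx_ver}.tar.gz"
    tar xzf "openssl-${openssl_ver}.tar.gz"
    tar xzf "nginx-${nginx_ver}.tar.gz"
    openssl_src=$(pwd)/openssl-${openssl_ver}
    cd "nginx-${nginx_ver}" || return 1
    # eval so quoted items such as --with-cc-opt='...' from nginx -V survive intact
    eval "./configure $configure_args --with-openssl='$openssl_src'"
    make
    sudo checkinstall --pkgname=nginx --pkgversion="$nginx_ver" --nodoc
}

# Constructed sample outputs (abridged), standing in for real command output.
SAMPLE_NGINX_V_STOCK='nginx version: nginx/1.9.15
built by gcc 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.1)
built with OpenSSL 1.0.1f 6 Jan 2014
TLS SNI support enabled'
SAMPLE_NGINX_V_REBUILT='nginx version: nginx/1.10.0
built with OpenSSL 1.0.2h  3 May 2016
TLS SNI support enabled'
SAMPLE_S_CLIENT_H2='SSL-Session:
    Protocol  : TLSv1.2
ALPN protocol: h2'
SAMPLE_S_CLIENT_NONE='No ALPN negotiated'

for out in "$SAMPLE_NGINX_V_STOCK" "$SAMPLE_NGINX_V_REBUILT"; do
    v=$(nginx_openssl_version "$out")
    if nginx_alpn_ready "$out"; then
        echo "nginx linked against OpenSSL $v: ALPN available"
    else
        echo "nginx linked against OpenSSL $v: NPN only, rebuild needed"
    fi
done

if [ "${NGINX_ALPN_BUILD:-0}" = 1 ]; then
    # Article's versions; replace the configure arguments with your own nginx -V list.
    build_nginx_with_openssl 1.10.0 1.0.2h "--prefix=/etc/nginx --with-http_ssl_module --with-http_v2_module"
fi
```

Run it as-is to see the verdict for both sample builds; on a real host, `nginx_alpn_ready "$(nginx -V 2>&1)"` gives the answer for the installed binary, and `live_alpn_check your-host` confirms that the rebuilt server actually negotiates h2.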


That's all!

Source: https://habr.com/ru/post/301452/

