2025-04-02 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)05/31 Report--
This article explains how to use LibreSSL in an Nginx server.
Installation
LibreSSL is compiled directly from source. The build output is very concise, and the source tree provides test cases and parallel build support (see appendix).
# options for building and installing LibreSSL
$ ./configure --prefix=/usr LDFLAGS=-lrt && make check && sudo make install
The newly installed LibreSSL can stand in for OpenSSL and runs the same way, but be aware that, as Sabotage Linux's spencerjohn and Gentoo's Hanno Böck say, completely replacing OpenSSL with LibreSSL across the operating system can be troublesome. [3,4]
LibreSSL reports its version as LibreSSL 2.0, and the openssl command is used the same way as with OpenSSL:
$ which openssl
/usr/bin/openssl
$ openssl version
LibreSSL 2.0
$ openssl s_client -host www.openssl.org -port 443
CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=GB/OU=Domain Control Validated/CN=*.openssl.org
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2
 1 s:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
 2 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
... skip
-----END CERTIFICATE-----
subject=/C=GB/OU=Domain Control Validated/CN=*.openssl.org
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2
---
No client certificate CA names sent
---
SSL handshake has read 4136 bytes and written 707 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
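A transcript like the one above can be reduced to the few fields worth comparing before and after swapping the TLS library. The following is an added example, not part of the original article; the function name summarise_s_client is hypothetical and the sample is constructed from the output shown above.

```shell
#!/bin/sh
# Added example: summarise an `openssl s_client` transcript as key=value lines.
# SAMPLE is constructed from the transcript shown in the article.
SAMPLE='depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384'

# summarise_s_client (hypothetical helper): transcript on stdin.
# Reports protocol, cipher, whether the key exchange is ephemeral,
# whether the cipher is AEAD, and any certificate verify error numbers.
summarise_s_client() {
    awk '
        /^verify error:num=/ {
            split($0, a, /[=:]/)                 # a[3] is the error number
            errs = errs (errs ? "," : "") a[3]
        }
        /^ *Protocol *:/ { sub(/^[^:]*: */, ""); proto = $0 }
        /^ *Cipher *:/   { sub(/^[^:]*: */, ""); cipher = $0 }
        /^Compression:/  { sub(/^[^:]*: */, ""); comp = $0 }
        /^Secure Renegotiation IS supported/ { reneg = "yes" }
        END {
            # TLS 1.2 suite names carry the key exchange as a prefix;
            # TLS 1.3 suites are always ephemeral.
            pfs  = (proto == "TLSv1.3" || cipher ~ /^(ECDHE|DHE)-/) ? "yes" : "no"
            aead = (cipher ~ /(GCM|CHACHA20|CCM)/) ? "yes" : "no"
            printf "protocol=%s\ncipher=%s\n", proto, cipher
            printf "forward_secrecy=%s\naead=%s\n", pfs, aead
            printf "secure_renegotiation=%s\n", (reneg ? reneg : "no")
            printf "compression=%s\n", comp
            printf "verify_errors=%s\n", (errs ? errs : "none")
        }'
}

printf '%s\n' "$SAMPLE" | summarise_s_client
```

The verify_errors=19 line reflects the chain verification error in the transcript, so certificate trust was not established for that connection even though the handshake completed.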
Once I had confirmed that LibreSSL was usable, I set about making nginx use it. On older systems that still use OpenSSL 0.9.x, I usually build nginx+OpenSSL statically to make the latest and best versions of TLS available. As a first attempt, using only ./configure --with-openssl=/path/to/libressl was a big mistake, because nginx is tightly integrated with the OpenSSL build process:
nginx runs a script called ./config instead of ./configure (easy to solve)
OpenSSL collects object (.obj) files and other files under .openssl/lib to link into binaries and libraries, while LibreSSL stores these files separately in crypto/.libs and ssl/.libs.
I tried to resolve these problems by manually setting up a directory hierarchy (.openssl/lib) and copying files according to the error messages that appeared after a successful build of LibreSSL (see the error message below). When compiling LibreSSL I saw a similar error, which could be resolved with the LDFLAGS=-lrt option, but I still could not fix it when compiling nginx and linking against the statically compiled LibreSSL library (but I continued):
...
objs/addon/nginx-upstream-fair/ngx_http_upstream_fair_module.o \
objs/addon/src/ngx_http_headers_more_filter_module.o \
objs/addon/src/ngx_http_headers_more_headers_out.o \
objs/addon/src/ngx_http_headers_more_headers_in.o \
objs/addon/src/ngx_http_headers_more_util.o \
objs/addon/src/ngx_http_encrypted_session_module.o \
objs/addon/src/ngx_http_encrypted_session_cipher.o \
objs/ngx_modules.o \
-Wl,-E -lpthread -lcrypt -L/usr/lib -lm -llua5.1 -lpcre /data/builds/froggstack/nginx_modules/openssl/.openssl/lib/libssl.a /data/builds/froggstack/nginx_modules/openssl/.openssl/lib/libcrypto.a -ldl -lz
/data/builds/froggstack/nginx_modules/openssl/.openssl/lib/libcrypto.a(libcompat_la-getentropy_linux.o): In function `getentropy_fallback':
/data/builds/froggstack/nginx_modules/openssl/crypto/compat/getentropy_linux.c:324: undefined reference to `clock_gettime'
/data/builds/froggstack/nginx_modules/openssl/crypto/compat/getentropy_linux.c:395: undefined reference to `clock_gettime'
collect2: error: ld returned 1 exit status
make[1]: *** [objs/nginx] Error 1
make[1]: Leaving directory `/data/builds/froggstack/src_nginx/nginx-1.6.0'
make: *** [build] Error 2
The next attempt was to build nginx by linking against LibreSSL's dynamic library, with LibreSSL installed, and this eventually succeeded (see the appendix for the full nginx ./configure options). After nginx-libressl -t ran successfully, I replaced /usr/bin/nginx with the new binary and ran /etc/init.d/nginx restart, and the updated nginx + LibreSSL was online. No nginx configuration files or SSL settings needed to be modified, which is very good!
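Because the working build links the TLS library dynamically, it is worth confirming which libssl the swapped-in binary actually resolves at load time. The following is an added example, not part of the original article; the function name tls_linkage is hypothetical, both ldd samples are constructed with placeholder sonames and addresses, and /usr/lib is assumed as the library directory that follows from the --prefix=/usr install above.

```shell
#!/bin/sh
# Added example: classify how a binary obtains its TLS library from `ldd` output.
# Both samples are constructed; sonames and load addresses are placeholders.
LDD_DYNAMIC='    linux-vdso.so.1 (0x00007ffc00000000)
    libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007f0000000000)
    libssl.so.0 => /usr/lib/libssl.so.0 (0x00007f0000100000)
    libcrypto.so.0 => /usr/lib/libcrypto.so.0 (0x00007f0000200000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000300000)'
LDD_STATIC='    linux-vdso.so.1 (0x00007ffc00000000)
    libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007f0000000000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000300000)'

# tls_linkage EXPECTED_LIBDIR   (hypothetical helper; ldd output on stdin)
# Prints one of:
#   dynamic:<path>     libssl resolves inside the expected directory
#   unexpected:<path>  libssl resolves elsewhere (another copy is being loaded)
#   missing            libssl is needed but the loader cannot find it
#   static-or-none     no libssl dependency (statically linked TLS, or no TLS)
tls_linkage() {
    awk -v want="$1" '
        $1 ~ /^libssl\.so/ {
            seen = 1
            if ($3 == "not") { print "missing"; exit }   # "=> not found"
            dir = $3
            sub("/[^/]*$", "", dir)                      # strip the file name
            tag = (dir == want) ? "dynamic:" : "unexpected:"
            print tag $3
            exit
        }
        END { if (!seen) print "static-or-none" }'
}

printf '%s\n' "$LDD_DYNAMIC" | tls_linkage /usr/lib
printf '%s\n' "$LDD_STATIC"  | tls_linkage /usr/lib
```

On a live host the input would be `ldd /usr/bin/nginx`. A static-or-none result for a TLS-enabled nginx means the library is compiled in, so library updates only take effect after nginx is rebuilt.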
Test
Testing with various Linux and Android browsers found no problems, even with console browsers such as w3m on a forgotten Debian 5 with OpenSSL 0.9.8g (19 Oct 2007).
The score on ssllabs.com is the same as with the previous configuration; with LibreSSL, the only note is that the chacha20-poly1305 cipher is still experimental.
A small performance test showed no big problem; on average, LibreSSL was 4% slower. The reason may be that OpenSSL was statically linked into nginx while LibreSSL was dynamically linked, which adds overhead.
The raw numbers:
| parallel requests | openssl-rps | libressl-rps |
|---|---|---|
| 10 | 2341.75 | 2260.5 |
| 20 | 2459.75 | 2418.25 |
| 30 | 2472 | 2397 |
| 40 | 2485 | 2384.5 |
| 50 | 2445 | 2382.25 |
| 60 | 2453.25 | 2390.75 |
| 70 | 2426.25 | 2347.25 |
| 80 | 2346.5 | 2227.5 |
| 90 | 2325.5 | 2211 |
| 2297.75 | 2297.75 | 2318.25 |
Some instructions on how to test performance may be found in the appendix.