Issues building Nginx using boringssl

杨金泽
  • 20 Feb '24
Hello,
I encountered the following error when using boringssl to build Nginx:
checking for OpenSSL library ... not found
checking for OpenSSL library in /usr/local/ ... not found
checking for OpenSSL library in /usr/pkg/ ... not found
checking for OpenSSL library in /opt/local/ ... not found
./auto/configure: error: SSL modules require the OpenSSL library.
You can either do not enable the modules, or install the OpenSSL library
into the system, or build the OpenSSL library statically from the source
with nginx by using --with-openssl=<path> option.

At first I thought it was caused by openssl not existing, but when I ran
openssl version -a, everything was normal:
root at iZ2hmeokcpbj42Z ~/nginx # openssl version -a
OpenSSL 3.0.11 19 Sep 2023 (Library: OpenSSL 3.0.11 19 Sep 2023)
built on: Mon Oct 23 17:52:22 2023 UTC
platform: debian-amd64
options: bn(64,64)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall
-fzero-call-used-regs=used-gpr -DOPENSSL_TLS_SECURITY_LEVEL=2
-Wa,--noexecstack -g -O2 -ffile-prefix-map=
/build/reproducible-path/openssl-3.0.11=. -fstack-protector-strong -Wformat
-Werror=format-security -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC
-DOPENSSL_BUILDING_OPENSSL -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-3"
MODULESDIR: "/usr/lib/x86_64-linux-gnu/ossl-modules"
Seeding source: os-specific
CPUINFO: OPENSSL_ia32cap=0xfffa32035f8bffff:0xd01e4fbb

Later my friend and I discovered that the latest boringssl compatible
OpenSSL version seems to have been upgraded to 3.2.x, but I am not sure if
this is the problem. The final solution was to switch to
https://github.com/google/boringssl
/commit/c39e6cd9ec5acebb6de2adffc03cfe03b07f08ab this commit.But I don't
think switching to a previous commit to build is a perfect solution, so I'd
like to ask for some help.

My build steps are as follows:
apt update
apt install build-essential ca-certificates zlib1g-dev libpcre3
libpcre3-dev tar unzip libssl-dev wget curl git cmake ninja-build mercurial
libunwind-dev pkg-config

git clone https://github.com/google/boringssl.git
cd boringssl
mkdir build
cd build
cmake -GNinja ..
ninja
cd ../..

git clone --recurse-submodules -j8 https://github.com/google/ngx_brotli
cd ngx_brotli/deps/brotli
mkdir out && cd out
cmake -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=OFF
-DCMAKE_C_FLAGS="-Ofast -m64 -march=native -mtune=native -flto
-funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections"
-DCMAKE_CXX_FLAGS ="-Ofast -m64 -march=native -mtune=native -flto
-funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections"
-DCMAKE_INSTALL_PREFIX=./installed ..
cmake --build . --config Release --target brotlienc
cd ../../../..

hg clone https://hg.nginx.org/nginx
cd nginx
./auto/configure --user=www --group=www --prefix=/www/server/nginx
--with-pcre --add-module=/root/ngx_brotli --with-http_v2_module
--with-stream --with-stream_ssl_module --with-http_ssl_module
--with-http_gzip_static_module --with-http_gunzip_module
--with-http_sub_module --with-http_flv_module --with-http_addition_module
--with-http_realip_module --with-http_mp4_module --with-ld -opt=-Wl,-E
--with-cc-opt=-Wno-error --with-ld-opt=-ljemalloc --with-http_dav_module
--with-http_v3_module --with-cc-opt=-I ../boringssl/include
--with-ld-opt='-L../boringssl/build/ssl -L../boringssl/build/crypto'
make
make install

System information:
checking for OS
+ Linux 6.1.0-18-amd64 x86_64
checking for C compiler ... found
+ using GNU C compiler
+ gcc version: 12.2.0 (Debian 12.2.0-14)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20240220/69fffd00/attachment-0001.htm>
J
Jeffrey
  • 20 Feb '24
On Tue, Feb 20, 2024 at 12:23 AM 杨金泽 <rttwyjz at gmail.com> wrote:
>
> I encountered the following error when using boringssl to build Nginx:
> checking for OpenSSL library ... not found
> checking for OpenSSL library in /usr/local/ ... not found
> checking for OpenSSL library in /usr/pkg/ ... not found
> checking for OpenSSL library in /opt/local/ ... not found
> ./auto/configure: error: SSL modules require the OpenSSL library.
> You can either do not enable the modules, or install the OpenSSL library
> into the system, or build the OpenSSL library statically from the source
> with nginx by using --with-openssl=<path> option.
>
> At first I thought it was caused by openssl not existing, but when I ran openssl version -a, everything was normal:
> root at iZ2hmeokcpbj42Z ~/nginx # openssl version -a
> OpenSSL 3.0.11 19 Sep 2023 (Library: OpenSSL 3.0.11 19 Sep 2023)
> built on: Mon Oct 23 17:52:22 2023 UTC
> platform: debian-amd64
> options: bn(64,64)
> compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -fzero-call-used-regs=used-gpr -DOPENSSL_TLS_SECURITY_LEVEL=2 -Wa,--noexecstack -g -O2 -ffile-prefix-map= /build/reproducible-path/openssl-3.0.11=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
> OPENSSLDIR: "/usr/lib/ssl"
> ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-3"
> MODULESDIR: "/usr/lib/x86_64-linux-gnu/ossl-modules"
> Seeding source: os-specific
> CPUINFO: OPENSSL_ia32cap=0xfffa32035f8bffff:0xd01e4fbb
>
> Later my friend and I discovered that the latest boringssl compatible OpenSSL version seems to have been upgraded to 3.2.x, but I am not sure if this is the problem. The final solution was to switch to https://github.com/google/boringssl /commit/c39e6cd9ec5acebb6de2adffc03cfe03b07f08ab this commit.But I don't think switching to a previous commit to build is a perfect solution, so I'd like to ask for some help.
>
> My build steps are as follows:
> apt update
> apt install build-essential ca-certificates zlib1g-dev libpcre3 libpcre3-dev tar unzip libssl-dev wget curl git cmake ninja-build mercurial libunwind-dev pkg-config
>
> git clone https://github.com/google/boringssl.git
> cd boringssl
> mkdir build
> cd build
> cmake -GNinja ..
> ninja
> cd ../..
>
> git clone --recurse-submodules -j8 https://github.com/google/ngx_brotli
> cd ngx_brotli/deps/brotli
> mkdir out && cd out
> cmake -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=OFF -DCMAKE_C_FLAGS="-Ofast -m64 -march=native -mtune=native -flto -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" -DCMAKE_CXX_FLAGS ="-Ofast -m64 -march=native -mtune=native -flto -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" -DCMAKE_INSTALL_PREFIX=./installed ..
> cmake --build . --config Release --target brotlienc
> cd ../../../..
>
> hg clone https://hg.nginx.org/nginx
> cd nginx
> ./auto/configure --user=www --group=www --prefix=/www/server/nginx --with-pcre --add-module=/root/ngx_brotli --with-http_v2_module --with-stream --with-stream_ssl_module --with-http_ssl_module --with-http_gzip_static_module --with-http_gunzip_module --with-http_sub_module --with-http_flv_module --with-http_addition_module --with-http_realip_module --with-http_mp4_module --with-ld -opt=-Wl,-E --with-cc-opt=-Wno-error --with-ld-opt=-ljemalloc --with-http_dav_module --with-http_v3_module --with-cc-opt=-I ../boringssl/include --with-ld-opt='-L../boringssl/build/ssl -L../boringssl/build/crypto'
> make
> make install
>
> System information:
> checking for OS
> + Linux 6.1.0-18-amd64 x86_64
> checking for C compiler ... found
> + using GNU C compiler
> + gcc version: 12.2.0 (Debian 12.2.0-14)

This does not look correct to me, based on my knowledge of OpenSSL. (I
don't have experience with BoringSSL):

    --with-ld-opt='-L../boringssl/build/ssl -L../boringssl/build/crypto'

You are trying to link two OpenSSL-compatible libraries. They are
libcrypto.{a|so}, and libssl.{a|so}. Those artifacts are usually
placed in a  lib/ directory, not in separate ssl/ and crypto/
directories. (Two separate directories may be a BoringSSL-ism).

So I believe the proper flag would be similar to:

    --with-ld-opt='-L../boringssl/build/lib

You should also consider using the the following option so the library
used at runtime is the same library used at compile and link time:

    -Wl,-rpath=../boringssl/build/lib -Wl,--enable-new-dtags

But you should change ../boringssl/build/lib to the full path, and not
use the relative path.

Also see <https://wiki.openssl.org/index.php/Compilation_and_Installation#Using_RPATHs>
or the BoringSSL equivalent document.

Jeff
S
Sergey
  • 20 Feb '24
> On 20 Feb 2024, at 09:22, 杨金泽 <rttwyjz at gmail.com> wrote:
> 
> Hello,
> I encountered the following error when using boringssl to build Nginx:
> checking for OpenSSL library ... not found
> checking for OpenSSL library in /usr/local/ ... not found
> checking for OpenSSL library in /usr/pkg/ ... not found
> checking for OpenSSL library in /opt/local/ ... not found
> ./auto/configure: error: SSL modules require the OpenSSL library.
> You can either do not enable the modules, or install the OpenSSL library
> into the system, or build the OpenSSL library statically from the source
> with nginx by using --with-openssl=<path> option.

Regardless of a pilot error (trimmed), there is indeed a breaking
change in BoringSSL, which now expects C++ runtime environment in
libssl, see git revision c52806157c97105da7fdc2b021d0a0fcd5186bf3,
which basically means it can no longer be used in pure C programs.
Someday they will hopefully fix that, meanwhile you may want to:
- switch to C++ linker as described in the revision;
- build libssl as a shared library (see BUILDING.md in sources);
- use some other workarounds when linking with BoringSSL statically,
  such as explicit linking with libstdc++/libc++.

-- 
Sergey Kandaurov
  • Page 1 of 1
Reply