Re: Centos 6.5 and ECDH ciphers in nginx.org Centos repo

Jeffrey Walton
January 06, 2014 05:28AM
On Mon, Jan 6, 2014 at 5:10 AM, Nick Jenkin <nick@thenile.com.au> wrote:
> RHEL used 1.0.0 in 6.4, however in 6.5 it was updated to OpenSSL 1.0.1e-fips 11 Feb 2013
> See: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/6.5_Release_Notes/
>
> Like I said, if I compile nginx myself it ECDH works fine. It’s the nginx.org binaries that do not work. So it would appear the nginx.org binaries are statically compiled against the older version...

That's easy enough to check. Run ldd on it and look for an OpenSSL
dependency. If SSL/TLS is enabled and the dependency is missing, then
nginx was statically linked against OpenSSL. Below, nginx was built
with a dependency on the shared object.

$ ldd objs/nginx
linux-vdso.so.1 => (0x00007fff85f96000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f9f0345b000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f9f0323f000)
libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007f9f03007000)
libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007f9f02dca000)
libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f9f02b6a000)
libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f9f02785000)
...

> so I guess the question is when will the nginx.org builds be built on 6.5?

Sorry, I can't help. I believe that's a question for the Red Hat or
CentOS folks.

Jeff

> On 6 Jan 2014, at 9:07 pm, Jeffrey Walton <noloader@gmail.com> wrote:
>
>> On Sun, Jan 5, 2014 at 10:56 PM, Nick Jenkin <nick@thenile.com.au> wrote:
>>> Hi
>>>
>>> In Centos 6.5 (and RHEL 6.5) the ECDH ciphers were enabled. There appears to be an issue with the nginx.org 1.5.8 Centos binaries still not having support for ECDHE despite having updated openssl 1.01e with elliptic curves.
>>>
>>> If I compile from source, ECDH works fine. Is there something wrong with the centos binaries?
>>>
>> http://unix.stackexchange.com/questions/84283/how-can-i-get-tlsv1-2-support-in-apache-on-rhel6-centos-sl6
>>
>> Though the question is about Apache, it specifically calls out nginx
>> as needing a recompile on the platform after updating from OpenSSL
>> 1.0.0 to OpenSSL 1.0.1 due to static linking.
>>

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
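
Added example, not part of the original thread: a shell version of the ldd check described in the reply above, which also confirms from the `nginx -V` configure arguments that SSL/TLS is enabled before reading a missing libssl dependency as static linking. The function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Classify how an nginx binary gets its OpenSSL code, from the text of
# `ldd <binary>` ($1) and `nginx -V` ($2). Prints: dynamic | static | no-tls
classify_linkage() {
    ldd_out=$1
    nginx_v=$2
    # Without the SSL module in the configure arguments, SSL/TLS is not
    # enabled, so a missing libssl dependency says nothing about linking.
    if ! printf '%s\n' "$nginx_v" | grep -q -- '--with-http_ssl_module'; then
        echo "no-tls"
        return 0
    fi
    if printf '%s\n' "$ldd_out" | grep -q 'libssl\.so'; then
        # Shared object dependency: the system OpenSSL is loaded at run time.
        echo "dynamic"
    else
        # SSL/TLS enabled, no libssl dependency: OpenSSL was linked statically.
        echo "static"
    fi
}

# Run the check against a real binary, e.g. check_nginx /usr/sbin/nginx
# (nginx -V writes to stderr, hence 2>&1).
check_nginx() {
    classify_linkage "$(ldd "$1" 2>/dev/null)" "$("$1" -V 2>&1)"
}

# Constructed sample inputs (not captured from the systems in this thread).
SAMPLE_V_TLS='nginx version: nginx/1.5.8
configure arguments: --prefix=/etc/nginx --with-http_ssl_module'
SAMPLE_V_PLAIN='nginx version: nginx/1.5.8
configure arguments: --prefix=/etc/nginx'
SAMPLE_LDD_DYNAMIC='  libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007f0000000000)
  libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f0000100000)
  libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f0000200000)'
SAMPLE_LDD_STATIC='  libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007f0000000000)
  libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007f0000300000)'

# Demo on the constructed samples.
for sample in "$SAMPLE_LDD_DYNAMIC" "$SAMPLE_LDD_STATIC"; do
    classify_linkage "$sample" "$SAMPLE_V_TLS"
done
```

A "static" result means the binary keeps the OpenSSL it was built with until it is rebuilt, so updating the distribution's OpenSSL package alone does not change what it supports.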