Welcome! Log In Create A New Profile


New module: Nginx OpenSSL version check

Phil Pennock
April 08, 2014 10:12PM
On behalf of my employer, Apcera Inc, we are delighted to make available
a new Nginx module, providing for a start-up OpenSSL version check for
those who wish for a little more belt&braces protection.


The README.md file explains the rationale. The simplest configuration
is to make no configuration change, so that you just get a log message
to the error log at notice level, at start-up, stating which version of
OpenSSL the code was built against and which was found at runtime.

The most complicated configuration is to add one line to your
configuration in the global section:

openssl_version_minimum 1.0.1g;

With this, if the runtime library loaded in is not at least of this
level, then there is a fatal configuration error and nginx will refuse
to start.

Dedicated to all those who have ever had to debug interactions between
setcap for net-bind privilege marked on a binary, the runtime linker,
concepts of what is or is not setuid and what is or is not safe in such
a situation and finding that not even the runtime linker will tell you
honestly which version of the library will _actually_ be used, only
lsof(8) will, by showing which file was _actually_ mmap'd into your
address space. Like many others, my Monday night was _fun_.

Regards, and may you sleep more soundly,
-Phil Pennock, Apcera Inc.

nginx mailing list
Subject Author Posted

New module: Nginx OpenSSL version check

Phil Pennock April 08, 2014 10:12PM

Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 77
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready