grahamedgecombe / nginx-ct
Certificate Transparency module for nginx.
Home Page: https://grahamedgecombe.com/projects/nginx-ct
License: ISC License
I've started looking at implementing this.
Looks like the first thing to do is to replace SSL_CTX_add_server_custom_ext with SSL_CTX_add_custom_ext on OpenSSL >= 1.1.1. This will allow us to drop the SSL_EXT_TLS1_2_AND_BELOW_ONLY flag.
Since I've installed it, and I installed it correctly, I get these errors in my nginx 1.15.1 error logs every day, tons of them. Disabling it fixed the issue.
2018/07/06 15:57:03 [warn] 19687#19687: *287966 SSL_set_current_cert failed while SSL handshaking, client: 70.48.61.228, server: 0.0.0.0:443
2018/07/06 15:57:03 [crit] 19687#19687: *287966 SSL_do_handshake() failed (SSL: error:1422A0EA:SSL routines:custom_ext_add:callback failed) while SSL handshaking, client: 70.48.61.228, server: 0.0.0.0:443
The error given by the BROWSER is ERR_SSL_PROTOCOL_ERROR
Verified with the Epic privacy browser using Chromium Version 62.0.3202.94. Users can possibly join the http page, switch to https but thereafter no navigation possible over https.
I know another user has reported similar behavior for Chromium 64.
I know that Chromium 66 and 67 are working well. Chromium 65 is untested, as are Chromium 45-61.
Would like to get that addressed, otherwise would be forced to disable it permanently. We're losing users and potential customers.
Willing to help/assist in tests if need be,
best regards!
Using OpenSSL 1.0.2k from CentOS 7.4 with Nginx 1.13.5, ngx_mail_ssl_ct_module and ngx_stream_ssl_ct_module do not compile. ngx_ssl_ct_module and ngx_http_ssl_ct_module are built properly.
./configure --with-mail=dynamic --with-mail_ssl_module --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --add-dynamic-module=nginx-ct-1.3.2
Hey,
I tried to build new nginx with nginx-ct today and have been getting these errors:
../nginx-ct/ngx_ssl_ct_module.c: In function ‘ngx_ssl_ct_merge_srv_conf’:
../nginx-ct/ngx_ssl_ct_module.c:164:19: error: ‘SSL_EXT_CLIENT_HELLO’ undeclared (first use in this function)
int context = SSL_EXT_CLIENT_HELLO
^~~~~~~~~~~~~~~~~~~~
../nginx-ct/ngx_ssl_ct_module.c:164:19: note: each undeclared identifier is reported only once for each function it appears in
../nginx-ct/ngx_ssl_ct_module.c:165:19: error: ‘SSL_EXT_TLS1_2_SERVER_HELLO’ undeclared (first use in this function)
| SSL_EXT_TLS1_2_SERVER_HELLO
^~~~~~~~~~~~~~~~~~~~~~~~~~~
../nginx-ct/ngx_ssl_ct_module.c:166:19: error: ‘SSL_EXT_TLS1_3_CERTIFICATE’ undeclared (first use in this function)
| SSL_EXT_TLS1_3_CERTIFICATE;
^~~~~~~~~~~~~~~~~~~~~~~~~~
../nginx-ct/ngx_ssl_ct_module.c:167:9: error: implicit declaration of function ‘SSL_CTX_add_custom_ext’ [-Werror=implicit-function-declaration]
if (SSL_CTX_add_custom_ext(ssl_ctx, NGX_SSL_CT_EXT, context,
^~~~~~~~~~~~~~~~~~~~~~
../nginx-ct/ngx_ssl_ct_module.c: In function ‘ngx_ssl_ct_ext_cb’:
../nginx-ct/ngx_ssl_ct_module.c:192:20: error: ‘SSL_EXT_TLS1_3_CERTIFICATE’ undeclared (first use in this function)
if (context == SSL_EXT_TLS1_3_CERTIFICATE && chainidx != 0) {
^~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
objs/Makefile:1524: recipe for target 'objs/addon/nginx-ct/ngx_ssl_ct_module.o' failed
make[1]: *** [objs/addon/nginx-ct/ngx_ssl_ct_module.o] Error 1
The same error occurs with both the dynamic and the non-dynamic module.
/opt/src/nginx-ct-master/ngx_http_ssl_ct_module.c:167:9: warning: implicit declaration of function 'SSL_CTX_add_server_custom_ext' is invalid in C99 [-Wimplicit-function-declaration]
if (SSL_CTX_add_server_custom_ext(ssl_conf->ssl.ctx, NGX_HTTP_SSL_CT_EXT,
^
1 warning generated.
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ranlib: file: .libs/libpcre.a(libpcre_la-pcre_string_utils.o) has no symbols
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ranlib: file: .libs/libpcre.a(libpcre_la-pcre_string_utils.o) has no symbols
Undefined symbols for architecture x86_64:
"_SSL_CTX_add_server_custom_ext", referenced from:
_ngx_http_ssl_ct_merge_srv_conf in ngx_http_ssl_ct_module.o
ld: symbol(s) not found for architecture x86_64
clang: error: linker command failed with exit code 1 (use -v to see invocation)
make[1]: *** [objs/nginx] Error 1
make: *** [build] Error 2
I'm using the latest nginx-ct with nginx 1.13.9 and OpenSSL 1.1.1 (alpha2).
When using CT we have a bug in Chrome 64.0.3282.186:
when you open the site everything is fine, but if you don't close the tab, wait 5-10 min and then refresh the site with F5, you get an SSL error (ERR_SSL_VERSION_INTERFERENCE on Windows) and can't open the site until you close the browser or restart nginx.
Also, CT works with that OpenSSL only if you put the ct directives in the block with default_server.
I tried to compile with Nginx 1.17.5 and get the following error when nginx-ct is compiled as dynamic module:
nginx: [emerg] dlsym() "/etc/nginx/ngx_ssl_ct_module.so", "ngx_modules" failed (/etc/nginx/ngx_ssl_ct_module.so: undefined symbol: ngx_modules) in /etc/nginx/nginx.conf:1
nginx: configuration file /etc/nginx/nginx.conf test failed
If the directory has a few valid SCTs and an empty file, nginx will serve the response but it will be malformed. Specifically, Chrome will report 0 SCTs and CFNetwork (Safari) will fail to access the website at all.
Here's the test case, the good server and bad server:
good: https://patpat.vm.prod.zone/
bad: https://brokensct.patpat.vm.prod.zone/
The bad server has exactly the same config, with one empty file added to scts directory.
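The report above boils down to the wire format of the extension: RFC 6962 section 3.3 requires every SerializedSCT in the list to be at least one byte long, so an empty file that is serialized as-is yields a zero-length entry and a malformed list. The following is an added example, not code from nginx-ct, that encodes and strictly decodes the list, reproduces the malformed output for an empty entry, and skips empty files the way a defensive loader should; all SCT bytes are constructed dummies, not output of any real log.

```python
import struct

# RFC 6962 section 3.3 defines the TLS extension payload nginx-ct sends:
#   opaque SerializedSCT<1..2^16-1>;
#   struct { SerializedSCT sct_list<1..2^16-1>; } SignedCertificateTimestampList;
# Both vectors carry a 2-byte length and both have a minimum length of 1 byte,
# so an empty .sct file, serialized naively, becomes a zero-length entry that
# violates the format; strict clients then reject or ignore the whole list.

MAX_U16 = 0xFFFF


def encode_sct_list(scts, strict=True):
    """Serialize SCT blobs into a SignedCertificateTimestampList.

    With strict=True an empty or oversized entry raises ValueError.
    With strict=False the function reproduces the malformed output a naive
    encoder emits for an empty file (used here only to demonstrate the failure).
    """
    body = b""
    for i, sct in enumerate(scts):
        if strict and not 1 <= len(sct) <= MAX_U16:
            raise ValueError(f"SCT #{i} has invalid length {len(sct)}")
        body += struct.pack("!H", len(sct)) + sct
    if not 1 <= len(body) <= MAX_U16:
        raise ValueError(f"sct_list has invalid length {len(body)}")
    return struct.pack("!H", len(body)) + body


def decode_sct_list(data):
    """Parse a SignedCertificateTimestampList the way a strict client would.

    Returns the list of SerializedSCT blobs, or raises ValueError on any
    length inconsistency, including a zero-length SCT entry.
    """
    if len(data) < 2:
        raise ValueError("truncated sct_list length")
    (total,) = struct.unpack("!H", data[:2])
    if total == 0:
        raise ValueError("sct_list must contain at least one byte")
    if 2 + total != len(data):
        raise ValueError(f"sct_list length {total} != {len(data) - 2} bytes present")
    scts, pos, end = [], 2, 2 + total
    while pos < end:
        if pos + 2 > end:
            raise ValueError(f"truncated SCT length at offset {pos}")
        (n,) = struct.unpack("!H", data[pos:pos + 2])
        pos += 2
        if n == 0:
            raise ValueError(f"zero-length SCT entry at offset {pos - 2}")
        if pos + n > end:
            raise ValueError(f"SCT at offset {pos - 2} overruns sct_list")
        scts.append(data[pos:pos + n])
        pos += n
    return scts


def parse_sct_header(sct):
    """Return (log_id_hex, timestamp_ms) from a v1 SCT; the signature is not verified here."""
    # v1 SCT layout: version(1) || log_id(32) || timestamp(8) || extensions || signature
    if len(sct) < 41 or sct[0] != 0:
        raise ValueError("not a v1 SCT")
    (timestamp_ms,) = struct.unpack("!Q", sct[33:41])
    return sct[1:33].hex(), timestamp_ms


def make_fake_sct(log_id_byte, timestamp_ms):
    """Build a structurally valid v1 SCT with a dummy signature (constructed test data)."""
    return (b"\x00"                                  # version: v1
            + bytes([log_id_byte]) * 32              # log_id: SHA-256 of the log's public key
            + struct.pack("!Q", timestamp_ms)        # timestamp in ms since the epoch
            + b"\x00\x00"                            # extensions: empty
            + b"\x04\x03"                            # SignatureAndHashAlgorithm: sha256 / ecdsa
            + struct.pack("!H", 4) + b"\xde\xad\xbe\xef")  # signature: 4 dummy bytes


def build_from_directory(files):
    """Mimic loading an ssl_ct_static_scts directory given {filename: bytes}.

    Empty files are skipped and reported instead of being serialized, which is
    the defensive behaviour the report calls for. Returns (payload, skipped).
    """
    good, skipped = [], []
    for name, data in sorted(files.items()):
        if data:
            good.append(data)
        else:
            skipped.append(name)
    return encode_sct_list(good), skipped


if __name__ == "__main__":
    # Constructed directory contents: two valid SCTs plus the empty file from the report.
    scts_dir = {"log-a.sct": make_fake_sct(0x11, 1511828488192),
                "log-b.sct": make_fake_sct(0x22, 1511828488193),
                "empty.sct": b""}
    payload, skipped = build_from_directory(scts_dir)
    print("skipped:", skipped, "SCTs served:", len(decode_sct_list(payload)))
    naive = encode_sct_list(list(scts_dir.values()), strict=False)
    try:
        decode_sct_list(naive)
    except ValueError as exc:
        print("naive encoding rejected:", exc)
```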
Building with nginx 1.10.3 and ./configure --add-dynamic-module=../nginx-ct-1.3.2 --with-http_ssl_module
sudo nginx -t
nginx: [emerg] module "/usr/share/nginx/modules/ngx_ssl_ct_module.so" is not binary compatible in /etc/nginx/modules-enabled/load_modules.conf:1
nginx: configuration file /etc/nginx/nginx.conf test failed
$ sudo nginx -V
nginx version: nginx/1.10.3
built with OpenSSL 1.1.0f 25 May 2017
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-2tpxfc/nginx-1.10.3=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module --add-dynamic-module=/build/nginx-2tpxfc/nginx-1.10.3/debian/modules/nginx-auth-pam --add-dynamic-module=/build/nginx-2tpxfc/nginx-1.10.3/debian/modules/nginx-dav-ext-module --add-dynamic-module=/build/nginx-2tpxfc/nginx-1.10.3/debian/modules/nginx-echo --add-dynamic-module=/build/nginx-2tpxfc/nginx-1.10.3/debian/modules/nginx-upstream-fair --add-dynamic-module=/build/nginx-2tpxfc/nginx-1.10.3/debian/modules/ngx_http_substitutions_filter_module
$ openssl version
OpenSSL 1.1.0f 25 May 2017
Hello, I encountered this error on ubuntu 22.04, it ships with openssl3. Any idea?
root@b8ab3399ba7b:/etc/nginx/modules-enabled# ln -s ../modules-available/mod-http-ssl-ct.conf .
root@b8ab3399ba7b:/etc/nginx/modules-enabled# nginx -t
nginx: [emerg] dlopen() "/usr/share/nginx/modules/ngx_http_ssl_ct_module.so" failed (/usr/share/nginx/modules/ngx_http_ssl_ct_module.so: undefined symbol: ngx_ssl_ct_create_srv_conf) in /etc/nginx/modules-enabled/mod-http-ssl-ct.conf:1
nginx: configuration file /etc/nginx/nginx.conf test failed
Hi,
I don't really understand how to use this file dynamically.
This line occurred when I tried to start nginx:
Sep 02 15:59:03 las2 nginx[26339]: nginx: [emerg] dlopen() "/usr/lib64/nginx/modules/nginx-ct-master/ngx_http_ssl_ct_module.c" failed (/usr/lib64/nginx/modules/nginx-ct-master/ngx_http_ssl_ct_module.c: invalid ELF header) in /etc/nginx/nginx.conf:8
Did I do something wrong?
Nginx version is 1.13.4
Openssl version is OpenSSL 1.1.0f 25 May 2017
Centos 7
Thanks.
Used nginx version: 1.11.10 (current mainline version)
Used nginx-ct version: current source code
Used OpenSSL version: 1.1.0e (2017-Feb-16)
cc -c -fPIC -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -I src/core -I src/event -I src/event/modules -I src/os/unix -I ../nginx-rtmp -I objs -I src/http -I src/http/modules -I src/http/v2 -I src/mail -I src/stream \
-o objs/addon/nginx-ct/ngx_ssl_ct_module.o \
../nginx-ct/ngx_ssl_ct_module.c
../nginx-ct/ngx_ssl_ct_module.c: In function ‘ngx_ssl_ct_merge_srv_conf’:
../nginx-ct/ngx_ssl_ct_module.c:175:5: error: implicit declaration of function ‘SSL_CTX_add_server_custom_ext’ [-Werror=implicit-function-declaration]
if (SSL_CTX_add_server_custom_ext(ssl_ctx, NGX_SSL_CT_EXT,
^
../nginx-ct/ngx_ssl_ct_module.c: In function ‘ngx_ssl_ct_ext_cb’:
../nginx-ct/ngx_ssl_ct_module.c:192:5: error: implicit declaration of function ‘SSL_set_current_cert’ [-Werror=implicit-function-declaration]
int result = SSL_set_current_cert(s, SSL_CERT_SET_SERVER);
^
../nginx-ct/ngx_ssl_ct_module.c:192:42: error: ‘SSL_CERT_SET_SERVER’ undeclared (first use in this function)
int result = SSL_set_current_cert(s, SSL_CERT_SET_SERVER);
^
../nginx-ct/ngx_ssl_ct_module.c:192:42: note: each undeclared identifier is reported only once for each function it appears in
cc1: all warnings being treated as errors
objs/Makefile:2077: recipe for target 'objs/addon/nginx-ct/ngx_ssl_ct_module.o' failed
make[1]: *** [objs/addon/nginx-ct/ngx_ssl_ct_module.o] Error 1
How can I solve this?
Hi,
Any variants with existing temporary solutions lead to an error:
-o objs/addon/ngx_ct/ngx_ssl_ct_module.o \
/…/ngx_ct/ngx_ssl_ct_module.c
/…/ngx_ct/ngx_ssl_ct_module.c: In function ‘ngx_ssl_ct_merge_srv_conf’:
/…/ngx_ct/ngx_ssl_ct_module.c:164:19: error: ‘SSL_EXT_CLIENT_HELLO’ undeclared (first use in this function)
int context = SSL_EXT_CLIENT_HELLO
^
/…/ngx_ct/ngx_ssl_ct_module.c:164:19: note: each undeclared identifier is reported only once for each function it appears in
/…/ngx_ct/ngx_ssl_ct_module.c:165:19: error: ‘SSL_EXT_TLS1_2_SERVER_HELLO’ undeclared (first use in this function)
| SSL_EXT_TLS1_2_SERVER_HELLO
^
/…/ngx_ct/ngx_ssl_ct_module.c:166:19: error: ‘SSL_EXT_TLS1_3_CERTIFICATE’ undeclared (first use in this function)
| SSL_EXT_TLS1_3_CERTIFICATE;
^
/…/ngx_ct/ngx_ssl_ct_module.c:167:5: warning: implicit declaration of function ‘SSL_CTX_add_custom_ext’ [-Wimplicit-function-declaration]
if (SSL_CTX_add_custom_ext(ssl_ctx, NGX_SSL_CT_EXT, context,
^
/…/ngx_ct/ngx_ssl_ct_module.c: In function ‘ngx_ssl_ct_ext_cb’:
/…/ngx_ct/ngx_ssl_ct_module.c:192:20: error: ‘SSL_EXT_TLS1_3_CERTIFICATE’ undeclared (first use in this function)
if (context == SSL_EXT_TLS1_3_CERTIFICATE && chainidx != 0) {
^
make[1]: *** [objs/addon/ngx_ct/ngx_ssl_ct_module.o] Error 1
Has anyone found a solution?
Tnx!
Using libressl-2.2.4, compilation cannot be completed.
http://pastebin.com/4aNvupyh
cc -o objs/nginx objs/src/core/nginx.o objs/src/core/ngx_log.o objs/src/core/ngx_palloc.o objs/src/core/ngx_array.o objs/src/core/ngx_list.o objs/src/core/ngx_hash.o objs/src/core/ngx_buf.o objs/src/core/ngx_queue.o objs/src/core/ngx_output_chain.o objs/src/core/ngx_string.o objs/src/core/ngx_parse.o objs/src/core/ngx_parse_time.o objs/src/core/ngx_inet.o objs/src/core/ngx_file.o objs/src/core/ngx_crc32.o objs/src/core/ngx_murmurhash.o objs/src/core/ngx_md5.o objs/src/core/ngx_rbtree.o objs/src/core/ngx_radix_tree.o objs/src/core/ngx_slab.o objs/src/core/ngx_times.o objs/src/core/ngx_shmtx.o objs/src/core/ngx_connection.o objs/src/core/ngx_cycle.o objs/src/core/ngx_spinlock.o objs/src/core/ngx_rwlock.o objs/src/core/ngx_cpuinfo.o objs/src/core/ngx_conf_file.o objs/src/core/ngx_resolver.o objs/src/core/ngx_open_file_cache.o objs/src/core/ngx_crypt.o objs/src/core/ngx_proxy_protocol.o objs/src/core/ngx_syslog.o objs/src/event/ngx_event.o objs/src/event/ngx_event_timer.o objs/src/event/ngx_event_posted.o objs/src/event/ngx_event_accept.o objs/src/event/ngx_event_connect.o objs/src/event/ngx_event_pipe.o objs/src/os/unix/ngx_time.o objs/src/os/unix/ngx_errno.o objs/src/os/unix/ngx_alloc.o objs/src/os/unix/ngx_files.o objs/src/os/unix/ngx_socket.o objs/src/os/unix/ngx_recv.o objs/src/os/unix/ngx_readv_chain.o objs/src/os/unix/ngx_udp_recv.o objs/src/os/unix/ngx_send.o objs/src/os/unix/ngx_writev_chain.o objs/src/os/unix/ngx_channel.o objs/src/os/unix/ngx_shmem.o objs/src/os/unix/ngx_process.o objs/src/os/unix/ngx_daemon.o objs/src/os/unix/ngx_setaffinity.o objs/src/os/unix/ngx_setproctitle.o objs/src/os/unix/ngx_posix_init.o objs/src/os/unix/ngx_user.o objs/src/os/unix/ngx_process_cycle.o objs/src/os/unix/ngx_freebsd_init.o objs/src/os/unix/ngx_freebsd_sendfile_chain.o objs/src/event/modules/ngx_kqueue_module.o objs/src/event/ngx_event_openssl.o objs/src/event/ngx_event_openssl_stapling.o objs/src/core/ngx_regex.o objs/src/http/ngx_http.o 
objs/src/http/ngx_http_core_module.o objs/src/http/ngx_http_special_response.o objs/src/http/ngx_http_request.o objs/src/http/ngx_http_parse.o objs/src/http/ngx_http_header_filter_module.o objs/src/http/ngx_http_write_filter_module.o objs/src/http/ngx_http_copy_filter_module.o objs/src/http/modules/ngx_http_log_module.o objs/src/http/ngx_http_request_body.o objs/src/http/ngx_http_variables.o objs/src/http/ngx_http_script.o objs/src/http/ngx_http_upstream.o objs/src/http/ngx_http_upstream_round_robin.o objs/src/http/modules/ngx_http_static_module.o objs/src/http/modules/ngx_http_index_module.o objs/src/http/modules/ngx_http_chunked_filter_module.o objs/src/http/modules/ngx_http_range_filter_module.o objs/src/http/modules/ngx_http_headers_filter_module.o objs/src/http/modules/ngx_http_not_modified_filter_module.o objs/src/http/ngx_http_file_cache.o objs/src/http/modules/ngx_http_gzip_filter_module.o objs/src/http/ngx_http_postpone_filter_module.o objs/src/http/modules/ngx_http_ssi_filter_module.o objs/src/http/modules/ngx_http_charset_filter_module.o objs/src/http/modules/ngx_http_userid_filter_module.o objs/src/http/v2/ngx_http_v2.o objs/src/http/v2/ngx_http_v2_table.o objs/src/http/v2/ngx_http_v2_huff_decode.o objs/src/http/v2/ngx_http_v2_huff_encode.o objs/src/http/v2/ngx_http_v2_module.o objs/src/http/v2/ngx_http_v2_filter_module.o objs/src/http/modules/ngx_http_autoindex_module.o objs/src/http/modules/ngx_http_auth_basic_module.o objs/src/http/modules/ngx_http_access_module.o objs/src/http/modules/ngx_http_limit_conn_module.o objs/src/http/modules/ngx_http_limit_req_module.o objs/src/http/modules/ngx_http_geo_module.o objs/src/http/modules/ngx_http_map_module.o objs/src/http/modules/ngx_http_split_clients_module.o objs/src/http/modules/ngx_http_referer_module.o objs/src/http/modules/ngx_http_rewrite_module.o objs/src/http/modules/ngx_http_ssl_module.o objs/src/http/modules/ngx_http_proxy_module.o objs/src/http/modules/ngx_http_fastcgi_module.o 
objs/src/http/modules/ngx_http_uwsgi_module.o objs/src/http/modules/ngx_http_scgi_module.o objs/src/http/modules/ngx_http_memcached_module.o objs/src/http/modules/ngx_http_empty_gif_module.o objs/src/http/modules/ngx_http_browser_module.o objs/src/http/modules/ngx_http_upstream_hash_module.o objs/src/http/modules/ngx_http_upstream_ip_hash_module.o objs/src/http/modules/ngx_http_upstream_least_conn_module.o objs/src/http/modules/ngx_http_upstream_keepalive_module.o objs/src/http/modules/ngx_http_upstream_zone_module.o objs/src/http/modules/ngx_http_stub_status_module.o objs/addon/nginx-ct/ngx_http_ssl_ct_module.o objs/addon/src/ngx_http_headers_more_filter_module.o objs/addon/src/ngx_http_headers_more_headers_out.o objs/addon/src/ngx_http_headers_more_headers_in.o objs/addon/src/ngx_http_headers_more_util.o objs/ngx_modules.o -L /usr/local/lib -lcrypt -lpcre -lssl -lcrypto -lz
objs/addon/nginx-ct/ngx_http_ssl_ct_module.o: In function `ngx_http_ssl_ct_merge_srv_conf':
/home/ghw/nginx-ct/ngx_http_ssl_ct_module.c:(.text+0x480): undefined reference to `SSL_CTX_add_server_custom_ext'
cc: error: linker command failed with exit code 1 (use -v to see invocation)
*** Error code 1
Stop.
Is ngx_ssl_ct_module required to be loaded before ngx_mail_ssl_ct_module? I intend to use only ngx_mail_ssl_ct_module and skip ngx_http_ssl_ct_module.
nginx-ct supports several versions of nginx, OpenSSL and BoringSSL. Testing by hand is becoming rather time-consuming.
It'd be good to have a set of automated tests which tested all the combinations of nginx version, SSL library, dynamic/static module, etc.
System OS: Ubuntu 16.04 64-bit
objs/addon/nginx-ct-1.3.2/ngx_ssl_ct_module.o: In function `ngx_ssl_ct_ext_cb':
ngx_ssl_ct_module.c:(.text+0x68): multiple definition of `ngx_ssl_ct_ext_cb'
objs/addon/nginx-ct-1.3.2/ngx_ssl_ct_module.o:ngx_ssl_ct_module.c:(.text+0x68): first defined here
objs/addon/nginx-ct-1.3.2/ngx_ssl_ct_module.o: In function `ngx_ssl_ct_create_srv_conf':
ngx_ssl_ct_module.c:(.text+0x11c): multiple definition of `ngx_ssl_ct_create_srv_conf'
objs/addon/nginx-ct-1.3.2/ngx_ssl_ct_module.o:ngx_ssl_ct_module.c:(.text+0x11c): first defined here
objs/addon/nginx-ct-1.3.2/ngx_ssl_ct_module.o: In function `ngx_ssl_ct_read_static_scts':
ngx_ssl_ct_module.c:(.text+0x146): multiple definition of `ngx_ssl_ct_read_static_scts'
objs/addon/nginx-ct-1.3.2/ngx_ssl_ct_module.o:ngx_ssl_ct_module.c:(.text+0x146): first defined here
objs/addon/nginx-ct-1.3.2/ngx_ssl_ct_module.o: In function `ngx_ssl_ct_merge_srv_conf':
ngx_ssl_ct_module.c:(.text+0x637): multiple definition of `ngx_ssl_ct_merge_srv_conf'
objs/addon/nginx-ct-1.3.2/ngx_ssl_ct_module.o:ngx_ssl_ct_module.c:(.text+0x637): first defined here
objs/addon/nginx-ct-1.3.2/ngx_ssl_ct_module.o:(.data+0x0): multiple definition of `ngx_ssl_ct_module'
objs/addon/nginx-ct-1.3.2/ngx_ssl_ct_module.o:(.data+0x0): first defined here
objs/addon/nginx-ct-1.3.2/ngx_http_ssl_ct_module.o:(.data+0x0): multiple definition of `ngx_http_ssl_ct_module'
objs/addon/nginx-ct-1.3.2/ngx_http_ssl_ct_module.o:(.data+0x0): first defined here
collect2: error: ld returned 1 exit status
objs/Makefile:318: recipe for target 'objs/nginx' failed
make[1]: *** [objs/nginx] Error 1
make[1]: Leaving directory '/root/MistackV2/oneinstack/src/nginx-1.10.3'
Makefile:8: recipe for target 'build' failed
make: *** [build] Error 2
./configure --prefix=/usr/local/nginx --user=www --group=www --with-http_stub_status_module --with-http_v2_module --with-http_ssl_module --with-http_gzip_static_module --with-http_realip_module --with-http_flv_module --with-http_mp4_module --with-openssl=../openssl-1.0.2k --with-pcre-jit --with-ld-opt='-ljemalloc' --add-module=../../../ext-src/nginx-ct-1.3.2 --add-module=../../../ext-src/nginx-ct-1.3.2 --add-module=../../../ext-src/ngx_brotli-bfd2885 --add-module=../../../ext-src/ngx_cache_purge-2.3 --add-module=../../../ext-src/ngx_pagespeed-1.12.34.2-beta
./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-http_v2_module --with-ipv6 --add-module=../nginx-ct-1.3.0
Occurred error on make:
objs/ngx_modules.o \
-ldl -lpthread -lpthread -lcrypt -lpcre -lssl -lcrypto -ldl -lz \
-Wl,-E
objs/addon/nginx-ct-1.3.0/ngx_ssl_ct_module.o: In function `ngx_ssl_ct_ext_cb':
~/nginx-current/nginx-1.11.3/../nginx-ct-1.3.0/ngx_ssl_ct_module.c:197: undefined reference to `ssl_get_server_send_pkey'
collect2: error: ld returned 1 exit status
objs/Makefile:354: recipe for target 'objs/nginx' failed
make[1]: *** [objs/nginx] Error 1
make[1]: Leaving directory '~/nginx-current/nginx-1.11.3'
Makefile:8: recipe for target 'build' failed
make: *** [build] Error 2
It gives this output:
make
make -f objs/Makefile
make[1]: Entering directory '/home/jonny/server-files/nginx/nginx-1.13.0'
cc -c -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -Wno-deprecated-declarations -Wno-deprecated-declarations -I src/core -I src/event -I src/event/modules -I src/os/unix -I /home/jonny/server-files/nginx/nginx-rtmp-module -I /home/jonny/server-files/pcre/pcre-8.40 -I /home/jonny/server-files/openssl/openssl-1.1.1-tls1.3-draft-18/.openssl/include -I /home/jonny/server-files/zlib/zlib-1.2.11 -I objs -I src/http -I src/http/modules -I src/http/v2 -I /home/jonny/server-files/nginx/ngx_brotli/deps/brotli/include \
-o objs/addon/nginx-ct/ngx_ssl_ct_module.o \
/home/jonny/server-files/nginx/nginx-ct/ngx_ssl_ct_module.c
/home/jonny/server-files/nginx/nginx-ct/ngx_ssl_ct_module.c: In function ‘ngx_ssl_ct_merge_srv_conf’:
/home/jonny/server-files/nginx/nginx-ct/ngx_ssl_ct_module.c:164:19: error: ‘SSL_EXT_CLIENT_HELLO’ undeclared (first use in this function)
int context = SSL_EXT_CLIENT_HELLO
^
/home/jonny/server-files/nginx/nginx-ct/ngx_ssl_ct_module.c:164:19: note: each undeclared identifier is reported only once for each function it appears in
/home/jonny/server-files/nginx/nginx-ct/ngx_ssl_ct_module.c:165:19: error: ‘SSL_EXT_TLS1_2_SERVER_HELLO’ undeclared (first use in this function)
| SSL_EXT_TLS1_2_SERVER_HELLO
^
/home/jonny/server-files/nginx/nginx-ct/ngx_ssl_ct_module.c:166:19: error: ‘SSL_EXT_TLS1_3_CERTIFICATE’ undeclared (first use in this function)
| SSL_EXT_TLS1_3_CERTIFICATE;
^
/home/jonny/server-files/nginx/nginx-ct/ngx_ssl_ct_module.c:167:5: error: implicit declaration of function ‘SSL_CTX_add_custom_ext’ [-Werror=implicit-function-declaration]
if (SSL_CTX_add_custom_ext(ssl_ctx, NGX_SSL_CT_EXT, context,
^
/home/jonny/server-files/nginx/nginx-ct/ngx_ssl_ct_module.c: In function ‘ngx_ssl_ct_ext_cb’:
/home/jonny/server-files/nginx/nginx-ct/ngx_ssl_ct_module.c:192:20: error: ‘SSL_EXT_TLS1_3_CERTIFICATE’ undeclared (first use in this function)
if (context == SSL_EXT_TLS1_3_CERTIFICATE && chainidx != 0) {
^
cc1: all warnings being treated as errors
objs/Makefile:1811: recipe for target 'objs/addon/nginx-ct/ngx_ssl_ct_module.o' failed
make[1]: *** [objs/addon/nginx-ct/ngx_ssl_ct_module.o] Error 1
make[1]: Leaving directory '/home/jonny/server-files/nginx/nginx-1.13.0'
Makefile:8: recipe for target 'build' failed
make: *** [build] Error 2
Hi,
I am currently using this nginx
And recompiled it with the "--add-module=/path/to/nginx-ct"
Now I'm configuring my nginx.conf file. I know that this can be a silly question, but I am not experienced with the nginx environment and compilation. I am trying to put this in my nginx.conf file:
ssl_ct on;
ssl_ct_static_scts /path/to/sct/dir;
questions:
Sorry for the very dummy questions but any help will be appreciated.
NGINX added variables support in the ssl_certificate and ssl_certificate_key directives a few releases ago. Would be awesome if nginx-ct supported that too!
You should consider signing git commits & releases.
nginx: [emerg] dlopen() "/usr/lib64/nginx/modules/ngx_ssl_ct_module.so" failed (/usr/lib64/nginx/modules/ngx_ssl_ct_module.so: undefined symbol: SSL_CTX_add_custom_ext) in /etc/nginx/nginx.conf:11
nginx: configuration file /etc/nginx/nginx.conf test failed
How hard would it be to adapt the current module to also cooperate with ngx_stream_ssl_module or ngx_mail_ssl_module? Would it lead to too much code duplication?
Background: I have a multidomain cert from Letsencrypt which is used for all vhosts and is defined in http context, along with the path to scts. One vhost requires a client certificate, which is defined in the server context.
Result: all vhosts work as expected except for the one with a client certificate defined. That one gives an http 421 (Misdirected Request) response.
When the nginx-ct module is not loaded (and no scts are defined), that vhost works as expected.
Hello,
I'd like to use your plugin. Unfortunately I'm getting the following error when starting nginx:
nginx: [emerg] readdir() "/usr/local/nginx/conf/ssl/scts" failed (22: Invalid argument)
I'm using nginx-1.9.1 and openssl-1.0.2a on ubuntu.
Any idea what could be causing this?
edit: I also tested this with nginx-1.9.0 (just like the guide here). Didn't help :(
Got an error about "&ngx_stream_ssl_ct_merge_srv_conf" not being a correct reference:
static ngx_stream_module_t ngx_stream_ssl_ct_module_ctx = {
NULL, /* postconfiguration */
NULL, /* create main configuration */
NULL, /* init main configuration */
&ngx_ssl_ct_create_srv_conf, /* create server configuration */
&ngx_stream_ssl_ct_merge_srv_conf /* merge server configuration */
};
nginx 1.13.4 + openssl 1.1.1 draft 18 (for tls 1.3) + pcre 8.41 + nginx rtmp module
nginx-ct-master/ngx_ssl_ct_module.c: In function ‘ngx_ssl_ct_merge_srv_conf’:
nginx-ct-master/ngx_ssl_ct_module.c:164:19: error: ‘SSL_EXT_CLIENT_HELLO’ undeclared (first use in this function)
int context = SSL_EXT_CLIENT_HELLO
^
nginx-ct-master/ngx_ssl_ct_module.c:164:19: note: each undeclared identifier is reported only once for each function it appears in
nginx-ct-master/ngx_ssl_ct_module.c:165:19: error: ‘SSL_EXT_TLS1_2_SERVER_HELLO’ undeclared (first use in this function)
| SSL_EXT_TLS1_2_SERVER_HELLO
^
nginx-ct-master/ngx_ssl_ct_module.c:166:19: error: ‘SSL_EXT_TLS1_3_CERTIFICATE’ undeclared (first use in this function)
| SSL_EXT_TLS1_3_CERTIFICATE;
^
nginx-ct-master/ngx_ssl_ct_module.c:167:9: error: implicit declaration of function ‘SSL_CTX_add_custom_ext’ [-Werror=implicit-function-declaration]
if (SSL_CTX_add_custom_ext(ssl_ctx, NGX_SSL_CT_EXT, context,
^
nginx-ct-master/ngx_ssl_ct_module.c: In function ‘ngx_ssl_ct_ext_cb’:
nginx-ct-master/ngx_ssl_ct_module.c:192:20: error: ‘SSL_EXT_TLS1_3_CERTIFICATE’ undeclared (first use in this function)
if (context == SSL_EXT_TLS1_3_CERTIFICATE && chainidx != 0) {
^
cc1: all warnings being treated as errors
it seems not work with new openssl (1.1.1)
./configure --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-file-aio --with-cc-opt='-g -O2 -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,--as-needed' --with-http_v2_module --with-http_slice_module --with-http_image_filter_module --with-http_secure_link_module --with-http_xslt_module --with-http_degradation_module --with-stream --with-stream_ssl_module --with-google_perftools_module --with-threads --with-openssl=openssl-1.1.1-tls1.3-draft-18 --with-openssl-opt=enable-tls1_3 --add-module=nginx-rtmp-module --add-module=nginx-ct-master --with-pcre=pcre-8.41
compile option
--with-stream=dynamic \
--with-stream_ssl_module \
--with-stream_ssl_preread_module \
--with-stream_geoip_module=dynamic \
--with-mail=dynamic \
--with-mail_ssl_module \
It builds only ct
Using the following config:
ssl_ct on;
## RSA cert
ssl_certificate /usr/local/openssl/certs/my.crt;
ssl_certificate_key /usr/local/openssl/my.key;
ssl_ct_static_scts /usr/local/openssl/scts/rsa;
## ECDSA cert
ssl_certificate /usr/local/openssl/certs/my.ecdsa.crt;
ssl_certificate_key /usr/local/openssl/private/my.key;
ssl_ct_static_scts /usr/local/openssl/scts/ecdsa;
We see the following:
# nginx -t
nginx: [emerg] "ssl_ct_static_scts" directive is duplicate in /usr/local/etc/nginx/site.conf:27
nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed
# nginx -V
nginx version: nginx/1.11.8
built with OpenSSL 1.0.2j 26 Sep 2016
TLS SNI support enabled
configure arguments: --prefix=/usr/local/etc/nginx --with-cc-opt='-I /usr/local/include' --with-ld-opt='-L /usr/local/lib' --conf-path=/usr/local/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --user=www --group=www --modules-path=/usr/local/libexec/nginx --with-file-aio --with-ipv6 --http-client-body-temp-path=/var/tmp/nginx/client_body_temp --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp --http-proxy-temp-path=/var/tmp/nginx/proxy_temp --http-scgi-temp-path=/var/tmp/nginx/scgi_temp --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp --http-log-path=/var/log/nginx/access.log --add-module=/wrkdirs/usr/ports/www/nginx-devel/work/ngx_cache_purge-2.3 --add-dynamic-module=/wrkdirs/usr/ports/www/nginx-devel/work/nginx-ct-f3cad5e --add-dynamic-module=/wrkdirs/usr/ports/www/nginx-devel/work/echo-nginx-module-46334b3 --add-dynamic-module=/wrkdirs/usr/ports/www/nginx-devel/work/headers-more-nginx-module-84241e4 --add-module=/wrkdirs/usr/ports/www/nginx-devel/work/ngx-fancyindex-0.3.6 --add-module=/wrkdirs/usr/ports/www/nginx-devel/work/nginx-http-footer-filter-1.2.2 --with-http_realip_module --add-dynamic-module=/wrkdirs/usr/ports/www/nginx-devel/work/ngx_http_redis-0.3.8 --with-http_sub_module --add-module=/wrkdirs/usr/ports/www/nginx-devel/work/ngx_devel_kit-0.3.0 --with-pcre --add-module=/wrkdirs/usr/ports/www/nginx-devel/work/redis2-nginx-module-0.12 --add-dynamic-module=/wrkdirs/usr/ports/www/nginx-devel/work/set-misc-nginx-module-f808ef4 --add-module=/wrkdirs/usr/ports/www/nginx-devel/work/srcache-nginx-module-0.30 --with-http_v2_module --with-http_ssl_module --add-dynamic-module=/wrkdirs/usr/ports/www/nginx-devel/work/ngx_brotli-ada972b
Hey,
Little bug report that took some time to trace down to ct.
I'm running a test server with TLSv1.3, and with the latest few post-draft-19 TLSv1.3 implementations I get a server handshake failure in all browsers tested.
However, after I comment out ssl_ct in the config, the site works again.
nginx build options
nginx version: nginx/1.11.13
built by gcc 6.3.0 20170406 (Ubuntu 6.3.0-12ubuntu2)
built with OpenSSL 1.1.1-dev xx XXX xxxx
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/usr/local/nginx/nginx.pid --with-pcre=../pcre-8.40 --with-zlib=../zlib-1.2.11 --with-http_ssl_module --with-openssl=../openssl --with-openssl-opt=enable-tls1_3 --with-http_gzip_static_module --with-http_addition_module --with-http_geoip_module --with-http_dav_module --with-http_stub_status_module --with-http_sub_module --with-http_ssl_module --with-stream --with-stream_ssl_module --with-mail=dynamic --with-http_v2_module --add-dynamic-module=/opt/nginx-ct --with-mail=dynamic
Is there a way to get this working again with the newest git of OpenSSL? Or should one wait until TLSv1.3 is final? (Looks like draft 20 is coming out very soon.)
When running a nginx setup with multiple vhosts for different domains that each have independent domains+certificates it would be nice, if SCTs for all certificates could be put in one directory with the module including only those applicable to the current connection's server certificate.
As I understood the code while skimming over it, the module currently puts all SCTs it finds into the TLS extension. It would be nice, if the module only added SCTs applicable to the current vhost's certificate (and if necessary trust chain).
Intention:
Sorry
Hey,
Thank you for your work on this module, I've come across an issue.
I got this working on a subdomain of mine with a certificate issued for both the root and a number of subdomains. It works fine on the subdomain, but not on the root domain; both share the same SSL configuration in nginx, the only differences are folders and proxies.
##hmm strange, when I move the commands to enable:
ssl_ct on;
ssl_ct_static_scts /etc/nginx/ssl/sct/;
to /etc/nginx/nginx.conf rather than each site in ../enabled-sites/
It works for all subdomains but not the root domain. Any idea why this is?
I have two sites enabled, both share the same certificate; one only responds to apps.mydomain.com, the other responds to www.mydomain.com and mydomain.com,
the latter of which is the only one not reporting back as working with SSL Labs like the others: "Certificate Transparency Yes (TLS extension)".