
nginx-ct's People

Contributors

agl, gbilic, grahamedgecombe, mapx


nginx-ct's Issues

TLS 1.3 support

I've started looking at implementing this.

Looks like the first thing to do is to replace SSL_CTX_add_server_custom_ext with SSL_CTX_add_custom_ext on OpenSSL >= 1.1.1. This will allow us to drop the SSL_EXT_TLS1_2_AND_BELOW_ONLY flag.

Generating errors with some older browsers; as a result, the page is not displayed.

Since I've installed it, and I installed it correctly, I get these errors in my nginx 1.15.1 error logs every day, tons of them. Disabling it fixed the issue.

2018/07/06 15:57:03 [warn] 19687#19687: *287966 SSL_set_current_cert failed while SSL handshaking, client: 70.48.61.228, server: 0.0.0.0:443
2018/07/06 15:57:03 [crit] 19687#19687: *287966 SSL_do_handshake() failed (SSL: error:1422A0EA:SSL routines:custom_ext_add:callback failed) while SSL handshaking, client: 70.48.61.228, server: 0.0.0.0:443

The error given by the BROWSER is ERR_SSL_PROTOCOL_ERROR

Verified with the Epic privacy browser using Chromium Version 62.0.3202.94. Users can possibly reach the http page and switch to https, but thereafter no navigation is possible over https.

I know another user has reported similar behavior for Chromium 64.

I know that Chromium 66 and 67 are working well. Chromium 65 is untested, as are Chromium 45-61.

Would like to get that addressed, otherwise would be forced to disable it permanently. We're losing users and potential customers.

Willing to help/assist in tests if need be.

best regards!

Mail and Stream ssl_ct modules not compiling?

Using OpenSSL 1.0.2k from CentOS 7.4 with Nginx 1.13.5, ngx_mail_ssl_ct_module and ngx_stream_ssl_ct_module do not compile. ngx_ssl_ct_module and ngx_http_ssl_ct_module are built properly.

./configure --with-mail=dynamic --with-mail_ssl_module --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --add-dynamic-module=nginx-ct-1.3.2

Building with nginx 13.3.3

Hey,

I tried to build new nginx with nginx-ct today and have been getting these errors:

../nginx-ct/ngx_ssl_ct_module.c: In function ‘ngx_ssl_ct_merge_srv_conf’:
../nginx-ct/ngx_ssl_ct_module.c:164:19: error: ‘SSL_EXT_CLIENT_HELLO’ undeclared (first use in this function)
     int context = SSL_EXT_CLIENT_HELLO
                   ^~~~~~~~~~~~~~~~~~~~
../nginx-ct/ngx_ssl_ct_module.c:164:19: note: each undeclared identifier is reported only once for each function it appears in
../nginx-ct/ngx_ssl_ct_module.c:165:19: error: ‘SSL_EXT_TLS1_2_SERVER_HELLO’ undeclared (first use in this function)
                 | SSL_EXT_TLS1_2_SERVER_HELLO
                   ^~~~~~~~~~~~~~~~~~~~~~~~~~~
../nginx-ct/ngx_ssl_ct_module.c:166:19: error: ‘SSL_EXT_TLS1_3_CERTIFICATE’ undeclared (first use in this function)
                 | SSL_EXT_TLS1_3_CERTIFICATE;
                   ^~~~~~~~~~~~~~~~~~~~~~~~~~
../nginx-ct/ngx_ssl_ct_module.c:167:9: error: implicit declaration of function ‘SSL_CTX_add_custom_ext’ [-Werror=implicit-function-declaration]
     if (SSL_CTX_add_custom_ext(ssl_ctx, NGX_SSL_CT_EXT, context,
         ^~~~~~~~~~~~~~~~~~~~~~
../nginx-ct/ngx_ssl_ct_module.c: In function ‘ngx_ssl_ct_ext_cb’:
../nginx-ct/ngx_ssl_ct_module.c:192:20: error: ‘SSL_EXT_TLS1_3_CERTIFICATE’ undeclared (first use in this function)
     if (context == SSL_EXT_TLS1_3_CERTIFICATE && chainidx != 0) {
                    ^~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
objs/Makefile:1524: recipe for target 'objs/addon/nginx-ct/ngx_ssl_ct_module.o' failed
make[1]: *** [objs/addon/nginx-ct/ngx_ssl_ct_module.o] Error 1

The same error occurs with both the dynamic and the non-dynamic module.

feedback

/opt/src/nginx-ct-master/ngx_http_ssl_ct_module.c:167:9: warning: implicit declaration of function 'SSL_CTX_add_server_custom_ext' is invalid in C99 [-Wimplicit-function-declaration]
if (SSL_CTX_add_server_custom_ext(ssl_conf->ssl.ctx, NGX_HTTP_SSL_CT_EXT,
^
1 warning generated.
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ranlib: file: .libs/libpcre.a(libpcre_la-pcre_string_utils.o) has no symbols
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ranlib: file: .libs/libpcre.a(libpcre_la-pcre_string_utils.o) has no symbols
Undefined symbols for architecture x86_64:
"_SSL_CTX_add_server_custom_ext", referenced from:
_ngx_http_ssl_ct_merge_srv_conf in ngx_http_ssl_ct_module.o
ld: symbol(s) not found for architecture x86_64
clang: error: linker command failed with exit code 1 (use -v to see invocation)
make[1]: *** [objs/nginx] Error 1
make: *** [build] Error 2

error with last chrome and openssl

I'm using the latest nginx-ct with nginx 1.13.9 and OpenSSL 1.1.1 (alpha2).
When using CT we have a bug in Chrome 64.0.3282.186:
when you open the site everything is fine, but if you don't close the tab, wait 5-10 min and then refresh the site with F5, you get an SSL error (ERR_SSL_VERSION_INTERFERENCE on Windows) and can't open the site until you close the browser or restart nginx.
Also, CT works with that OpenSSL only if you write the ct directives in the block with default_server.

undefined symbol: ngx_modules

I tried to compile with Nginx 1.17.5 and get the following error when nginx-ct is compiled as dynamic module:
nginx: [emerg] dlsym() "/etc/nginx/ngx_ssl_ct_module.so", "ngx_modules" failed (/etc/nginx/ngx_ssl_ct_module.so: undefined symbol: ngx_modules) in /etc/nginx/nginx.conf:1
nginx: configuration file /etc/nginx/nginx.conf test failed

ngx_ssl_ct_module.so is not binary compatible

Building with nginx 1.10.3 and ./configure --add-dynamic-module=../nginx-ct-1.3.2 --with-http_ssl_module

sudo nginx -t
nginx: [emerg] module "/usr/share/nginx/modules/ngx_ssl_ct_module.so" is not binary compatible in /etc/nginx/modules-enabled/load_modules.conf:1
nginx: configuration file /etc/nginx/nginx.conf test failed
$ sudo nginx -V
nginx version: nginx/1.10.3
built with OpenSSL 1.1.0f  25 May 2017
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-2tpxfc/nginx-1.10.3=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module --add-dynamic-module=/build/nginx-2tpxfc/nginx-1.10.3/debian/modules/nginx-auth-pam --add-dynamic-module=/build/nginx-2tpxfc/nginx-1.10.3/debian/modules/nginx-dav-ext-module --add-dynamic-module=/build/nginx-2tpxfc/nginx-1.10.3/debian/modules/nginx-echo --add-dynamic-module=/build/nginx-2tpxfc/nginx-1.10.3/debian/modules/nginx-upstream-fair --add-dynamic-module=/build/nginx-2tpxfc/nginx-1.10.3/debian/modules/ngx_http_substitutions_filter_module

$ openssl version
OpenSSL 1.1.0f  25 May 2017

undefined symbol: ngx_ssl_ct_create_srv_conf

Hello, I encountered this error on Ubuntu 22.04, which ships with OpenSSL 3. Any idea?

root@b8ab3399ba7b:/etc/nginx/modules-enabled# ln -s ../modules-available/mod-http-ssl-ct.conf .
root@b8ab3399ba7b:/etc/nginx/modules-enabled# nginx -t
nginx: [emerg] dlopen() "/usr/share/nginx/modules/ngx_http_ssl_ct_module.so" failed (/usr/share/nginx/modules/ngx_http_ssl_ct_module.so: undefined symbol: ngx_ssl_ct_create_srv_conf) in /etc/nginx/modules-enabled/mod-http-ssl-ct.conf:1
nginx: configuration file /etc/nginx/nginx.conf test failed

No .so file found

Hi,
I don't really understand how to use this file dynamically.

  1. I download the file and configure nginx.conf to add the line
     `load_module "/usr/lib64/nginx/modules/nginx-ct-master/ngx_http_ssl_ct_module.c";` (this is my path to the file, as I can't find any .so file)

Then this line occurred when I tried to start nginx:
Sep 02 15:59:03 las2 nginx[26339]: nginx: [emerg] dlopen() "/usr/lib64/nginx/modules/nginx-ct-master/ngx_http_ssl_ct_module.c" failed (/usr/lib64/nginx/modules/nginx-ct-master/ngx_http_ssl_ct_module.c: invalid ELF header) in /etc/nginx/nginx.conf:8

Did I do something wrong?

Nginx version is 1.13.4
OpenSSL version is OpenSSL 1.1.0f 25 May 2017
CentOS 7

Thanks.

Cannot compile nginx due to implicit declarations of functions

Used nginx version: 1.11.10 (current mainline version)
Used nginx-ct version: current source code
Used OpenSSL version: 1.1.0e (2017-Feb-16)

cc -c -fPIC -pipe  -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g  -I src/core -I src/event -I src/event/modules -I src/os/unix -I ../nginx-rtmp -I objs -I src/http -I src/http/modules -I src/http/v2 -I src/mail -I src/stream \
        -o objs/addon/nginx-ct/ngx_ssl_ct_module.o \
        ../nginx-ct/ngx_ssl_ct_module.c
../nginx-ct/ngx_ssl_ct_module.c: In function ‘ngx_ssl_ct_merge_srv_conf’:
../nginx-ct/ngx_ssl_ct_module.c:175:5: error: implicit declaration of function ‘SSL_CTX_add_server_custom_ext’ [-Werror=implicit-function-declaration]
     if (SSL_CTX_add_server_custom_ext(ssl_ctx, NGX_SSL_CT_EXT,
     ^
../nginx-ct/ngx_ssl_ct_module.c: In function ‘ngx_ssl_ct_ext_cb’:
../nginx-ct/ngx_ssl_ct_module.c:192:5: error: implicit declaration of function ‘SSL_set_current_cert’ [-Werror=implicit-function-declaration]
     int result = SSL_set_current_cert(s, SSL_CERT_SET_SERVER);
     ^
../nginx-ct/ngx_ssl_ct_module.c:192:42: error: ‘SSL_CERT_SET_SERVER’ undeclared (first use in this function)
     int result = SSL_set_current_cert(s, SSL_CERT_SET_SERVER);
                                          ^
../nginx-ct/ngx_ssl_ct_module.c:192:42: note: each undeclared identifier is reported only once for each function it appears in
cc1: all warnings being treated as errors
objs/Makefile:2077: recipe for target 'objs/addon/nginx-ct/ngx_ssl_ct_module.o' failed
make[1]: *** [objs/addon/nginx-ct/ngx_ssl_ct_module.o] Error 1

How can I solve this?

Compile nginx (1.13.7) + openssl (tls1.3-draft-18) + nginx-ct

Hi,
Any variants with existing temporary solutions lead to an error:

        -o objs/addon/ngx_ct/ngx_ssl_ct_module.o \
        /…/ngx_ct/ngx_ssl_ct_module.c
/…/ngx_ct/ngx_ssl_ct_module.c: In function ‘ngx_ssl_ct_merge_srv_conf’:
/…/ngx_ct/ngx_ssl_ct_module.c:164:19: error: ‘SSL_EXT_CLIENT_HELLO’ undeclared (first use in this function)
     int context = SSL_EXT_CLIENT_HELLO
                   ^
/…/ngx_ct/ngx_ssl_ct_module.c:164:19: note: each undeclared identifier is reported only once for each function it appears in
/…/ngx_ct/ngx_ssl_ct_module.c:165:19: error: ‘SSL_EXT_TLS1_2_SERVER_HELLO’ undeclared (first use in this function)
                 | SSL_EXT_TLS1_2_SERVER_HELLO
                   ^
/…/ngx_ct/ngx_ssl_ct_module.c:166:19: error: ‘SSL_EXT_TLS1_3_CERTIFICATE’ undeclared (first use in this function)
                 | SSL_EXT_TLS1_3_CERTIFICATE;
                   ^
/…/ngx_ct/ngx_ssl_ct_module.c:167:5: warning: implicit declaration of function ‘SSL_CTX_add_custom_ext’ [-Wimplicit-function-declaration]
     if (SSL_CTX_add_custom_ext(ssl_ctx, NGX_SSL_CT_EXT, context,
     ^
/…/ngx_ct/ngx_ssl_ct_module.c: In function ‘ngx_ssl_ct_ext_cb’:
/…/ngx_ct/ngx_ssl_ct_module.c:192:20: error: ‘SSL_EXT_TLS1_3_CERTIFICATE’ undeclared (first use in this function)
     if (context == SSL_EXT_TLS1_3_CERTIFICATE && chainidx != 0) {
                    ^
make[1]: *** [objs/addon/ngx_ct/ngx_ssl_ct_module.o] Error 1

Has anyone found a solution?
Tnx!

Using libressl-2.2.4, compilation cannot be completed

Using libressl-2.2.4, compilation cannot be completed
http://pastebin.com/4aNvupyh

cc -o objs/nginx objs/src/core/nginx.o objs/src/core/ngx_log.o objs/src/core/ngx_palloc.o objs/src/core/ngx_array.o objs/src/core/ngx_list.o objs/src/core/ngx_hash.o objs/src/core/ngx_buf.o objs/src/core/ngx_queue.o objs/src/core/ngx_output_chain.o objs/src/core/ngx_string.o objs/src/core/ngx_parse.o objs/src/core/ngx_parse_time.o objs/src/core/ngx_inet.o objs/src/core/ngx_file.o objs/src/core/ngx_crc32.o objs/src/core/ngx_murmurhash.o objs/src/core/ngx_md5.o objs/src/core/ngx_rbtree.o objs/src/core/ngx_radix_tree.o objs/src/core/ngx_slab.o objs/src/core/ngx_times.o objs/src/core/ngx_shmtx.o objs/src/core/ngx_connection.o objs/src/core/ngx_cycle.o objs/src/core/ngx_spinlock.o objs/src/core/ngx_rwlock.o objs/src/core/ngx_cpuinfo.o objs/src/core/ngx_conf_file.o objs/src/core/ngx_resolver.o objs/src/core/ngx_open_file_cache.o objs/src/core/ngx_crypt.o objs/src/core/ngx_proxy_protocol.o objs/src/core/ngx_syslog.o objs/src/event/ngx_event.o objs/src/event/ngx_event_timer.o objs/src/event/ngx_event_posted.o objs/src/event/ngx_event_accept.o objs/src/event/ngx_event_connect.o objs/src/event/ngx_event_pipe.o objs/src/os/unix/ngx_time.o objs/src/os/unix/ngx_errno.o objs/src/os/unix/ngx_alloc.o objs/src/os/unix/ngx_files.o objs/src/os/unix/ngx_socket.o objs/src/os/unix/ngx_recv.o objs/src/os/unix/ngx_readv_chain.o objs/src/os/unix/ngx_udp_recv.o objs/src/os/unix/ngx_send.o objs/src/os/unix/ngx_writev_chain.o objs/src/os/unix/ngx_channel.o objs/src/os/unix/ngx_shmem.o objs/src/os/unix/ngx_process.o objs/src/os/unix/ngx_daemon.o objs/src/os/unix/ngx_setaffinity.o objs/src/os/unix/ngx_setproctitle.o objs/src/os/unix/ngx_posix_init.o objs/src/os/unix/ngx_user.o objs/src/os/unix/ngx_process_cycle.o objs/src/os/unix/ngx_freebsd_init.o objs/src/os/unix/ngx_freebsd_sendfile_chain.o objs/src/event/modules/ngx_kqueue_module.o objs/src/event/ngx_event_openssl.o objs/src/event/ngx_event_openssl_stapling.o objs/src/core/ngx_regex.o objs/src/http/ngx_http.o 
objs/src/http/ngx_http_core_module.o objs/src/http/ngx_http_special_response.o objs/src/http/ngx_http_request.o objs/src/http/ngx_http_parse.o objs/src/http/ngx_http_header_filter_module.o objs/src/http/ngx_http_write_filter_module.o objs/src/http/ngx_http_copy_filter_module.o objs/src/http/modules/ngx_http_log_module.o objs/src/http/ngx_http_request_body.o objs/src/http/ngx_http_variables.o objs/src/http/ngx_http_script.o objs/src/http/ngx_http_upstream.o objs/src/http/ngx_http_upstream_round_robin.o objs/src/http/modules/ngx_http_static_module.o objs/src/http/modules/ngx_http_index_module.o objs/src/http/modules/ngx_http_chunked_filter_module.o objs/src/http/modules/ngx_http_range_filter_module.o objs/src/http/modules/ngx_http_headers_filter_module.o objs/src/http/modules/ngx_http_not_modified_filter_module.o objs/src/http/ngx_http_file_cache.o objs/src/http/modules/ngx_http_gzip_filter_module.o objs/src/http/ngx_http_postpone_filter_module.o objs/src/http/modules/ngx_http_ssi_filter_module.o objs/src/http/modules/ngx_http_charset_filter_module.o objs/src/http/modules/ngx_http_userid_filter_module.o objs/src/http/v2/ngx_http_v2.o objs/src/http/v2/ngx_http_v2_table.o objs/src/http/v2/ngx_http_v2_huff_decode.o objs/src/http/v2/ngx_http_v2_huff_encode.o objs/src/http/v2/ngx_http_v2_module.o objs/src/http/v2/ngx_http_v2_filter_module.o objs/src/http/modules/ngx_http_autoindex_module.o objs/src/http/modules/ngx_http_auth_basic_module.o objs/src/http/modules/ngx_http_access_module.o objs/src/http/modules/ngx_http_limit_conn_module.o objs/src/http/modules/ngx_http_limit_req_module.o objs/src/http/modules/ngx_http_geo_module.o objs/src/http/modules/ngx_http_map_module.o objs/src/http/modules/ngx_http_split_clients_module.o objs/src/http/modules/ngx_http_referer_module.o objs/src/http/modules/ngx_http_rewrite_module.o objs/src/http/modules/ngx_http_ssl_module.o objs/src/http/modules/ngx_http_proxy_module.o objs/src/http/modules/ngx_http_fastcgi_module.o 
objs/src/http/modules/ngx_http_uwsgi_module.o objs/src/http/modules/ngx_http_scgi_module.o objs/src/http/modules/ngx_http_memcached_module.o objs/src/http/modules/ngx_http_empty_gif_module.o objs/src/http/modules/ngx_http_browser_module.o objs/src/http/modules/ngx_http_upstream_hash_module.o objs/src/http/modules/ngx_http_upstream_ip_hash_module.o objs/src/http/modules/ngx_http_upstream_least_conn_module.o objs/src/http/modules/ngx_http_upstream_keepalive_module.o objs/src/http/modules/ngx_http_upstream_zone_module.o objs/src/http/modules/ngx_http_stub_status_module.o objs/addon/nginx-ct/ngx_http_ssl_ct_module.o objs/addon/src/ngx_http_headers_more_filter_module.o objs/addon/src/ngx_http_headers_more_headers_out.o objs/addon/src/ngx_http_headers_more_headers_in.o objs/addon/src/ngx_http_headers_more_util.o objs/ngx_modules.o -L /usr/local/lib -lcrypt -lpcre -lssl -lcrypto -lz
objs/addon/nginx-ct/ngx_http_ssl_ct_module.o: In function `ngx_http_ssl_ct_merge_srv_conf':
/home/ghw/nginx-ct/ngx_http_ssl_ct_module.c:(.text+0x480): undefined reference to `SSL_CTX_add_server_custom_ext'
cc: error: linker command failed with exit code 1 (use -v to see invocation)
*** Error code 1

Stop.

make[3]: stopped in /usr/ports/www/nginx-devel/work/nginx-1.9.6

Using ngx_mail_ssl_ct_module

Is ngx_ssl_ct_module required to be loaded before ngx_mail_ssl_ct_module? I intend to use only ngx_mail_ssl_ct_module and skip ngx_http_ssl_ct_module.

Automated tests

nginx-ct supports several versions of nginx, OpenSSL and BoringSSL. Testing by hand is becoming rather time-consuming.

It'd be good to have a set of automated tests that cover all the combinations of nginx version, SSL library, dynamic/static module, etc.

Make fails with nginx v1.10.3

System OS: Ubuntu 16.04 64-bit

objs/addon/nginx-ct-1.3.2/ngx_ssl_ct_module.o: In function `ngx_ssl_ct_ext_cb':
ngx_ssl_ct_module.c:(.text+0x68): multiple definition of `ngx_ssl_ct_ext_cb'
objs/addon/nginx-ct-1.3.2/ngx_ssl_ct_module.o:ngx_ssl_ct_module.c:(.text+0x68): first defined here
objs/addon/nginx-ct-1.3.2/ngx_ssl_ct_module.o: In function `ngx_ssl_ct_create_srv_conf':
ngx_ssl_ct_module.c:(.text+0x11c): multiple definition of `ngx_ssl_ct_create_srv_conf'
objs/addon/nginx-ct-1.3.2/ngx_ssl_ct_module.o:ngx_ssl_ct_module.c:(.text+0x11c): first defined here
objs/addon/nginx-ct-1.3.2/ngx_ssl_ct_module.o: In function `ngx_ssl_ct_read_static_scts':
ngx_ssl_ct_module.c:(.text+0x146): multiple definition of `ngx_ssl_ct_read_static_scts'
objs/addon/nginx-ct-1.3.2/ngx_ssl_ct_module.o:ngx_ssl_ct_module.c:(.text+0x146): first defined here
objs/addon/nginx-ct-1.3.2/ngx_ssl_ct_module.o: In function `ngx_ssl_ct_merge_srv_conf':
ngx_ssl_ct_module.c:(.text+0x637): multiple definition of `ngx_ssl_ct_merge_srv_conf'
objs/addon/nginx-ct-1.3.2/ngx_ssl_ct_module.o:ngx_ssl_ct_module.c:(.text+0x637): first defined here
objs/addon/nginx-ct-1.3.2/ngx_ssl_ct_module.o:(.data+0x0): multiple definition of `ngx_ssl_ct_module'
objs/addon/nginx-ct-1.3.2/ngx_ssl_ct_module.o:(.data+0x0): first defined here
objs/addon/nginx-ct-1.3.2/ngx_http_ssl_ct_module.o:(.data+0x0): multiple definition of `ngx_http_ssl_ct_module'
objs/addon/nginx-ct-1.3.2/ngx_http_ssl_ct_module.o:(.data+0x0): first defined here
collect2: error: ld returned 1 exit status
objs/Makefile:318: recipe for target 'objs/nginx' failed
make[1]: *** [objs/nginx] Error 1
make[1]: Leaving directory '/root/MistackV2/oneinstack/src/nginx-1.10.3'
Makefile:8: recipe for target 'build' failed
make: *** [build] Error 2
 ./configure --prefix=/usr/local/nginx --user=www --group=www --with-http_stub_status_module --with-http_v2_module --with-http_ssl_module --with-http_gzip_static_module --with-http_realip_module --with-http_flv_module --with-http_mp4_module --with-openssl=../openssl-1.0.2k --with-pcre-jit --with-ld-opt='-ljemalloc' --add-module=../../../ext-src/nginx-ct-1.3.2  --add-module=../../../ext-src/nginx-ct-1.3.2  --add-module=../../../ext-src/ngx_brotli-bfd2885  --add-module=../../../ext-src/ngx_cache_purge-2.3  --add-module=../../../ext-src/ngx_pagespeed-1.12.34.2-beta

Make fails with nginx v1.11.3 / v1.10.1

  • using nginx-ct release version 1.3.0
  • using OpenSSL version 1.0.2h (on Debian jessie 8.5)
  • using nginx mainline version 1.11.3 and stable version 1.10.1 - but works with previous stable version 1.10.0
  • nginx configured with add-module for nginx-ct:

./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-http_v2_module --with-ipv6 --add-module=../nginx-ct-1.3.0

Occurred error on make:

objs/ngx_modules.o \
-ldl -lpthread -lpthread -lcrypt -lpcre -lssl -lcrypto -ldl -lz \
-Wl,-E
objs/addon/nginx-ct-1.3.0/ngx_ssl_ct_module.o: In function `ngx_ssl_ct_ext_cb':
~/nginx-current/nginx-1.11.3/../nginx-ct-1.3.0/ngx_ssl_ct_module.c:197: undefined reference to `ssl_get_server_send_pkey'
collect2: error: ld returned 1 exit status
objs/Makefile:354: recipe for target 'objs/nginx' failed
make[1]: *** [objs/nginx] Error 1
make[1]: Leaving directory '~/nginx-current/nginx-1.11.3'
Makefile:8: recipe for target 'build' failed
make: *** [build] Error 2

This doesn’t compile against OpenSSL 1.1.1 branch draft-18 of TLS 1.3

It gives this output:

make
make -f objs/Makefile
make[1]: Entering directory '/home/jonny/server-files/nginx/nginx-1.13.0'
cc -c -pipe  -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -Wno-deprecated-declarations -Wno-deprecated-declarations  -I src/core -I src/event -I src/event/modules -I src/os/unix -I /home/jonny/server-files/nginx/nginx-rtmp-module -I /home/jonny/server-files/pcre/pcre-8.40 -I /home/jonny/server-files/openssl/openssl-1.1.1-tls1.3-draft-18/.openssl/include -I /home/jonny/server-files/zlib/zlib-1.2.11 -I objs -I src/http -I src/http/modules -I src/http/v2 -I /home/jonny/server-files/nginx/ngx_brotli/deps/brotli/include \
	-o objs/addon/nginx-ct/ngx_ssl_ct_module.o \
	/home/jonny/server-files/nginx/nginx-ct/ngx_ssl_ct_module.c
/home/jonny/server-files/nginx/nginx-ct/ngx_ssl_ct_module.c: In function ‘ngx_ssl_ct_merge_srv_conf’:
/home/jonny/server-files/nginx/nginx-ct/ngx_ssl_ct_module.c:164:19: error: ‘SSL_EXT_CLIENT_HELLO’ undeclared (first use in this function)
     int context = SSL_EXT_CLIENT_HELLO
                   ^
/home/jonny/server-files/nginx/nginx-ct/ngx_ssl_ct_module.c:164:19: note: each undeclared identifier is reported only once for each function it appears in
/home/jonny/server-files/nginx/nginx-ct/ngx_ssl_ct_module.c:165:19: error: ‘SSL_EXT_TLS1_2_SERVER_HELLO’ undeclared (first use in this function)
                 | SSL_EXT_TLS1_2_SERVER_HELLO
                   ^
/home/jonny/server-files/nginx/nginx-ct/ngx_ssl_ct_module.c:166:19: error: ‘SSL_EXT_TLS1_3_CERTIFICATE’ undeclared (first use in this function)
                 | SSL_EXT_TLS1_3_CERTIFICATE;
                   ^
/home/jonny/server-files/nginx/nginx-ct/ngx_ssl_ct_module.c:167:5: error: implicit declaration of function ‘SSL_CTX_add_custom_ext’ [-Werror=implicit-function-declaration]
     if (SSL_CTX_add_custom_ext(ssl_ctx, NGX_SSL_CT_EXT, context,
     ^
/home/jonny/server-files/nginx/nginx-ct/ngx_ssl_ct_module.c: In function ‘ngx_ssl_ct_ext_cb’:
/home/jonny/server-files/nginx/nginx-ct/ngx_ssl_ct_module.c:192:20: error: ‘SSL_EXT_TLS1_3_CERTIFICATE’ undeclared (first use in this function)
     if (context == SSL_EXT_TLS1_3_CERTIFICATE && chainidx != 0) {
                    ^
cc1: all warnings being treated as errors
objs/Makefile:1811: recipe for target 'objs/addon/nginx-ct/ngx_ssl_ct_module.o' failed
make[1]: *** [objs/addon/nginx-ct/ngx_ssl_ct_module.o] Error 1
make[1]: Leaving directory '/home/jonny/server-files/nginx/nginx-1.13.0'
Makefile:8: recipe for target 'build' failed
make: *** [build] Error 2

What are SCT files

Hi,

I am currently using this nginx

  • nginx version: nginx/1.10.3 (Ubuntu)

And recompiled it with the "--add-module=/path/to/nginx-ct"

Now I'm configuring my nginx.conf file. I know this may be a silly question, but I am not experienced with the nginx environment and compilation. I am trying to put this in my nginx.conf file:

ssl_ct on;
ssl_ct_static_scts /path/to/sct/dir;

Questions:

  • Where is the SCT directory?
  • What are the SCT files?
  • I already have the "ssl on" directive; should I replace it with "ssl_ct on"?

Sorry for the very dummy questions but any help will be appreciated.
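The following is an added example, not code from nginx-ct or from the issue's author. It assumes (and this is an assumption, not something the issue states) that each `.sct` file in the `ssl_ct_static_scts` directory holds one raw RFC 6962 `SignedCertificateTimestamp` in its TLS encoding. The checker parses every such file, reports the log ID, timestamp and signature algorithm, and flags truncated or oversized files, which is a useful sanity check before reloading nginx. The sample SCT it builds is constructed for demonstration only: the log ID and signature bytes are placeholders and would not verify against any real log.

```python
import struct
from datetime import datetime, timezone
from pathlib import Path

# TLS SignatureAndHashAlgorithm code points that appear inside an SCT (RFC 5246 / RFC 6962)
HASH_ALGS = {4: "sha256"}
SIG_ALGS = {1: "rsa", 3: "ecdsa"}


def parse_sct(data: bytes) -> dict:
    """Parse one RFC 6962 SignedCertificateTimestamp in its raw TLS encoding:
    version(1) | log_id(32) | timestamp(8, ms since epoch) | extensions(2-byte len + bytes)
    | hash_alg(1) | sig_alg(1) | signature(2-byte len + bytes).
    Only the structure is checked; the signature itself is not verified here."""
    if len(data) < 1 + 32 + 8 + 2 + 2 + 2:
        raise ValueError("SCT too short")
    version = data[0]
    if version != 0:  # SCT v1 is encoded as 0
        raise ValueError(f"unsupported SCT version {version}")
    log_id = data[1:33]
    (timestamp_ms,) = struct.unpack(">Q", data[33:41])
    (ext_len,) = struct.unpack(">H", data[41:43])
    pos = 43 + ext_len
    if pos + 4 > len(data):
        raise ValueError("truncated extensions")
    extensions = data[43:pos]
    hash_alg, sig_alg = data[pos], data[pos + 1]
    (sig_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
    sig_start = pos + 4
    signature = data[sig_start:sig_start + sig_len]
    if len(signature) != sig_len:
        raise ValueError("truncated signature")
    if sig_start + sig_len != len(data):
        raise ValueError("trailing bytes after signature")
    return {
        "version": version,
        "log_id": log_id.hex(),
        "timestamp_ms": timestamp_ms,
        "timestamp": datetime.fromtimestamp(timestamp_ms / 1000, tz=timezone.utc),
        "extensions": extensions,
        "hash_alg": HASH_ALGS.get(hash_alg, f"unknown({hash_alg})"),
        "sig_alg": SIG_ALGS.get(sig_alg, f"unknown({sig_alg})"),
        "signature_len": sig_len,
    }


def check_sct_dir(directory: str) -> dict:
    """Parse every *.sct file in the directory.
    Returns {filename: parsed dict} for good files and {filename: "error: ..."} for bad ones."""
    results = {}
    for path in sorted(Path(directory).glob("*.sct")):
        try:
            results[path.name] = parse_sct(path.read_bytes())
        except (OSError, ValueError) as exc:
            results[path.name] = f"error: {exc}"
    return results


def build_sample_sct() -> bytes:
    """Constructed sample SCT: structurally valid, but the log ID and the
    4-byte signature are placeholders that would fail real verification."""
    log_id = bytes([0x11]) * 32
    timestamp_ms = 1500000000000  # 2017-07-14T02:40:00Z
    signature = b"\xde\xad\xbe\xef"
    return (
        bytes([0])                           # version v1
        + log_id
        + struct.pack(">Q", timestamp_ms)
        + struct.pack(">H", 0)               # no extensions
        + bytes([4, 3])                      # sha256, ecdsa
        + struct.pack(">H", len(signature))
        + signature
    )


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for name, info in check_sct_dir(sys.argv[1]).items():
            print(name, info)
    else:
        print(parse_sct(build_sample_sct()))
```

Run it as `python sct_check.py /path/to/sct/dir` against the directory named in `ssl_ct_static_scts`; any entry reported as `error:` is a file nginx-ct would be handed as-is, so it is worth fixing before the module serves it.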

Variable support

NGINX added variables support in the ssl_certificate and ssl_certificate_key directives a few releases ago. Would be awesome if nginx-ct supported that too!

undefined symbol: SSL_CTX_add_custom_ext

nginx: [emerg] dlopen() "/usr/lib64/nginx/modules/ngx_ssl_ct_module.so" failed (/usr/lib64/nginx/modules/ngx_ssl_ct_module.so: undefined symbol: SSL_CTX_add_custom_ext) in /etc/nginx/nginx.conf:11
nginx: configuration file /etc/nginx/nginx.conf test failed

421 Response from nginx when certs and /path/to/scts defined in "http" and using client certificate

Background: I have a multidomain cert from Letsencrypt which is used for all vhosts and is defined in http context, along with the path to scts. One vhost requires a client certificate, which is defined in the server context.

Result: all vhosts work as expected except for the one with a client certificate defined. That one gives an http 421 (Misdirected Request) response.

When the nginx-ct module is not loaded (and no scts are defined), that vhost works as expected.

readdir() failed (22: Invalid argument)

Hello,

I'd like to use your plugin. Unfortunately I'm getting the following error when starting nginx:

nginx: [emerg] readdir() "/usr/local/nginx/conf/ssl/scts" failed (22: Invalid argument)

I'm using nginx-1.9.1 and openssl-1.0.2a on ubuntu.

Any idea what could be causing this?

edit: I also tested this with nginx-1.9.0 (just like the guide here). Didn't help :(

Can't build nginx 1.11.2

Got an error about "&ngx_stream_ssl_ct_merge_srv_conf" not being a correct reference:

static ngx_stream_module_t ngx_stream_ssl_ct_module_ctx = {
  NULL,                             /* postconfiguration */

  NULL,                             /* create main configuration */
  NULL,                             /* init main configuration */

  &ngx_ssl_ct_create_srv_conf,      /* create server configuration */
  &ngx_stream_ssl_ct_merge_srv_conf /* merge server configuration */
};

Can't build with this module

nginx 1.13.4 + openssl 1.1.1 draft 18 (for tls 1.3) + pcre 8.41 + nginx rtmp module

nginx-ct-master/ngx_ssl_ct_module.c: In function ‘ngx_ssl_ct_merge_srv_conf’:
nginx-ct-master/ngx_ssl_ct_module.c:164:19: error: ‘SSL_EXT_CLIENT_HELLO’ undeclared (first use in this function)
     int context = SSL_EXT_CLIENT_HELLO
                   ^
nginx-ct-master/ngx_ssl_ct_module.c:164:19: note: each undeclared identifier is reported only once for each function it appears in
nginx-ct-master/ngx_ssl_ct_module.c:165:19: error: ‘SSL_EXT_TLS1_2_SERVER_HELLO’ undeclared (first use in this function)
                 | SSL_EXT_TLS1_2_SERVER_HELLO
                   ^
nginx-ct-master/ngx_ssl_ct_module.c:166:19: error: ‘SSL_EXT_TLS1_3_CERTIFICATE’ undeclared (first use in this function)
                 | SSL_EXT_TLS1_3_CERTIFICATE;
                   ^
nginx-ct-master/ngx_ssl_ct_module.c:167:9: error: implicit declaration of function ‘SSL_CTX_add_custom_ext’ [-Werror=implicit-function-declaration]
     if (SSL_CTX_add_custom_ext(ssl_ctx, NGX_SSL_CT_EXT, context,
         ^
nginx-ct-master/ngx_ssl_ct_module.c: In function ‘ngx_ssl_ct_ext_cb’:
nginx-ct-master/ngx_ssl_ct_module.c:192:20: error: ‘SSL_EXT_TLS1_3_CERTIFICATE’ undeclared (first use in this function)
     if (context == SSL_EXT_TLS1_3_CERTIFICATE && chainidx != 0) {
                    ^
cc1: all warnings being treated as errors

It seems not to work with the new OpenSSL (1.1.1).

./configure --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-file-aio --with-cc-opt='-g -O2 -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,--as-needed' --with-http_v2_module --with-http_slice_module --with-http_image_filter_module --with-http_secure_link_module --with-http_xslt_module --with-http_degradation_module --with-stream --with-stream_ssl_module --with-google_perftools_module --with-threads --with-openssl=openssl-1.1.1-tls1.3-draft-18 --with-openssl-opt=enable-tls1_3 --add-module=nginx-rtmp-module --add-module=nginx-ct-master --with-pcre=pcre-8.41

Compile options (above).

Failure when using two certificates

Using the following config:

    ssl_ct on;

    ## RSA cert
    ssl_certificate /usr/local/openssl/certs/my.crt;
    ssl_certificate_key /usr/local/openssl/my.key;
    ssl_ct_static_scts /usr/local/openssl/scts/rsa;

    ## ECDSA cert
    ssl_certificate /usr/local/openssl/certs/my.ecdsa.crt;
    ssl_certificate_key /usr/local/openssl/private/my.key;
    ssl_ct_static_scts /usr/local/openssl/scts/ecdsa;

We see the following:

# nginx -t
nginx: [emerg] "ssl_ct_static_scts" directive is duplicate in /usr/local/etc/nginx/site.conf:27
nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed

# nginx -V
nginx version: nginx/1.11.8
built with OpenSSL 1.0.2j 26 Sep 2016
TLS SNI support enabled
configure arguments: --prefix=/usr/local/etc/nginx --with-cc-opt='-I /usr/local/include' --with-ld-opt='-L /usr/local/lib' --conf-path=/usr/local/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --user=www --group=www --modules-path=/usr/local/libexec/nginx --with-file-aio --with-ipv6 --http-client-body-temp-path=/var/tmp/nginx/client_body_temp --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp --http-proxy-temp-path=/var/tmp/nginx/proxy_temp --http-scgi-temp-path=/var/tmp/nginx/scgi_temp --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp --http-log-path=/var/log/nginx/access.log --add-module=/wrkdirs/usr/ports/www/nginx-devel/work/ngx_cache_purge-2.3 --add-dynamic-module=/wrkdirs/usr/ports/www/nginx-devel/work/nginx-ct-f3cad5e --add-dynamic-module=/wrkdirs/usr/ports/www/nginx-devel/work/echo-nginx-module-46334b3 --add-dynamic-module=/wrkdirs/usr/ports/www/nginx-devel/work/headers-more-nginx-module-84241e4 --add-module=/wrkdirs/usr/ports/www/nginx-devel/work/ngx-fancyindex-0.3.6 --add-module=/wrkdirs/usr/ports/www/nginx-devel/work/nginx-http-footer-filter-1.2.2 --with-http_realip_module --add-dynamic-module=/wrkdirs/usr/ports/www/nginx-devel/work/ngx_http_redis-0.3.8 --with-http_sub_module --add-module=/wrkdirs/usr/ports/www/nginx-devel/work/ngx_devel_kit-0.3.0 --with-pcre --add-module=/wrkdirs/usr/ports/www/nginx-devel/work/redis2-nginx-module-0.12 --add-dynamic-module=/wrkdirs/usr/ports/www/nginx-devel/work/set-misc-nginx-module-f808ef4 --add-module=/wrkdirs/usr/ports/www/nginx-devel/work/srcache-nginx-module-0.30 --with-http_v2_module --with-http_ssl_module --add-dynamic-module=/wrkdirs/usr/ports/www/nginx-devel/work/ngx_brotli-ada972b

Handshake fail on nginx 1.11.13 with OpenSSL_1_1_0-pre6-2220-gb3c42fc25

Hey,

Little bug report, that took some time to trace down to ct,

I'm running a test server with TLSv1.3 and with the latest few post-draft-19 implementations of TLSv1.3 I get server handshake fail in all browsers tested,

However after I comment out ssl_ct in config, site works again

  • ssl_ct on;
  • ssl_ct_static_scts /etc/nginx/ssl/sct;

nginx build options

nginx version: nginx/1.11.13
built by gcc 6.3.0 20170406 (Ubuntu 6.3.0-12ubuntu2)
built with OpenSSL 1.1.1-dev xx XXX xxxx
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/usr/local/nginx/nginx.pid --with-pcre=../pcre-8.40 --with-zlib=../zlib-1.2.11 --with-http_ssl_module --with-openssl=../openssl --with-openssl-opt=enable-tls1_3 --with-http_gzip_static_module --with-http_addition_module --with-http_geoip_module --with-http_dav_module --with-http_stub_status_module --with-http_sub_module --with-http_ssl_module --with-stream --with-stream_ssl_module --with-mail=dynamic --with-http_v2_module --add-dynamic-module=/opt/nginx-ct --with-mail=dynamic

Is there a way to get this working again with the newest git of OpenSSL? Or should one wait until TLSv1.3 is final? (looks like draft 20 is coming out very soon)

Auto-detect applicable SCTs in multi-vhost setups

When running a nginx setup with multiple vhosts for different domains that each have independent domains+certificates it would be nice, if SCTs for all certificates could be put in one directory with the module including only those applicable to the current connection's server certificate.

As I understood the code while skimming over it, the module currently puts all SCTs it finds into the TLS extension. It would be nice, if the module only added SCTs applicable to the current vhost's certificate (and if necessary trust chain).

Intention:

  • Avoid configuration overhead by specifying SCT behaviour globally
  • Centralize storage of SCTs for all certificates in one directory (e.g. all SCTs for all certs go to /etc/ssl/sct via cron or similar means).
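
The issue above is about which SCTs end up in the TLS extension. As an added example (not nginx-ct's own code), the following script parses the raw RFC 6962 SCT files that ssl_ct_static_scts points at and assembles the signed_certificate_timestamp extension payload (SignedCertificateTimestampList) in the same wire format the module sends. It does not decide whether an SCT belongs to a given certificate: that would require verifying each SCT's log signature over the certificate with the log's public key, which is exactly what the request above asks for and what this script leaves out. The sample SCT bytes are constructed for illustration; the log ID and signature are placeholders, not output of any real CT log.

```python
"""
Added example, not part of nginx-ct: parse RFC 6962 v1 SCTs and build the
SignedCertificateTimestampList carried in the signed_certificate_timestamp
TLS extension. Sample data below is constructed, not from a real log.
"""
import struct
from dataclasses import dataclass
from typing import List

# RFC 6962 section 3.2, SCT v1 wire layout:
#   sct_version(1) | log_id(32) | timestamp(8) | extensions<0..2^16-1> |
#   digitally-signed: hash_alg(1) | sig_alg(1) | signature<0..2^16-1>
SCT_V1 = 0
MAX_LIST_LEN = 0xFFFF  # the list carries a 2-byte length prefix


@dataclass
class SCT:
    version: int
    log_id: bytes
    timestamp_ms: int
    extensions: bytes
    hash_alg: int
    sig_alg: int
    signature: bytes


def parse_sct(data: bytes) -> SCT:
    """Parse one serialized SCT; raise ValueError on any structural defect."""
    if len(data) < 1 + 32 + 8 + 2:
        raise ValueError("SCT too short")
    version = data[0]
    if version != SCT_V1:
        raise ValueError(f"unsupported SCT version {version}")
    log_id = data[1:33]
    (timestamp_ms,) = struct.unpack(">Q", data[33:41])
    (ext_len,) = struct.unpack(">H", data[41:43])
    pos = 43
    extensions = data[pos:pos + ext_len]
    if len(extensions) != ext_len:
        raise ValueError("truncated extensions")
    pos += ext_len
    if len(data) < pos + 4:
        raise ValueError("truncated signature header")
    hash_alg, sig_alg = data[pos], data[pos + 1]
    (sig_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
    pos += 4
    signature = data[pos:pos + sig_len]
    if len(signature) != sig_len:
        raise ValueError("truncated signature")
    pos += sig_len
    if pos != len(data):
        raise ValueError("trailing bytes after SCT")
    return SCT(version, log_id, timestamp_ms, extensions, hash_alg, sig_alg, signature)


def serialize_sct(sct: SCT) -> bytes:
    """Inverse of parse_sct."""
    return (bytes([sct.version]) + sct.log_id + struct.pack(">Q", sct.timestamp_ms)
            + struct.pack(">H", len(sct.extensions)) + sct.extensions
            + bytes([sct.hash_alg, sct.sig_alg])
            + struct.pack(">H", len(sct.signature)) + sct.signature)


def build_sct_list(scts: List[bytes]) -> bytes:
    """RFC 6962 section 3.3: each SCT gets a 2-byte length, then the whole
    list gets a 2-byte length. Every input is parsed first so a corrupt file
    is rejected instead of being sent to clients."""
    if not scts:
        raise ValueError("at least one SCT required")
    for raw in scts:
        parse_sct(raw)
    body = b"".join(struct.pack(">H", len(raw)) + raw for raw in scts)
    if len(body) > MAX_LIST_LEN:
        raise ValueError("SCT list exceeds 65535 bytes")
    return struct.pack(">H", len(body)) + body


def parse_sct_list(ext: bytes) -> List[SCT]:
    """Decode an extension payload back into SCT objects (what a client does)."""
    (total,) = struct.unpack(">H", ext[:2])
    if total != len(ext) - 2 or total == 0:
        raise ValueError("bad list length")
    out, pos = [], 2
    while pos < len(ext):
        (n,) = struct.unpack(">H", ext[pos:pos + 2])
        out.append(parse_sct(ext[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return out


# Constructed sample: version 0, placeholder 32-byte log ID (0x00..0x1f),
# timestamp 2017-04-20T00:00:00Z (1492646400000 ms), no extensions,
# SHA-256 (4) + ECDSA (3), and a 70-byte dummy signature stand-in.
SAMPLE_SCT = (bytes([SCT_V1]) + bytes(range(32)) + struct.pack(">Q", 1492646400000)
              + b"\x00\x00" + bytes([4, 3]) + struct.pack(">H", 70) + b"\x30" * 70)

if __name__ == "__main__":
    ext = build_sct_list([SAMPLE_SCT, SAMPLE_SCT])
    for sct in parse_sct_list(ext):
        print(sct.log_id.hex(), sct.timestamp_ms)
```

In a real deployment the inputs would be the files in the ssl_ct_static_scts directory, and the per-certificate matching this issue asks for would sit between loading and build_sct_list: keep only SCTs whose signature verifies over the certificate the vhost actually serves.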

virtual hosts

Hey,
Thank you for your work on this module, I've come across an issue.

I got this working on a subdomain of mine with a certificate issued for both root and a number of subdomains, it works fine on the subdomain, but not on the root domain, both share the same SSL configuration in nginx, only diffs are folders and proxies.

##hmm strange, when I move the commands to enable:
ssl_ct on;
ssl_ct_static_scts /etc/nginx/ssl/sct/;

to /etc/nginx/nginx.conf rather than each site in ../enabled-sites/
It works for all subdomains but not the root domain. any idea why this is?

I have two sites enabled, both share same certificate, while one only responds to apps.mydomain.com other responds to www.mydomain.com and mydomain.com

the latter of which is the only one not reporting back as working with SSL Labs like the others: "Certificate Transparency Yes (TLS extension)"
