1

I run a CentOS 7.6 server with nginx. The CentOS repos do not have the latest nginx, so I compiled it manually using instructions from here.

This left me with an nginx binary:

```
nginx version: nginx/1.15.8
built by gcc 7.2.0 
built with OpenSSL 1.1.1a  20 Nov 2018
TLS SNI support enabled
configure arguments: --sbin-path=/usr/local/sbin --conf-path=/etc/nginx/nginx.conf --pid-path=/var/run/nginx.pid --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --with-pcre=/n/pcre-8.42 --with-openssl=/n/openssl-1.1.1a --with-zlib=/n/zlib-1.2.11 --with-file-aio --with-http_ssl_module --with-http_v2_module --with-stream --with-stream_ssl_module --with-threads
```

which worked with TLS 1.3.

However, I installed gcc 8.2 as well from https://cbs.centos.org/. It installed correctly, and I tried to rebuild nginx with the new compiler. Still the same output, still the same binary, but no TLS 1.3. Chrome says it is a TLS 1.2 connection, and SSL Labs says no TLS 1.3 support.

I tried recompiling with gcc 7.2.0, still the same result.

What could be wrong?

Thanks.

Michael Chourdakis

1 Answer

0

This should not depend on gcc but on the SSL library.

I can suggest the following:

  • Make sure `--with-openssl=/n/openssl-1.1.1a` still points to the correct OpenSSL.
  • Check which SSL library nginx is linked with: `ldd $(which nginx)` should point to your version of OpenSSL rather than the system-wide one.
  • You may need to recompile OpenSSL and nginx to make sure everything is dandy.
rvs
  • ```
    [root@server ~]# ldd $(which nginx)
    linux-vdso.so.1 => (0x00007ffec67a4000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007f1db4c0d000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f1db49f1000)
    libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f1db47ba000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f1db43ed000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f1db4e11000)
    libfreebl3.so => /lib64/libfreebl3.so (0x00007f1db41ea000)
    ```
    It seems to have been built statically with openssl. – Michael Chourdakis Jan 02 '19 at 14:16
  • Interesting. What does `nginx -V` say? – rvs Jan 02 '19 at 14:31
  • built with OpenSSL 1.1.1a 20 Nov 2018 – Michael Chourdakis Jan 02 '19 at 14:56
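
The checks suggested in the answer, as an added shell example that is not part of the original thread: it reads the text of `nginx -V` and `ldd` and reports which OpenSSL version the binary uses and whether it is linked statically or dynamically. The function names are hypothetical, the second sample is constructed, and the version test assumes TLS 1.3 support starts at OpenSSL 1.1.1.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not part of nginx or OpenSSL.

# OpenSSL version nginx was compiled against ("built with OpenSSL X ...").
built_openssl() {
    printf '%s\n' "$1" | sed -n 's/^built with OpenSSL \([^ ]*\).*/\1/p'
}

# Runtime version, printed by nginx only when it differs from the build version.
running_openssl() {
    printf '%s\n' "$1" | sed -n 's/.*(running with OpenSSL \([^ )]*\).*/\1/p'
}

# "dynamic" if ldd lists a libssl shared object, otherwise "static".
ssl_linkage() {
    if printf '%s\n' "$1" | grep -q 'libssl\.so'; then echo dynamic; else echo static; fi
}

# Assumption: TLS 1.3 needs OpenSSL 1.1.1 or later (1.1.1x, 3.x and up).
supports_tls13() {
    case "$1" in
        1.1.1*|[3-9].*|[1-9][0-9].*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = text of `nginx -V 2>&1`, $2 = text of `ldd /path/to/nginx`
tls13_verdict() {
    v=$(running_openssl "$1")
    [ -n "$v" ] || v=$(built_openssl "$1")
    if supports_tls13 "$v"; then state=ok; else state=no-tls13; fi
    echo "$state: $(ssl_linkage "$2") OpenSSL ${v:-unknown}"
}

# Sample 1: lines taken from the question and the first comment.
PAGE_V='nginx version: nginx/1.15.8
built with OpenSSL 1.1.1a  20 Nov 2018'
PAGE_LDD='libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f1db47ba000)
libc.so.6 => /lib64/libc.so.6 (0x00007f1db43ed000)'

# Sample 2: constructed, a binary that picked up a system OpenSSL shared library.
SYS_V='nginx version: nginx/1.15.8
built with OpenSSL 1.0.2k-fips  26 Jan 2017'
SYS_LDD='libssl.so.10 => /lib64/libssl.so.10 (0x00007f0000000000)
libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f0000000000)'

tls13_verdict "$PAGE_V" "$PAGE_LDD"
tls13_verdict "$SYS_V" "$SYS_LDD"
```

On a live host the two arguments would be `"$(nginx -V 2>&1)"` and `"$(ldd "$(command -v nginx)")"`; an `ok` result only shows that the linked library is new enough for TLS 1.3.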