Closed
Description
Bug Overview
Since version 1.29.2, it's possible to compile nginx with AWS-LC instead of OpenSSL. But when doing so, the nginx-acme module becomes incompatible and will not pass the nginx -t tests.
Module is dynamically loaded:
nginx: [emerg] dlopen() "/usr/local/nginx/modules/ngx_http_acme_module.so" failed (/usr/local/nginx/modules/ngx_http_acme_module.so: undefined symbol: EVP_KDF_fetch) in /etc/nginx/nginx.conf:14
nginx: configuration file /etc/nginx/nginx.conf test failed
Module is statically compiled: long_output.txt
The second output is the one from the command without CPPFLAGS=-DOPENSSL_IS_AWSLC.
Expected Behavior
To pass the nginx -t tests and to work normally.
Steps to Reproduce the Bug
To compile nginx passing CPPFLAGS=-DOPENSSL_IS_AWSLC to the make command, after building and installing AWS-LC.
git clone -q --depth 1 https://github.com/aws/aws-lc openssl
cd openssl && mkdir build && cd build
cmake \
-GNinja \
-DCMAKE_BUILD_TYPE=Release \
-DCMAKE_INSTALL_LIBDIR=lib \
-DCMAKE_INSTALL_PREFIX=../.openssl \
..
cmake --build .
cmake --install .
./configure \
--with-cc-opt="-I$BPATH/openssl/.openssl/install" \
--with-ld-opt="-L$BPATH/openssl/.openssl/lib" \
--user=www-data \
--group=www-data \
--with-debug \
--sbin-path=/usr/sbin/nginx \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--lock-path=/var/lock/nginx.lock \
--pid-path=/run/nginx/nginx.pid \
--http-client-body-temp-path=/var/lib/nginx/body \
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
--http-proxy-temp-path=/var/lib/nginx/proxy \
--http-scgi-temp-path=/var/lib/nginx/scgi \
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
--with-pcre-jit \
--with-threads \
--with-http_realip_module \
--with-http_gzip_static_module \
--with-http_slice_module \
--with-http_stub_status_module \
--with-http_addition_module \
--with-http_sub_module \
--with-http_ssl_module \
--with-http_auth_request_module \
--with-http_v2_module \
--with-http_v3_module \
--with-http_gunzip_module \
--with-stream_ssl_preread_module \
--with-stream_ssl_module \
--with-poll_module \
--with-stream \
--with-file-aio \
--with-http_image_filter_module \
--with-http_xslt_module \
--without-mail_pop3_module \
--without-mail_smtp_module \
--without-mail_imap_module \
--without-http_memcached_module \
--without-select_module \
--with-pcre=$BPATH/pcre \
--with-zlib=$BPATH/zlib \
--with-openssl=$BPATH/openssl \
--with-openssl-opt="enable-ktls no-legacy no-ssl \
no-tls1 no-tls1_1 threads -ljemalloc \
no-shared -lm enable-tls1_3 no-deprecated no-dh" \
--add-dynamic-module=$BPATH/headers-more \
--add-dynamic-module=$BPATH/security-headers \
--add-dynamic-module=$BPATH/fancyindex \
--add-dynamic-module=$BPATH/zstd \
--add-module=$BPATH/acme \
--add-dynamic-module=$BPATH/brotli
echo -e "${GREEN_START}... | Building nginx${GREEN_END}"
mkdir -p $BPATH/openssl/.openssl/include/openssl/
touch $BPATH/openssl/.openssl/include/openssl/ssl.h
make -j $(nproc) modules
echo -e "${GREEN_START}... | Installing nginx${GREEN_END}"
make CPPFLAGS=-DOPENSSL_IS_AWSLC -j $(nproc) install
Environment Details
- Target deployment platform: local cluster
- Target OS: Debian 13
- Version of this project or specific commit: 726b9e9
Additional Context
I didn't try to compile with BoringSSL, LibreSSL or another SSL library.
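Added example (not part of the original report or of the nginx-acme project): a pre-deployment check for the failure mode in the dlopen() error above, where a module imports a libcrypto symbol that the TLS library nginx was built against does not export. The nm listings are constructed samples, and the function names and the symbol-prefix filter are assumptions of this example.

```shell
#!/bin/sh
# Added example: report libcrypto/libssl symbols a module imports that the
# binary (or library) meant to provide them does not export.

# Names of undefined symbols from `nm -D --undefined-only` text on stdin.
undefined_syms() {
    awk 'NF >= 2 && $(NF-1) == "U" { sub(/@.*/, "", $NF); print $NF }' | LC_ALL=C sort -u
}

# Names of exported symbols from `nm -D --defined-only` text on stdin.
defined_syms() {
    awk 'NF >= 3 { sub(/@.*/, "", $NF); print $NF }' | LC_ALL=C sort -u
}

# $1: file holding nm output for the module, $2: same for the provider.
# The prefix filter (an assumption) keeps only TLS-library-looking names.
missing_crypto_syms() {
    want=$(mktemp); have=$(mktemp)
    undefined_syms < "$1" |
        grep -E '^(EVP|SSL|X509|BIO|PEM|ERR|CRYPTO|OPENSSL)_' > "$want" || true
    defined_syms < "$2" > "$have"
    LC_ALL=C comm -23 "$want" "$have"
    rm -f "$want" "$have"
}

# Constructed sample listings, shaped like real nm output.
demo() {
    mod=$(mktemp); prov=$(mktemp)
    cat > "$mod" <<'EOF'
                 U EVP_DigestInit_ex
                 U EVP_KDF_fetch
                 U EVP_PKEY_free
                 U memcpy@GLIBC_2.14
                 U ngx_log_error_core
EOF
    cat > "$prov" <<'EOF'
00000000001a2b30 T EVP_DigestInit_ex
00000000001a4c10 T EVP_PKEY_free
00000000000f1000 T ngx_log_error_core
EOF
    missing_crypto_syms "$mod" "$prov"
    rm -f "$mod" "$prov"
}

demo
```

On a real build, save the output of `nm -D --undefined-only` for the module and `nm -D --defined-only` for the nginx binary to two files and pass them to `missing_crypto_syms`; any name it prints is a candidate for the same undefined-symbol failure.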