Enabling TLS SNI support in nginx on CentOS 5

By default, CentOS 5.x ships openssl-0.9.8e, which does not have the TLS extensions needed for SNI support. This is a workaround to get an nginx 0.8.48 RPM with TLS SNI enabled.

Step 1:

Download the OpenSSL source, for example openssl-0.9.8l, and extract it in /usr/src.

$ cd /usr/src
$ wget http://www.openssl.org/source/openssl-0.9.8l.tar.gz
$ tar xvzf openssl-0.9.8l.tar.gz

Step 2:

Download the nginx source RPM, for example nginx-0.8.49-1.el5.src.rpm

$ wget http://centos.alt.ru/pub/nginx/0.8/RHEL/SRPMS/nginx-0.8.49-1.el5.src.rpm
$ rpm -Uvh nginx-0.8.49-1.el5.src.rpm

Move to the directory containing the spec file and edit nginx.spec

$ cd /path/to/rpm/SPECS/
$ vi nginx.spec


Find the %build section and modify the ./configure options

./configure \
    --user=%{nginx_user} \
    --group=%{nginx_group} \
    --prefix=%{nginx_datadir} \
    --sbin-path=%{_sbindir}/%{name} \
    --conf-path=%{nginx_confdir}/%{name}.conf \
    --error-log-path=%{nginx_logdir}/error.log \
    --http-log-path=%{nginx_logdir}/access.log \
    --http-client-body-temp-path=%{nginx_home_tmp}/client_body \
    --http-proxy-temp-path=%{nginx_home_tmp}/proxy \
    --http-fastcgi-temp-path=%{nginx_home_tmp}/fastcgi \
    --pid-path=%{_localstatedir}/run/%{name}.pid \
    --lock-path=%{_localstatedir}/lock/subsys/%{name} \
    --with-openssl="/usr/src/openssl-0.9.8l/" \
    --with-openssl-opt="enable-tlsext" \
    --with-http_secure_link_module \
    --with-http_random_index_module \
    --with-http_ssl_module \
    .......................
    ......................

As you can see, I've added

    --with-openssl="/usr/src/openssl-0.9.8l/" \
    --with-openssl-opt="enable-tlsext" \

to the configure section.

Also find

make %{?_smp_mflags}

Change it to

make

%{?_smp_mflags} causes a compile error.

Step 3:

Build the nginx RPM from the spec file

$ rpmbuild -ba nginx.spec

Verify the binary

$ nginx -V
nginx version: nginx/0.8.49
built by gcc 4.1.2 20070626 (Red Hat 4.1.2-14)
TLS SNI support enabled
configure arguments: --user=nginx --group=nginx --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --pid-path=/var/run/nginx.pid --lock-path=/var/lock/subsys/nginx --with-openssl=/usr/src/redhat/BUILD/openssl-0.9.8l/ --with-openssl-opt=enable-tlsext --with-http_secure_link_module --with-http_random_index_module --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_gzip_static_module --with-http_stub_status_module --with-http_perl_module --with-mail --with-mail_ssl_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --with-ipv6 --add-module=/usr/src/redhat/BUILD/nginx-0.8.49/nginx-upstream-fair --add-module=/usr/src/redhat/BUILD/nginx-0.8.49/nginx-upload-progress-module --add-module=/usr/src/redhat/BUILD/nginx-0.8.49/mod_zip-1.1.5 --add-module=/usr/src/redhat/BUILD/nginx-0.8.49/nginx_upload_module-2.0.12 --add-module=/usr/src/redhat/BUILD/nginx-0.8.49/nginx_mod_h264_streaming-2.2.7
# strings `which nginx` | grep SSL_get_servername
SSL_get_servername
SSL_get_servername_type
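
The same verification can be scripted so it is repeatable after every rebuild. This is an added example, not part of the original post: the function names and the two sample outputs are constructed for illustration, and only the "TLS SNI support enabled/disabled" lines and the --with-openssl argument are taken from nginx's own output.

```shell
#!/bin/sh
# Added example: audit an nginx build for SNI support from its `nginx -V` text.

# Constructed sample, shaped like the output shown above (arguments shortened).
SAMPLE_OK='nginx version: nginx/0.8.49
built by gcc 4.1.2 20070626 (Red Hat 4.1.2-14)
TLS SNI support enabled
configure arguments: --user=nginx --with-openssl=/usr/src/redhat/BUILD/openssl-0.9.8l/ --with-openssl-opt=enable-tlsext --with-http_ssl_module'

# Constructed sample of a build against a library without the TLS extensions.
SAMPLE_BAD='nginx version: nginx/0.8.49
TLS SNI support disabled
configure arguments: --user=nginx --with-http_ssl_module'

# sni_status TEXT -> prints enabled | disabled | unknown
sni_status() {
    case "$1" in
        *"TLS SNI support enabled"*)  echo enabled ;;
        *"TLS SNI support disabled"*) echo disabled ;;
        *)                            echo unknown ;;   # e.g. built without SSL
    esac
}

# openssl_src TEXT -> prints the --with-openssl path; empty if none was given
openssl_src() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^--with-openssl=//p'
}

# audit_nginx [BINARY] -> returns 0 only when the binary reports SNI as enabled
audit_nginx() {
    bin=${1:-nginx}
    out=$("$bin" -V 2>&1) || return 2     # nginx -V writes to stderr, not stdout
    echo "SNI: $(sni_status "$out")  OpenSSL source: $(openssl_src "$out")"
    [ "$(sni_status "$out")" = enabled ]
}

# Demonstration on the constructed samples
echo "sample ok:  $(sni_status "$SAMPLE_OK") ($(openssl_src "$SAMPLE_OK"))"
echo "sample bad: $(sni_status "$SAMPLE_BAD")"
```

Because --with-openssl builds OpenSSL from that source tree and links it statically, the path reported here identifies the OpenSSL release inside the binary; updating the system openssl package does not change it.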

That’s it 🙂
