I'm trying to enable TLSv1.1 & TLSv1.2 on my Ubuntu 12.04 EC2 instance w/ nginx 1.4.6, but this version of nginx is dependent upon libssl0.9.8
, even though the newest version of OpenSSL is installed (1.0.1).
How can I resolve this so I can enable TLSv1.1 & TLSv1.2?
Best Answer
It sounds like there are two issues in play. First is
nginx
related; and second isopenssl
related. There could be a third, and that's Amazon.nginx
nginx
can be built with OpenSSL. When it is, its built with the version of OpenSSL provided by the platform. Ubuntu 12.04 provides OpenSSL 1.0.1, and not 0.9.8. So you'll need to confirm that you are actually using 0.9.8 innginx
.To verify the version of OpenSSL used by
nginx
, issueldd nginx
. For example here's theopenssl
executable's dependency (I don't usenginx
, so I don't have it installed. You should swap innginx
foropenssl
):In the above,
libcrypto
andlibssl
are OpenSSL.From the above, you can check the packages like at libssl.so.1.0.0. Below, the 1.0.1 is OpenSSL's version
OpenSSL
The lack of TLS 1.1 and 1.2 is probably due to Ubuntu's security team disabling the protocol versions in an effort to promote interoperability. See Ubuntu 12.04 LTS: OpenSSL downlevel version and does not support TLS 1.2.
Amazon
Amazon may be providing images that are further modified. So the discussions about
nginx
andopenssl
might not apply or be wrong, depending on what Amazon did (or did not) do.If you don't like the
nginx
as provided by the platform (either Ubuntu or Amazon), then you can trynginx
's PPA. See nginx - Ubuntu PPA.You can also build it from sources. Be sure to install OepnSSL's developer package (
libssl-dev
). You'll need two or three additional packages, IIRC.Sorry to bring in the bug report. That will probably cause this question to be closed. Please accept my apologies.