Ubuntu – Fixing nginx 1.4.6 dependency on old openssl version (libssl0.9.8)

Tags: 12.04, nginx, openssl, ssl, tls

I'm trying to enable TLSv1.1 & TLSv1.2 on my Ubuntu 12.04 EC2 instance w/ nginx 1.4.6, but this version of nginx is dependent upon libssl0.9.8, even though the newest version of OpenSSL is installed (1.0.1).

How can I resolve this so I can enable TLSv1.1 & TLSv1.2?

Best Answer

> How can I resolve this so I can enable TLSv1.1 & TLSv1.2?

It sounds like there are two issues in play. First is nginx related; and second is openssl related. There could be a third, and that's Amazon.

nginx

nginx can be built with OpenSSL. When it is, it's built with the version of OpenSSL provided by the platform. Ubuntu 12.04 provides OpenSSL 1.0.1, and not 0.9.8. So you'll need to confirm that you are actually using 0.9.8 in nginx.

To verify the version of OpenSSL used by nginx, issue ldd nginx. For example here's the openssl executable's dependency (I don't use nginx, so I don't have it installed. You should swap in nginx for openssl):

$ which openssl
/usr/bin/openssl
$ ldd /usr/bin/openssl 
    linux-vdso.so.1 =>  (0x00007ffff69ff000)
    libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f136424f000)
    libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f1363e58000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f1363c53000)
    libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f1363a3c000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f13636b1000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f13644c6000)

In the above, libcrypto and libssl are OpenSSL.

From the above, you can check the packages, like libssl.so.1.0.0. Below, the 1.0.1 is OpenSSL's version:

* Package: libssl1.0.0 (1.0.1-4ubuntu5.11)
* ...

OpenSSL

The lack of TLS 1.1 and 1.2 is probably due to Ubuntu's security team disabling the protocol versions in an effort to promote interoperability. See Ubuntu 12.04 LTS: OpenSSL downlevel version and does not support TLS 1.2.

Amazon

Amazon may be providing images that are further modified. So the discussions about nginx and openssl might not apply or be wrong, depending on what Amazon did (or did not) do.


If you don't like the nginx as provided by the platform (either Ubuntu or Amazon), then you can try nginx's PPA. See nginx - Ubuntu PPA.

You can also build it from sources. Be sure to install OpenSSL's developer package (libssl-dev). You'll need two or three additional packages, IIRC.


Sorry to bring in the bug report. That will probably cause this question to be closed. Please accept my apologies.
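
The ldd check described in the answer, applied to a named binary and interpreted by libssl soname, as an added example that is not part of the original answer. The function names, verdict labels and sample ldd lines are constructed for illustration; the verdict reflects only the upstream OpenSSL version (TLS 1.1/1.2 first appeared in 1.0.1, which keeps the 1.0.0 soname), not what a distro build enables.

```sh
#!/bin/sh
# Added example (not from the original answer): find the libssl a binary loads.

# Read ldd-style output on stdin; print "<soname> <path> <verdict>" per libssl,
# or "none" when no libssl is linked dynamically (static build or no SSL).
libssl_report() {
    awk '
        $1 ~ /^libssl\.so\./ && $2 == "=>" {
            path = ($3 == "not") ? "(not-found)" : $3
            if ($1 ~ /^libssl\.so\.0\./)       verdict = "pre-1.0.1"
            else if ($1 == "libssl.so.1.0.0")  verdict = "check-package-version"
            else                               verdict = "1.1-or-later"
            print $1, path, verdict
            found = 1
        }
        END { if (!found) print "none" }
    '
}

# Succeed if a libssl1.0.0 package version (e.g. 1.0.1-4ubuntu5.11) is
# upstream 1.0.1 or later, the first release with TLS 1.1/1.2 code.
# A distro build can still disable those protocols, as the answer notes.
pkg_is_101_or_later() {
    case "${1%%-*}" in
        0.*|1.0.0*) return 1 ;;
        [1-9]*)     return 0 ;;
        *)          return 2 ;;   # not a version string
    esac
}

# Constructed sample: ldd output for a hypothetical nginx built against 0.9.8.
sample_ldd_old() {
    printf '\tlibssl.so.0.9.8 => /lib/libssl.so.0.9.8 (0x00007f0000001000)\n'
    printf '\tlibcrypto.so.0.9.8 => /lib/libcrypto.so.0.9.8 (0x00007f0000002000)\n'
    printf '\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000003000)\n'
}

# Usage: sh script.sh nginx
check_binary() {
    bin=$(command -v "$1") || { echo "$1: not in PATH" >&2; return 2; }
    ldd "$bin" | libssl_report
}

if [ "$#" -gt 0 ]; then check_binary "$1"; else sample_ldd_old | libssl_report; fi
```

When the verdict is check-package-version, pass the installed libssl1.0.0 package version (the value shown in the package listing above) to pkg_is_101_or_later.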