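--- a/nginx-1.28.1-wolfssl-debug.patch
+++ b/nginx-1.28.1-wolfssl-debug.patch
@@ -0,0 +1,31 @@
+diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
+index 4d69557b6..1c1ea2c19 100644
+--- a/src/event/ngx_event_openssl.c
++++ b/src/event/ngx_event_openssl.c
+@@ -134,6 +134,13 @@ int ngx_ssl_certificate_name_index;
+
+u_char ngx_ssl_session_buffer[NGX_SSL_MAX_SESSION_SIZE];
+
++#ifdef WOLFSSL_NGINX
++void wolfSSL_Log(const int logLevel, const char *const logMessage)
++{
++ (void)logLevel;
++ ngx_log_stderr(0, "wolfSSL: %s", logMessage);
++}
++#endif
+
+ngx_int_t
+ngx_ssl_init(ngx_log_t *log)
+@@ -208,6 +215,12 @@ ngx_ssl_init(ngx_log_t *log)
+#endif
+#endif
+
++#ifdef WOLFSSL_NGINX
++ /* Turn on internal wolfssl debugging to stderr */
++ wolfSSL_SetLoggingCb(wolfSSL_Log);
++ wolfSSL_Debugging_ON();
++#endif
++
+#ifndef SSL_OP_NO_COMPRESSION
+{
+/*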
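Review bot: The return value of `wolfSSL_Debugging_ON()` in the second `ngx_ssl_init` hunk is discarded; when wolfSSL is built without `DEBUG_WOLFSSL` that call returns an error instead of enabling logging, so the patch silently does nothing and the operator gets no hint why no wolfSSL output appears. Report it through the `log` that `ngx_ssl_init` already receives, e.g. `if (wolfSSL_Debugging_ON() != 0) { ngx_log_error(NGX_LOG_WARN, log, 0, "wolfSSL debugging not compiled in"); }`. The `wolfSSL_Log` callback also drops `logLevel`, so every internal wolfSSL message from every worker lands on stderr at the same weight; mapping the level onto an nginx log level, or at least a comment above `wolfSSL_Log` stating that this output is intended for debug builds only, would make the intent explicit to whoever packages the patch. The body of `ngx_ssl_init` continues outside both hunks.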
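--- a/nginx-1.28.1-wolfssl.patch
+++ b/nginx-1.28.1-wolfssl.patch
@@ -0,0 +1,310 @@
+diff --git a/auto/lib/openssl/conf b/auto/lib/openssl/conf
+index fdf430dff..bf69d0e35 100644
+--- a/auto/lib/openssl/conf
++++ b/auto/lib/openssl/conf
+@@ -66,8 +66,39 @@ else
+ngx_feature_path=
+ngx_feature_libs="-lssl -lcrypto $NGX_LIBDL $NGX_LIBPTHREAD"
+ngx_feature_test="SSL_CTX_set_options(NULL, 0)"
++
++ if [ $WOLFSSL != NONE ]; then
++ ngx_feature="wolfSSL library in $WOLFSSL"
++ ngx_feature_path="$WOLFSSL/include/wolfssl $WOLFSSL/include"
++ ngx_feature_incs="
++ #ifndef WOLFSSL_USER_SETTINGS
++ #include <wolfssl/options.h>
++ #endif
++ #include <wolfssl/wolfcrypt/settings.h>
++ #include <openssl/ssl.h>"
++
++ if [ $NGX_RPATH = YES ]; then
++ ngx_feature_libs="-R$WOLFSSL/lib -L$WOLFSSL/lib -lwolfssl $NGX_LIBDL"
++ else
++ ngx_feature_libs="-L$WOLFSSL/lib -lwolfssl $NGX_LIBDL"
++ fi
++
++ CORE_INCS="$CORE_INCS $WOLFSSL/include/wolfssl"
++ CFLAGS="$CFLAGS -DWOLFSSL_NGINX"
++ fi
++
+. auto/feature
+
++ if [ $WOLFSSL != NONE -a $ngx_found = no ]; then
++cat << END
++
++$0: error: Could not find wolfSSL at $WOLFSSL/include/wolfssl.
++SSL modules require the wolfSSL library.
++
++END
++ exit 1
++ fi
++
+if [ $ngx_found = no ]; then
+
+# FreeBSD port
+diff --git a/auto/options b/auto/options
+index 6a6e990a0..766d7dc43 100644
+--- a/auto/options
++++ b/auto/options
+@@ -155,6 +155,7 @@ PCRE2=YES
+USE_OPENSSL=NO
+USE_OPENSSL_QUIC=NO
+OPENSSL=NONE
++WOLFSSL=NONE
+
+USE_ZLIB=NO
+ZLIB=NONE
+@@ -371,6 +372,7 @@ use the \"--with-mail_ssl_module\" option instead"
+--with-pcre-jit) PCRE_JIT=YES ;;
+--without-pcre2) PCRE2=DISABLED ;;
+
++ --with-wolfssl=*) WOLFSSL="$value" ;;
+--with-openssl=*) OPENSSL="$value" ;;
+--with-openssl-opt=*) OPENSSL_OPT="$value" ;;
+
+@@ -601,6 +603,7 @@ cat << END
+--with-libatomic force libatomic_ops library usage
+--with-libatomic=DIR set path to libatomic_ops library sources
+
++ --with-wolfssl=DIR set path to wolfSSL headers and library
+--with-openssl=DIR set path to OpenSSL library sources
+--with-openssl-opt=OPTIONS set additional build options for OpenSSL
+
+diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
+index defffa583..4d69557b6 100644
+--- a/src/event/ngx_event_openssl.c
++++ b/src/event/ngx_event_openssl.c
+@@ -200,6 +200,14 @@ ngx_ssl_init(ngx_log_t *log)
+
+#endif
+
++#ifdef WOLFSSL_NGINX
++ /* Run all casts on initialization with these FIPS versions to avoid
++ * threaded competition when running them ad hoc */
++ #if FIPS_VERSION3_GE(5,2,1) && !FIPS_VERSION3_GE(6,0,0)
++ wc_RunAllCast_fips();
++ #endif
++#endif
++
+#ifndef SSL_OP_NO_COMPRESSION
+{
+/*
+@@ -375,6 +383,8 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
+}
+#endif
+
++#ifndef WOLFSSL_NGINX
++ /* These override the options set above. No need to call this. */
+#ifdef SSL_CTX_set_min_proto_version
+SSL_CTX_set_min_proto_version(ssl->ctx, 0);
+SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION);
+@@ -384,6 +394,7 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
+SSL_CTX_set_min_proto_version(ssl->ctx, 0);
+SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION);
+#endif
++#endif
+
+#ifdef SSL_OP_NO_COMPRESSION
+SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
+@@ -632,6 +643,12 @@ retry:
+
+x509 = sk_X509_shift(chain);
+
++#ifdef WOLFSSL_NGINX
++ /* Remove current chain */
++ if (sk_X509_NAME_num(chain) > 0)
++ wolfSSL_UnloadCertsKeys(c->ssl->connection);
++#endif
++
+if (SSL_use_certificate(c->ssl->connection, x509) == 0) {
+ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
+"SSL_use_certificate(\"%s\") failed", cert->data);
+@@ -643,7 +660,9 @@ retry:
+X509_free(x509);
+
+#ifdef SSL_set0_chain
+-
++#ifdef WOLFSSL_NGINX
++#error If SSL_set0_chain is defined then reset this function
++#endif
+/*
+* SSL_set0_chain() is only available in OpenSSL 1.0.2+,
+* but this function is only called via certificate callback,
+@@ -656,7 +675,19 @@ retry:
+sk_X509_pop_free(chain, X509_free);
+return NGX_ERROR;
+}
+-
++#endif
++#ifdef WOLFSSL_NGINX
++ {
++ int i;
++ for (i = sk_X509_num(chain) - 1; i > 0; i--) {
++ if (wolfSSL_add0_chain_cert(c->ssl->connection,
++ sk_X509_value(chain, i)) == 0) {
++ sk_X509_pop_free(chain, X509_free);
++ return NGX_ERROR;
++ }
++ }
++ sk_X509_pop_free(chain, X509_free);
++ }
+#endif
+
+pkey = ngx_ssl_cache_connection_fetch(cache, pool,
+@@ -3346,6 +3377,27 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
+int n;
+ngx_uint_t level;
+
++#ifdef WOLFSSL_NGINX
++ WOLFSSL_ALERT_HISTORY h;
++
++ if (c && c->ssl && c->ssl->connection) {
++ wolfSSL_get_alert_history(c->ssl->connection, &h);
++ if (h.last_rx.level == alert_warning || h.last_rx.level == alert_fatal ||
++ h.last_tx.level == alert_warning || h.last_tx.level == alert_fatal) {
++ const char *rx_code, *rx_lvl, *tx_code, *tx_lvl;
++ rx_lvl = ((h.last_rx.level == alert_fatal) ? "fatal" : ((h.last_rx.level == alert_warning) ? "warning" : "none"));
++ tx_lvl = ((h.last_tx.level == alert_fatal) ? "fatal" : ((h.last_tx.level == alert_warning) ? "warning" : "none"));
++ rx_code = wolfSSL_alert_desc_string_long(h.last_rx.code);
++ tx_code = wolfSSL_alert_desc_string_long(h.last_tx.code);
++ if (!rx_code) rx_code = "none";
++ if (!tx_code) tx_code = "none";
++ ngx_log_error(NGX_LOG_CRIT, c->log, 0,
++ "%s (RX alert: level=%s,code=%s, TX alert: level=%s,code=%s)",
++ text, rx_lvl, rx_code, tx_lvl, tx_code);
++ }
++ }
++#endif
++
+level = NGX_LOG_CRIT;
+
+if (sslerr == SSL_ERROR_SYSCALL) {
+@@ -4560,7 +4612,8 @@ ngx_ssl_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
+return -1;
+}
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10000000L && \
++ (!defined(WOLFSSL_NGINX) || !defined(HAVE_FIPS))
+if (HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL) != 1) {
+ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed");
+return -1;
+@@ -4603,7 +4656,8 @@ ngx_ssl_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
+size = 32;
+}
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10000000L && \
++ (!defined(WOLFSSL_NGINX) || !defined(HAVE_FIPS))
+if (HMAC_Init_ex(hctx, key[i].hmac_key, size, digest, NULL) != 1) {
+ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed");
+return -1;
+@@ -5115,6 +5169,14 @@ ngx_ssl_get_curve(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
+
+#endif
+
++#ifdef WOLFSSL_NGINX
++ s->data = (u_char*)wolfSSL_get_curve_name(c->ssl->connection);
++ if (s->data != NULL) {
++ s->len = ngx_strlen(s->data);
++ return NGX_OK;
++ }
++#endif
++
+s->len = 0;
+return NGX_OK;
+}
+diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
+index fe5107fb6..8276e0560 100644
+--- a/src/event/ngx_event_openssl.h
++++ b/src/event/ngx_event_openssl.h
+@@ -14,6 +14,17 @@
+
+#define OPENSSL_SUPPRESS_DEPRECATED
+
++#ifdef WOLFSSL_NGINX
++#ifdef HAVE_CONFIG_H
++ #include <config.h>
++#endif
++
++#ifndef WOLFSSL_USER_SETTINGS
++ #include <wolfssl/options.h>
++#endif
++#include <wolfssl/wolfcrypt/settings.h>
++#include <openssl/pem.h>
++#endif
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#include <openssl/bn.h>
+diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
+index 320d1ee04..03749d832 100644
+--- a/src/http/modules/ngx_http_ssl_module.c
++++ b/src/http/modules/ngx_http_ssl_module.c
+@@ -18,7 +18,11 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
+ngx_pool_t *pool, ngx_str_t *s);
+
+
++#ifndef WOLFSSL_NGINX
+#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
++#else
++#define NGX_DEFAULT_CIPHERS "ALL"
++#endif
+#define NGX_DEFAULT_ECDH_CURVE "auto"
+
+#define NGX_HTTP_ALPN_PROTOS "\x08http/1.1\x08http/1.0\x08http/0.9"
+diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
+index ceac8d307..3bd5a94dc 100644
+--- a/src/http/ngx_http_request.c
++++ b/src/http/ngx_http_request.c
+@@ -935,7 +935,8 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module);
+
+#if (defined TLS1_3_VERSION \
+- && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
++ && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL) && \
++ !defined WOLFSSL_NGINX
+
+/*
+* SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
+diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c
+index 176e9c624..85407c8f3 100644
+--- a/src/mail/ngx_mail_ssl_module.c
++++ b/src/mail/ngx_mail_ssl_module.c
+@@ -10,7 +10,11 @@
+#include <ngx_mail.h>
+
+
++#ifndef WOLFSSL_NGINX
+#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
++#else
++#define NGX_DEFAULT_CIPHERS "ALL"
++#endif
+#define NGX_DEFAULT_ECDH_CURVE "auto"
+
+
+diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
+index ea0b112b8..39bee4416 100644
+--- a/src/stream/ngx_stream_ssl_module.c
++++ b/src/stream/ngx_stream_ssl_module.c
+@@ -14,7 +14,11 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
+ngx_pool_t *pool, ngx_str_t *s);
+
+
++#ifndef WOLFSSL_NGINX
+#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
++#else
++#define NGX_DEFAULT_CIPHERS "ALL"
++#endif
+#define NGX_DEFAULT_ECDH_CURVE "auto"
+
+
+@@ -592,7 +596,8 @@ ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+sscf = ngx_stream_get_module_srv_conf(cscf->ctx, ngx_stream_ssl_module);
+
+#if (defined TLS1_3_VERSION \
+- && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
++ && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL) && \
++ !defined WOLFSSL_NGINX
+
+/*
+* SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,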
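Review bot: In the `ngx_ssl_connection_error` hunk, `WOLFSSL_ALERT_HISTORY h;` is never initialized and the return value of `wolfSSL_get_alert_history()` is discarded, so a failed lookup reads indeterminate `level`/`code` fields on the next line; gate the block on success instead, `if (wolfSSL_get_alert_history(c->ssl->connection, &h) == WOLFSSL_SUCCESS && (h.last_rx.level == alert_warning || ...))`. The `NGX_DEFAULT_CIPHERS "ALL"` replacement in ngx_http_ssl_module.c, ngx_mail_ssl_module.c and ngx_stream_ssl_module.c drops the `!aNULL:!MD5` exclusions of the upstream default, so every suite wolfSSL was compiled with is enabled unless the operator sets `ssl_ciphers`; if wolfSSL's cipher-list parser accepts the exclusion syntax, `"ALL:!aNULL:!MD5"` keeps the upstream baseline, otherwise the weaker default deserves a comment explaining why it is acceptable. The `!defined WOLFSSL_NGINX` added in ngx_http_request.c and ngx_stream_ssl_module.c compiles out the TLSv1.3 `SSL_SESSION_get0_hostname()` servername consistency check whose body lies outside the hunk; as far as upstream goes that check rejects session resumption under a different servername when client verification is on, so the relaxation should be stated in the patch header rather than left implicit. In the certificate-chain hunk, `sk_X509_NAME_num(chain)` is applied to a `STACK_OF(X509)`, the loop bound `i > 0` never adds index 0 of the remaining chain, and `wolfSSL_add0_chain_cert()` followed by `sk_X509_pop_free(chain, X509_free)` frees objects whose ownership was just transferred under OpenSSL `add0` semantics — confirm that wolfSSL copies the certificate rather than retaining the `X509`, and document why index 0 is skipped, since the enclosing function starts and ends outside the hunk.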