Page MenuHomePhabricator

Test then switch to openssl 1.0.2 + nginx 1.9.2
Closed, ResolvedPublic

Description

Neither of these are currently in jessie's stable package set. However, both are desirable sometime this year, enough that we will probably bite the bullet on using a backports package and/or rolling our own that we have to maintain security on.

The driver for openssl 1.0.2 is ALPN support (which isn't important until we get HTTP/2)
The drivers for nginx 1.9.2:

  • lots of non-sec bugfixes for "newer" features that we are using are simply not backported to 1.6.x (several already for SPDY, OCSP Stapling, etc)
  • general background on nginx mainline-vs-stable: http://nginx.com/blog/nginx-1-6-1-7-released/
  • SO_REUSEPORT support

This will all be interrelated with HTTP/2 support as well, but that may not land in nginx until some later version.

Note that for ALPN, the updated nginx package has to have been compiled against headers from the updated openssl package.

Event Timeline

BBlack created this task.Apr 22 2015, 1:52 PM
BBlack raised the priority of this task from to Low.
BBlack updated the task description. (Show Details)
BBlack added projects: acl*sre-team, Traffic.
BBlack added a subscriber: BBlack.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 22 2015, 1:52 PM
faidon added a subscriber: faidon.Apr 22 2015, 1:55 PM
BBlack renamed this task from Package/backport openssl 1.0.2 + nginx 1.7.x to Package/backport openssl 1.0.2 + nginx 1.7.x or higher.Apr 22 2015, 3:57 PM
BBlack updated the task description. (Show Details)
BBlack set Security to None.
BBlack moved this task from Triage to Blocked on External on the Traffic board.Apr 23 2015, 1:52 PM

Waiting for the (relatively-imminent) official Jessie release before making any further decisions here...

BBlack changed the task status from Open to Stalled.Apr 26 2015, 11:07 PM
BBlack moved this task from Blocked on External to Triage on the Traffic board.
BBlack added a comment.Jun 5 2015, 1:12 AM

@faidon just pointed out the 1.9.1 release has added SO_REUSEPORT, which would be a really huge win at our traffic scale. That's a big reason to lump onto the others at the top here to update to our own, newer package. The general idea of rolling our own (of any version) would also let us do a multicert patch for deploying ECDSA certs, which recently became possible with our cert provider...

nginx 1.9.2 is now in Debian unstable

BBlack renamed this task from Package/backport openssl 1.0.2 + nginx 1.7.x or higher to Test then switch to openssl 1.0.2 + nginx 1.9.2.Jun 22 2015, 12:07 PM
BBlack changed the task status from Stalled to Open.
BBlack updated the task description. (Show Details)
BBlack closed this task as Resolved.Jun 28 2015, 7:37 PM
BBlack claimed this task.

We've already switched to nginx 1.9.2 w/ SO_REUSEPORT enabled. We're still using debian's openssl 1.0.1 with it for now, but we'll address openssl upgrades separately as part of the ECDSA and/or HTTP/2 tickets linked as blockers here.

Restricted Application added a subscriber: Matanya. · View Herald TranscriptJun 28 2015, 7:37 PM
BBlack moved this task from Triage to Done on the Traffic board.Jun 28 2015, 7:38 PM