
Test then switch to openssl 1.0.2 + nginx 1.9.2
Closed, Resolved (Public)

Description

Neither of these is currently in jessie's stable package set. However, both are desirable sometime this year, enough that we will probably bite the bullet on using a backports package and/or rolling our own that we have to maintain security on.

The driver for openssl 1.0.2 is ALPN support (which isn't important until we get HTTP/2).
The drivers for nginx 1.9.2:

  • lots of non-sec bugfixes for "newer" features that we are using are simply not backported to 1.6.x (several already for SPDY, OCSP Stapling, etc)
  • general background on nginx mainline-vs-stable: http://nginx.com/blog/nginx-1-6-1-7-released/
  • SO_REUSEPORT support

This will all be interrelated with HTTP/2 support as well, but that may not land in nginx until some later version.

Note that for ALPN, the updated nginx package has to have been compiled against headers from the updated openssl package.
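The build-time dependency above is easy to get wrong when the openssl package is upgraded after nginx was built: the runtime library may be 1.0.2 while the ALPN code was compiled out against 1.0.1 headers. The following is an added example (not part of this task or of the Wikimedia puppet/package tooling) that parses the `nginx -V` banner, which reports both the build-time OpenSSL version and, when it differs, the runtime one, and flags whether ALPN can work. The sample banner is constructed; on a real host substitute `"$(nginx -V 2>&1)"`.

```shell
#!/bin/sh
# Added example: decide from `nginx -V` output whether ALPN can be used.
# ALPN needs OpenSSL >= 1.0.2 both in the headers nginx was compiled
# against and in the library it is linked to at runtime.

# Constructed sample of the banner (not captured from a real host):
# built against 1.0.1 headers, running with a newer 1.0.2 library.
SAMPLE_NGINX_V='nginx version: nginx/1.9.2
built with OpenSSL 1.0.1k 8 Jan 2015 (running with OpenSSL 1.0.2d 9 Jul 2015)
TLS SNI support enabled
configure arguments: --with-http_ssl_module --with-http_spdy_module'

# "1.0.2d" -> 10002 so versions compare numerically (patch letter ignored).
openssl_ver_num() {
    ver=$(printf '%s' "$1" | sed -E 's/^([0-9]+)\.([0-9]+)\.([0-9]+).*/\1 \2 \3/')
    # shellcheck disable=SC2086  # word splitting into positional params is intended
    set -- $ver
    echo $(( $1 * 10000 + $2 * 100 + $3 ))
}

# Version string of the OpenSSL headers nginx was compiled against.
built_with_openssl() {
    printf '%s\n' "$1" | sed -nE 's/^built with OpenSSL ([0-9.a-z]+).*/\1/p'
}

# Version string of the OpenSSL library actually loaded at runtime;
# nginx only prints "(running with ...)" when it differs from the build one.
running_with_openssl() {
    rw=$(printf '%s\n' "$1" | sed -nE 's/.*running with OpenSSL ([0-9.a-z]+).*/\1/p')
    if [ -n "$rw" ]; then echo "$rw"; else built_with_openssl "$1"; fi
}

# Exit status 0 only if both build-time and runtime OpenSSL are >= 1.0.2.
alpn_capable() {
    built=$(openssl_ver_num "$(built_with_openssl "$1")")
    running=$(openssl_ver_num "$(running_with_openssl "$1")")
    [ "$built" -ge 10002 ] && [ "$running" -ge 10002 ]
}

if alpn_capable "$SAMPLE_NGINX_V"; then
    echo "ALPN available"
else
    echo "ALPN NOT available: built with $(built_with_openssl "$SAMPLE_NGINX_V")," \
         "running with $(running_with_openssl "$SAMPLE_NGINX_V")"
fi
```

For the constructed sample the script reports ALPN as unavailable even though the runtime library is 1.0.2, which is exactly the rebuild-against-new-headers case the description warns about. Once a rebuilt package is deployed, an end-to-end check from a 1.0.2 client is `openssl s_client -alpn h2 -connect host:443`, whose output includes the `ALPN protocol:` line only when negotiation succeeded.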

Event Timeline

BBlack raised the priority of this task from to Low.
BBlack updated the task description.
BBlack added projects: acl*sre-team, Traffic.
BBlack subscribed.
BBlack renamed this task from "Package/backport openssl 1.0.2 + nginx 1.7.x" to "Package/backport openssl 1.0.2 + nginx 1.7.x or higher". (Apr 22 2015, 3:57 PM)
BBlack updated the task description.
BBlack set Security to None.

Waiting for the (relatively-imminent) official Jessie release before making any further decisions here...

BBlack changed the task status from Open to Stalled. (Apr 26 2015, 11:07 PM)
BBlack moved this task from Blocked on External to Backlog on the Traffic board.

@faidon just pointed out the [[ http://nginx.com/blog/socket-sharding-nginx-release-1-9-1/ | 1.9.1 release has added SO_REUSEPORT ]], which would be a really huge win at our traffic scale. That's a big reason to lump onto the others at the top here to update to our own, newer package. The general idea of rolling our own (of any version) would also let us do a multicert patch for deploying ECDSA certs, which recently became possible with our cert provider...

nginx 1.9.2 is now in Debian unstable

BBlack renamed this task from "Package/backport openssl 1.0.2 + nginx 1.7.x or higher" to "Test then switch to openssl 1.0.2 + nginx 1.9.2". (Jun 22 2015, 12:07 PM)
BBlack changed the task status from Stalled to Open.
BBlack updated the task description.
BBlack claimed this task.

We've already switched to nginx 1.9.2 w/ SO_REUSEPORT enabled. We're still using debian's openssl 1.0.1 with it for now, but we'll address openssl upgrades separately as part of the ECDSA and/or HTTP/2 tickets linked as blockers here.