Github messages for voidlinux
* [ISSUE] nginx aarch64 cannot serve SSL content
@ 2021-05-17  8:24 cyckl
  2021-05-17 10:06 ` nginx aarch64-musl cannot serve over HTTPS Johnnynator
                   ` (7 more replies)
  0 siblings, 8 replies; 9+ messages in thread
From: cyckl @ 2021-05-17  8:24 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 6402 bytes --]

New issue by cyckl on void-packages repository

https://github.com/void-linux/void-packages/issues/30945

Description:
### System

It's a Raspberry Pi 4B
* xuname:  
  * `Void 5.4.83_1 aarch64-musl Unknown uptodate rF`
* package:  
  * `nginx-1.18.0_4`

### Expected behavior

After serving a site on SSL, nginx should send correct response to request for HTTPS content 

The following example was taken from `curl` output with the following conditions:
* Server is running on Void x86-64
  * `Void 5.11.18_1 x86_64 GenuineIntel uptodate rFFF`
* Same config
* Same certificate
* Same nginx version 
  * `nginx-1.18.0_4`
* Domain name has been censored.

```
~ # curl -vi https://example.com
*   Trying 127.0.0.1:443...
* Connected to example.com (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=example.com
*  start date: May 16 21:47:47 2021 GMT
*  expire date: Aug 14 21:47:47 2021 GMT
*  subjectAltName: host "example.com" matched cert's "example.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: example.com
> User-Agent: curl/7.76.1
> Accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
HTTP/1.1 404 Not Found
< Server: nginx/1.18.0
Server: nginx/1.18.0
< Date: Mon, 17 May 2021 08:04:26 GMT
Date: Mon, 17 May 2021 08:04:26 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 153
Content-Length: 153
< Connection: keep-alive
Connection: keep-alive
< Strict-Transport-Security: max-age=31536000; includeSubDomains
Strict-Transport-Security: max-age=31536000; includeSubDomains

< 
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.18.0</center>
</body>
</html>
* Connection #0 to host example.com left intact
```

### Actual behavior

nginx will send an empty response on SSL requests, at least on my aarch64 install of the package

The following example was taken from `curl` output with the following conditions:
* Server is running on Void aarch64
  * `Void 5.4.83_1 aarch64-musl Unknown uptodate rF`
* Same config
* Same certificate
* Same nginx version 
  * `nginx-1.18.0_4`
* Domain name has been censored.

```
* Connected to example.com (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/cacert.pem
*  CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [4060 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=example.com
*  start date: May 16 21:47:47 2021 GMT
*  expire date: Aug 14 21:47:47 2021 GMT
*  subjectAltName: host "example.com" matched cert's "example.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x15b00d400)
} [5 bytes data]
> GET / HTTP/2
> Host: example.com
> user-agent: curl/7.76.0
> accept: */*
> 
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [57 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [57 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
} [5 bytes data]
* Empty reply from server
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
} [5 bytes data]
* TLSv1.3 (OUT), TLS alert, close notify (256):
} [2 bytes data]
curl: (52) Empty reply from server
```

### Steps to reproduce the behavior

* Configure nginx on any aarch64 / aarch64-musl (not sure yet) Void install
* Enable SSL on a server block
* Access from a browser / `curl` from website

### Extra information

* nginx does not log the error in the `error.log` located in `/var/log/nginx/error.log`
* Configuration is known-good on Raspbian
* Attempted to use stock config shipped with package on Void and enabling SSL to no avail, same issue
* Works on x86-64 with the exact same configuration, certificates, domain, package version

### Ideas

As I've tested the exact same package on different architectures, the only difference between the two is that there is a patch for the nginx package applied for ARM systems. It appears that the patch is in order to adjust certain configuration values on compilation to fit the ARM architecture, which also leads me to believe that it could be related. A good way to test would be with a few different architectures to see if it's only limited to ARM or maybe something platform specific.


^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: nginx aarch64-musl cannot serve over HTTPS
  2021-05-17  8:24 [ISSUE] nginx aarch64 cannot serve SSL content cyckl
@ 2021-05-17 10:06 ` Johnnynator
  2021-05-17 10:12 ` paper42
                   ` (6 subsequent siblings)
  7 siblings, 0 replies; 9+ messages in thread
From: Johnnynator @ 2021-05-17 10:06 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 194 bytes --]

New comment by Johnnynator on void-packages repository

https://github.com/void-linux/void-packages/issues/30945#issuecomment-842196779

Comment:
Can confirm, this also happens on aarch64 glibc

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: nginx aarch64-musl cannot serve over HTTPS
  2021-05-17  8:24 [ISSUE] nginx aarch64 cannot serve SSL content cyckl
  2021-05-17 10:06 ` nginx aarch64-musl cannot serve over HTTPS Johnnynator
@ 2021-05-17 10:12 ` paper42
  2021-05-17 11:14 ` Johnnynator
                   ` (5 subsequent siblings)
  7 siblings, 0 replies; 9+ messages in thread
From: paper42 @ 2021-05-17 10:12 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 290 bytes --]

New comment by paper42 on void-packages repository

https://github.com/void-linux/void-packages/issues/30945#issuecomment-842201147

Comment:
3 weeks ago I had HTTPS working on my RPI3B (aarch64-musl); I cannot test it now. The only difference was that I was using a local CA certificate.

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: nginx aarch64-musl cannot serve over HTTPS
  2021-05-17  8:24 [ISSUE] nginx aarch64 cannot serve SSL content cyckl
  2021-05-17 10:06 ` nginx aarch64-musl cannot serve over HTTPS Johnnynator
  2021-05-17 10:12 ` paper42
@ 2021-05-17 11:14 ` Johnnynator
  2021-05-17 11:14 ` Johnnynator
                   ` (4 subsequent siblings)
  7 siblings, 0 replies; 9+ messages in thread
From: Johnnynator @ 2021-05-17 11:14 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 369 bytes --]

New comment by Johnnynator on void-packages repository

https://github.com/void-linux/void-packages/issues/30945#issuecomment-842238549

Comment:
Correction, I just messed up in my quickly set-up configuration, and my certs had wrong permissions. It works on glibc.

On glibc it seems that `http2` is broken

@cyckl can you check if your config works without http2?

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: nginx aarch64-musl cannot serve over HTTPS
  2021-05-17  8:24 [ISSUE] nginx aarch64 cannot serve SSL content cyckl
                   ` (2 preceding siblings ...)
  2021-05-17 11:14 ` Johnnynator
@ 2021-05-17 11:14 ` Johnnynator
  2021-05-17 11:17 ` Johnnynator
                   ` (3 subsequent siblings)
  7 siblings, 0 replies; 9+ messages in thread
From: Johnnynator @ 2021-05-17 11:14 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 368 bytes --]

New comment by Johnnynator on void-packages repository

https://github.com/void-linux/void-packages/issues/30945#issuecomment-842238549

Comment:
Correction, I just messed up in my quickly set-up configuration, and my certs had wrong permissions. It works on glibc.

On musl it seems that `http2` is broken

@cyckl can you check if your config works without http2?

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: nginx aarch64-musl cannot serve over HTTPS
  2021-05-17  8:24 [ISSUE] nginx aarch64 cannot serve SSL content cyckl
                   ` (3 preceding siblings ...)
  2021-05-17 11:14 ` Johnnynator
@ 2021-05-17 11:17 ` Johnnynator
  2021-05-17 11:31 ` Johnnynator
                   ` (2 subsequent siblings)
  7 siblings, 0 replies; 9+ messages in thread
From: Johnnynator @ 2021-05-17 11:17 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 334 bytes --]

New comment by Johnnynator on void-packages repository

https://github.com/void-linux/void-packages/issues/30945#issuecomment-842238549

Comment:
This only affects http2, and seems to be a cross compilation issue, when compiled natively it seems to work on aarch64 (glibc).

@cyckl can you check if your config works without http2?

^ permalink raw reply	[flat|nested] 9+ messages in thread
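
Added example (not part of the thread and not void-packages code): a small triage helper that reduces two `curl -v` transcripts to the fields that matter and reports what differs between a working and a failing host. The sample transcripts are trimmed from the two outputs quoted in the issue; the function names and the `http-layer:` label are assumptions made for this example.

```python
import re

# Constructed samples: lines trimmed from the two curl -v transcripts in the issue.
X86_64 = """\
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
> GET / HTTP/1.1
< HTTP/1.1 404 Not Found
* Connection #0 to host example.com left intact
"""

AARCH64 = """\
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
> GET / HTTP/2
* Empty reply from server
curl: (52) Empty reply from server
"""

PATTERNS = {
    "tls": re.compile(r"^\* SSL connection using (\S+) / (\S+)"),
    "alpn": re.compile(r"^\* ALPN, server accepted to use (\S+)"),
    "status": re.compile(r"^< HTTP/[\d.]+ (\d{3})"),
    "curl_error": re.compile(r"^curl: \((\d+)\)"),
}


def summarize(transcript):
    """Reduce a curl -v transcript to TLS version, cipher, ALPN, status, exit code."""
    out = dict.fromkeys(("tls", "cipher", "alpn", "status", "curl_error"))
    for raw in transcript.splitlines():
        line = raw.strip()
        if m := PATTERNS["tls"].match(line):
            out["tls"], out["cipher"] = m.groups()
        elif m := PATTERNS["alpn"].match(line):
            out["alpn"] = m.group(1)
        elif (m := PATTERNS["status"].match(line)) and out["status"] is None:
            out["status"] = int(m.group(1))
        elif m := PATTERNS["curl_error"].match(line):
            out["curl_error"] = int(m.group(1))
    return out


def triage(good, bad):
    """Return (fields that differ, layer to look at next) for two transcripts."""
    g, b = summarize(good), summarize(bad)
    changed = {k: (g[k], b[k]) for k in g if g[k] != b[k]}
    # The TLS layer is cleared if the failing side completed the same handshake.
    tls_same = b["tls"] is not None and not {"tls", "cipher"} & changed.keys()
    # curl exit code 52 is "Empty reply from server".
    if tls_same and b["curl_error"] == 52 and b["alpn"]:
        return changed, "http-layer:" + b["alpn"]
    return changed, "undetermined"


if __name__ == "__main__":
    print(triage(X86_64, AARCH64))
```

On these samples the TLS version and cipher are identical and only the ALPN result and the outcome differ, so the next check is the same request forced to one protocol with `curl --http1.1`.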

* Re: nginx aarch64-musl cannot serve over HTTPS
  2021-05-17  8:24 [ISSUE] nginx aarch64 cannot serve SSL content cyckl
                   ` (4 preceding siblings ...)
  2021-05-17 11:17 ` Johnnynator
@ 2021-05-17 11:31 ` Johnnynator
  2021-05-17 11:49 ` [ISSUE] [CLOSED] " Johnnynator
  2021-05-17 15:14 ` cyckl
  7 siblings, 0 replies; 9+ messages in thread
From: Johnnynator @ 2021-05-17 11:31 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 314 bytes --]

New comment by Johnnynator on void-packages repository

https://github.com/void-linux/void-packages/issues/30945#issuecomment-842249160

Comment:
https://github.com/void-linux/void-packages/blob/master/srcpkgs/nginx/template#L88

this is most likely the issue, we use a ton of wrong values for aarch64 in there.

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [ISSUE] [CLOSED] nginx aarch64-musl cannot serve over HTTPS
  2021-05-17  8:24 [ISSUE] nginx aarch64 cannot serve SSL content cyckl
                   ` (5 preceding siblings ...)
  2021-05-17 11:31 ` Johnnynator
@ 2021-05-17 11:49 ` Johnnynator
  2021-05-17 15:14 ` cyckl
  7 siblings, 0 replies; 9+ messages in thread
From: Johnnynator @ 2021-05-17 11:49 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 6628 bytes --]

Closed issue by cyckl on void-packages repository

https://github.com/void-linux/void-packages/issues/30945

Description:
### System

It's a Raspberry Pi 4B
* xuname:  
  * `Void 5.4.83_1 aarch64-musl Unknown uptodate rF`
* package:  
  * `nginx-1.18.0_4`

Custom image built with `rpi4-kernel` and `rpi4-base`

### Expected behavior

After serving a site on SSL, nginx should send correct response to request for HTTPS content 

The following example was taken from `curl` output with the following conditions:
* Server is running on Void x86-64
  * `Void 5.11.18_1 x86_64 GenuineIntel uptodate rFFF`
* Same config
* Same certificate
* Same nginx version 
  * `nginx-1.18.0_4`
* Domain name has been censored.

```
~ # curl -vi https://example.com
*   Trying 127.0.0.1:443...
* Connected to example.com (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=example.com
*  start date: May 16 21:47:47 2021 GMT
*  expire date: Aug 14 21:47:47 2021 GMT
*  subjectAltName: host "example.com" matched cert's "example.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: example.com
> User-Agent: curl/7.76.1
> Accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
HTTP/1.1 404 Not Found
< Server: nginx/1.18.0
Server: nginx/1.18.0
< Date: Mon, 17 May 2021 08:04:26 GMT
Date: Mon, 17 May 2021 08:04:26 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 153
Content-Length: 153
< Connection: keep-alive
Connection: keep-alive
< Strict-Transport-Security: max-age=31536000; includeSubDomains
Strict-Transport-Security: max-age=31536000; includeSubDomains

< 
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.18.0</center>
</body>
</html>
* Connection #0 to host example.com left intact
```

### Actual behavior

nginx will send an empty response on SSL requests, at least on my aarch64-musl install of the package

The following example was taken from `curl` output with the following conditions:
* Server is running on Void aarch64-musl
  * `Void 5.4.83_1 aarch64-musl Unknown uptodate rF`
* Same config
* Same certificate
* Same nginx version 
  * `nginx-1.18.0_4`
* Domain name has been censored.

```
* Connected to example.com (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/cacert.pem
*  CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [4060 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=example.com
*  start date: May 16 21:47:47 2021 GMT
*  expire date: Aug 14 21:47:47 2021 GMT
*  subjectAltName: host "example.com" matched cert's "example.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x15b00d400)
} [5 bytes data]
> GET / HTTP/2
> Host: example.com
> user-agent: curl/7.76.0
> accept: */*
> 
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [57 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [57 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
} [5 bytes data]
* Empty reply from server
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
} [5 bytes data]
* TLSv1.3 (OUT), TLS alert, close notify (256):
} [2 bytes data]
curl: (52) Empty reply from server
```

### Steps to reproduce the behavior

* Configure nginx on any aarch64 / aarch64-musl (not sure yet) Void install
* Enable SSL on a server block
* Access from a browser / `curl` from website

### Extra information

* nginx does not log the error in the `error.log` located in `/var/log/nginx/error.log`
* Configuration is known-good on Raspbian
* Attempted to use stock config shipped with package on Void and enabling SSL to no avail, same issue
* Works on x86-64 with the exact same configuration, certificates, domain, package version

### Ideas

As I've tested the exact same package on different architectures, the only difference between the two is that there is a patch for the nginx package applied for ARM systems. It appears that the patch is in order to adjust certain configuration values on compilation to fit the ARM architecture, which also leads me to believe that it could be related. A good way to test would be with a few different architectures to see if it's only limited to ARM or maybe something platform specific.

It could also be musl specific, as that is another difference between the two systems and that difference has been known to break packages historically.


^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: nginx aarch64-musl cannot serve over HTTPS
  2021-05-17  8:24 [ISSUE] nginx aarch64 cannot serve SSL content cyckl
                   ` (6 preceding siblings ...)
  2021-05-17 11:49 ` [ISSUE] [CLOSED] " Johnnynator
@ 2021-05-17 15:14 ` cyckl
  7 siblings, 0 replies; 9+ messages in thread
From: cyckl @ 2021-05-17 15:14 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 252 bytes --]

New comment by cyckl on void-packages repository

https://github.com/void-linux/void-packages/issues/30945#issuecomment-842407352

Comment:
This worked perfectly. Thank you so much! For future reference I remember turning off http2 without any luck...

^ permalink raw reply	[flat|nested] 9+ messages in thread
