Debian jessie nginx with openssl 1.0.2 to use ALPN rather than NPN
1.9.10-1~bpo8+3 was built against openssl >= 1.0.2~. Getting ALPN working now if running jessie just requires the packages out of jessie-backports, no need anymore to pull packages out of
Original answer: Well, here goes my answer, according to the comments: In my opinion, there aren't that many ways to solve this as of today, 2016/05/09. Basically you've to try somehow to get a modern nginx into your system, compiled against >= openssl 1.0.2~.
The only two options I see currently: Either you compile for yourself, which you don't want to do, which is quite understandable, or you pull in modern packages out of Debian stretch into your system. This involves some risks, because you're mixing a stable environment with another one, but in my opinion these risks are quite low, because you're using
So, let's go and try out this:
Debian stretch repository to your apt sources. Don't use /etc/apt/sources.list for this, but instead use a dedicated file inside /etc/apt/sources.list.d/ to keep it clean, personally I'm using
Put these lines inside there:

    deb http://httpredir.debian.org/debian/ stretch main contrib non-free
    deb-src http://httpredir.debian.org/debian/ stretch main contrib non-free
    deb http://security.debian.org/ stretch/updates main contrib non-free
    deb-src http://security.debian.org/ stretch/updates main contrib non-free
    # stretch-updates, previously known as 'volatile'
    deb http://httpredir.debian.org/debian/ stretch-updates main contrib non-free
    deb-src http://httpredir.debian.org/debian/ stretch-updates main contrib non-free

Set up apt pinning to make sure you only pull in packages out of Debian stretch which you're specifying. The file to use for this is /etc/apt/preferences, inside there, put:

    Package: *
    Pin: release n=jessie
    Pin-Priority: 900

    Package: *
    Pin: release a=jessie-backports
    Pin-Priority: 500

    Package: *
    Pin: release n=stretch
    Pin-Priority: 100

(You might have to alter the suites and priorities to fit your environment.)
root) to update the package cache.
apt-get install -t stretch nginx (do this via
As I described in my comment(s), to even lower the risks involved, you could use something like a chroot or a container-solution like LXC. In case you want to go the chroot way, you have to set up a network interface inside there: To do this, have a look at this blogpost for example, which gives an introduction to
Hope this helps; in case you've got more questions, feel free to contact me. I would appreciate feedback and I'm interested in how it goes.
Another method is to install OpenSSL 1.0.2 from jessie-backports and use Ubuntu 16.04 LTS builds from nginx's own repository. That way you're at least using an OpenSSL package built for Jessie.

    # jessie-backports, from stretch-level but with no dependencies
    deb http://httpredir.debian.org/debian/ jessie-backports main contrib non-free
    deb-src http://httpredir.debian.org/debian/ jessie-backports main contrib non-free
    # Nginx repository - use Ubuntu 16.04 LTS Xenial to get packages compiled with OpenSSL 1.0.2
    deb http://nginx.org/packages/mainline/ubuntu/ xenial nginx
    deb-src http://nginx.org/packages/mainline/ubuntu/ xenial nginx

    apt-get update
    apt-get install -t jessie-backports openssl
    apt-get install nginx

This obviously puts you into an officially unsupported configuration, but perhaps that's better than not having a package at all - and it worked for me. Plus, using nginx's repo means you get fresh updates.
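
Whichever package source is used, the result can be verified afterwards. The following is an added example, not part of either answer: it checks that `nginx -V` reports a build against OpenSSL 1.0.2 or later, and that `openssl s_client` output shows a protocol selected via ALPN rather than NPN. The sample outputs are constructed, and the host passed to `check_live` is a placeholder you supply.

```shell
#!/bin/sh
# Added example, not from the answers above. All sample outputs are constructed.

# Succeed if `nginx -V` output ($1) reports a build against OpenSSL >= 1.0.2,
# the first release with ALPN. Returns 2 if no "built with OpenSSL" line exists.
nginx_built_for_alpn() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^built with OpenSSL \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 2
    oldest=$(printf '%s\n' "1.0.2" "$ver" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$oldest" = "1.0.2" ]
}

# Print the protocol chosen via ALPN from `openssl s_client` output ($1);
# prints nothing when only NPN was used or nothing was negotiated.
negotiated_alpn() {
    printf '%s\n' "$1" | sed -n 's/^ALPN protocol: //p' | head -n 1
}

# Live check against a host you supply as $1 (assumption: HTTPS on port 443).
# The local openssl client must itself be >= 1.0.2 to have the -alpn option.
check_live() {
    nginx_built_for_alpn "$(nginx -V 2>&1)" || echo "nginx lacks OpenSSL >= 1.0.2"
    out=$(openssl s_client -alpn h2 -connect "$1:443" -servername "$1" </dev/null 2>/dev/null)
    echo "ALPN: $(negotiated_alpn "$out")"
}

# Constructed sample outputs so the script runs offline.
SAMPLE_NEW='nginx version: nginx/1.9.10
built with OpenSSL 1.0.2g  1 Mar 2016
TLS SNI support enabled'
SAMPLE_OLD='nginx version: nginx/1.9.10
built with OpenSSL 1.0.1t  3 May 2016
TLS SNI support enabled'
SAMPLE_ALPN='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
ALPN protocol: h2'
SAMPLE_NPN='Next protocol: (1) h2
No ALPN negotiated'

for s in "$SAMPLE_NEW" "$SAMPLE_OLD"; do
    if nginx_built_for_alpn "$s"; then echo "build: ALPN capable"
    else echo "build: NPN only"; fi
done
echo "negotiated: [$(negotiated_alpn "$SAMPLE_ALPN")] [$(negotiated_alpn "$SAMPLE_NPN")]"
```

An empty result from `negotiated_alpn` on a server that still answers HTTP/2 to older clients means the connection is relying on NPN, which is the situation the question describes.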