How to make NixOS compile nginx with OpenSSL 1.x
Published on , 428 words, 2 minutes to read

One of the strengths of NixOS is that you can use NixOS modules to do things like override versions of packages so that you can customize what software is running on your computer. You can use this to manually patch programs, or alternatively override dependencies with other versions. Today I'm going to show you how to use an overlay to force NixOS to rebuild nginx with OpenSSL 1.1.1 instead of OpenSSL 3.x. You may want to do this if you want to reduce risks involved with the CRITICAL security issue announced for OpenSSL 3.x (OpenSSL 1.1.1 isn't listed as CRITICAL).
Open your configuration.nix file and add this inside the module block:
```nix
nixpkgs.overlays = [
  (final: prev: {
    nginxStable = prev.nginxStable.override { openssl = prev.openssl_1_1; };
  })
];
```
This creates an overlay that replaces the nginx package with a build whose OpenSSL dependency is swapped for the OpenSSL 1.x package. It uses an override to change the version of OpenSSL that is passed into the package build. This works because packages in nixpkgs are defined something like this:
```nix
{ stdenv, openssl, fetchurl }:
stdenv.mkDerivation {
  # whatever is needed to build the software
}
```
Each of the inputs in the top line is an argument to the package (which is modeled as a function). When you use .override, you are overriding the arguments you pass to the package function. This means that when you use the overlay I pasted, you are overriding the version of OpenSSL passed to the nginx build process, which makes nginx depend on OpenSSL 1.x.
Depending on the software in question, you should be able to use this strategy to patch any other public-facing program. The only catch is that the software will need to be compatible with OpenSSL 1.x.
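After a rebuild it is worth confirming that the override actually took effect, i.e. that the nginx runtime closure no longer contains an OpenSSL 3.x store path. The script below is an added example, not part of the original post: it scans a `nix-store --query --requisites` style listing and fails if OpenSSL 3.x is present. The store paths it checks are constructed sample data; the real command to produce such a listing is given in the comments.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). On a real NixOS host, produce the
# closure listing for the nginx package as the system configuration sees it:
#   nix-store --query --requisites \
#     "$(nix-build '<nixpkgs/nixos>' -A config.services.nginx.package --no-out-link)"
# The overlay lives in configuration.nix, so query through the NixOS evaluation
# rather than a bare '<nixpkgs>', which would not have the overlay applied.

# Report every openssl derivation in a closure listing (one store path per line,
# store paths never contain whitespace) and return 1 if OpenSSL 3.x is present.
check_closure_openssl() {
  listing="$1"
  status=0
  for path in $listing; do
    # /nix/store/<32-char hash>-<name>: drop the prefix and the hash
    name="${path#/nix/store/}"
    name="${name#*-}"
    case "$name" in
      openssl-3.*)   echo "FAIL: $path (OpenSSL 3.x still in closure)"; status=1 ;;
      openssl-1.1.*) echo "ok:   $path" ;;
      openssl-*)     echo "warn: $path (unexpected OpenSSL version)"; status=1 ;;
    esac
  done
  return "$status"
}

# Constructed listing of an nginx closure before the overlay (still on OpenSSL 3)
before_closure='/nix/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-glibc-2.35
/nix/store/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb-openssl-3.0.7
/nix/store/cccccccccccccccccccccccccccccccc-nginx-1.22.1'

# Constructed listing of the same package after the overlay (rebuilt, new hash)
after_closure='/nix/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-glibc-2.35
/nix/store/dddddddddddddddddddddddddddddddd-openssl-1.1.1s
/nix/store/ffffffffffffffffffffffffffffffff-nginx-1.22.1'

# Stand-alone run: the 'before' listing must fail, the 'after' listing must pass
echo "before overlay:"; check_closure_openssl "$before_closure" || true
echo "after overlay:";  check_closure_openssl "$after_closure"
```

Pipe the real `nix-store --query --requisites` output into the function (for example via `check_closure_openssl "$(nix-store -qR ...)"`) to run the same check against your actual system.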
Facts and circumstances may have changed since publication. Please contact me before jumping to conclusions if something seems wrong or unclear.
Tags: openssl, nginx