How to Enable ALPN with OpenSSL 1.0.2 on Debian Jessie for NGINX HTTP/2 Support


Debian Jessie ships with OpenSSL 1.0.1, which means NGINX compiled against this version can only use NPN (Next Protocol Negotiation) for HTTP/2. Modern browsers like Chrome have already dropped NPN support in favor of ALPN (Application-Layer Protocol Negotiation), which requires OpenSSL 1.0.2+.

Here's how to install OpenSSL 1.0.2 alongside the system version without breaking dependencies:

# Download and build OpenSSL 1.0.2 into its own prefix (the system copy in /usr stays untouched)
wget https://www.openssl.org/source/openssl-1.0.2u.tar.gz
tar -xzf openssl-1.0.2u.tar.gz
cd openssl-1.0.2u
./config --prefix=/opt/openssl-1.0.2 --openssldir=/opt/openssl-1.0.2 shared
make depend
make
sudo make install

Now compile NGINX against the new OpenSSL:

# --with-openssl=DIR expects an OpenSSL *source* tree (nginx would try to build it
# statically), not an install prefix. To link against the copy installed in /opt,
# point the compiler and linker at it and bake in an rpath so the right libssl is
# found at run time.
./configure \
    --with-cc-opt="-I/opt/openssl-1.0.2/include" \
    --with-ld-opt="-L/opt/openssl-1.0.2/lib -Wl,-rpath,/opt/openssl-1.0.2/lib" \
    --with-http_v2_module \
    --with-http_ssl_module
make
sudo make install

Check that ALPN is properly enabled:

nginx -V 2>&1 | grep -i 'built with openssl'
# Should show "built with OpenSSL 1.0.2u ..."; a trailing "(running with OpenSSL 1.0.1t ...)"
# means the dynamic loader still picked the system library

# The system openssl binary is 1.0.1 and does not know -alpn, so call the new one
/opt/openssl-1.0.2/bin/openssl s_client -alpn h2 -servername yourdomain.com -connect yourdomain.com:443 </dev/null
# Look for "ALPN protocol: h2" in the output

To maintain system stability:

  • Add /opt/openssl-1.0.2/lib to /etc/ld.so.conf.d/openssl.conf
  • Run ldconfig after installation
  • Set LD_LIBRARY_PATH for the nginx service in the [Service] section of its systemd unit: Environment=LD_LIBRARY_PATH=/opt/openssl-1.0.2/lib

Be aware that OpenSSL 1.0.1 and 1.0.2 both install a library with the soname libssl.so.1.0.0, so whichever directory the loader searches first wins for every dynamically linked program on the host. After running ldconfig, check with ldd /usr/sbin/nginx and ldd /usr/bin/curl that nginx resolves libssl to /opt/openssl-1.0.2/lib while the system binaries still resolve it to /usr/lib.

Some users reported success with backports:

echo "deb http://ftp.debian.org/debian jessie-backports main" | sudo tee /etc/apt/sources.list.d/jessie-backports.list
sudo apt-get update
sudo apt-get -t jessie-backports install openssl

Note that this might not always provide OpenSSL 1.0.2 depending on the backport status.

While this solution works, be aware that:

  • You'll need to manually update OpenSSL when vulnerabilities are discovered
  • Consider upgrading to Debian Stretch/Buster for long-term support
  • Test thoroughly before deploying to production

While upgrading to Nginx 1.10 on Debian Jessie brings HTTP/2 support, the default OpenSSL 1.0.1t installation creates compatibility issues with modern browsers: Chrome's decision to drop NPN support forces a move to ALPN, which OpenSSL 1.0.1 cannot provide.

The most reliable approach involves compiling OpenSSL 1.0.2 alongside the system version:

# Install build dependencies (requires a deb-src line in /etc/apt/sources.list)
sudo apt-get build-dep openssl

# Download OpenSSL 1.0.2, verify it against the checksum published next to the tarball, and compile
wget https://www.openssl.org/source/openssl-1.0.2u.tar.gz
wget https://www.openssl.org/source/openssl-1.0.2u.tar.gz.sha256
echo "$(cat openssl-1.0.2u.tar.gz.sha256)  openssl-1.0.2u.tar.gz" | sha256sum -c -
tar -xvzf openssl-1.0.2u.tar.gz
cd openssl-1.0.2u
./config --prefix=/usr/local/openssl-1.0.2 --openssldir=/usr/local/openssl-1.0.2 shared
make depend
make
sudo make install

After installing OpenSSL 1.0.2, rebuild Nginx with the new library:

# Get the Nginx source matching your installed version (requires a deb-src line)
apt-get source nginx

# Configure against the custom OpenSSL. --with-openssl=DIR expects an OpenSSL
# *source* tree, so instead point the compiler and linker at the installed copy
# and bake in an rpath. Keep the remaining configure arguments reported by
# `nginx -V` for the packaged build (paths, modules, Debian's own -cc-opt and
# -ld-opt flags, which these values must be merged into) so the rebuilt binary
# is a drop-in replacement.
cd nginx-1.10.*
./configure --with-cc-opt="-I/usr/local/openssl-1.0.2/include" \
            --with-ld-opt="-L/usr/local/openssl-1.0.2/lib -Wl,-rpath,/usr/local/openssl-1.0.2/lib" \
            --with-http_ssl_module \
            --with-http_v2_module \
            --prefix=/etc/nginx \
            --conf-path=/etc/nginx/nginx.conf

make
sudo make install

Use these commands to verify ALPN support (the system openssl binary is 1.0.1 and does not know -alpn, so call the new one):

/usr/local/openssl-1.0.2/bin/openssl s_client -alpn h2 -servername yourdomain.com -connect yourdomain.com:443 </dev/null
# Expect a line reading "ALPN protocol: h2"

nginx -V 2>&1 | grep -i 'built with openssl'
# Expect "built with OpenSSL 1.0.2u ..."; a trailing "(running with OpenSSL 1.0.1t ...)"
# means the dynamic loader still picked the system library

For browser testing, Chrome's chrome://net-internals/#http2 provides detailed protocol information.
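The two verification commands above are easy to misread by eye, especially the "built with ... (running with ...)" case where nginx was compiled against 1.0.2 but the loader found the system 1.0.1 under the identical soname. The following script is an added example, not code from the original page or from the NGINX or OpenSSL projects: it parses the text that `nginx -V` and `openssl s_client -alpn h2` print and reports whether the library nginx actually runs with is ALPN-capable and whether h2 was negotiated. The sample outputs embedded in it are constructed for illustration; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original page: offline checks over the text
# that `nginx -V` and `openssl s_client -alpn h2` print. The samples below are
# constructed for illustration; the functions work on real output as well.

# Constructed `nginx -V 2>&1` output for a binary built against the custom
# OpenSSL but started without LD_LIBRARY_PATH/rpath: because 1.0.1 and 1.0.2
# both install libssl.so.1.0.0, the loader silently picked the system library.
SAMPLE_NGINX_V_MISMATCH='nginx version: nginx/1.10.3
built by gcc 4.9.2 (Debian 4.9.2-10)
built with OpenSSL 1.0.2u  20 Dec 2019 (running with OpenSSL 1.0.1t  3 May 2016)
TLS SNI support enabled
configure arguments: --with-http_v2_module --with-http_ssl_module'

# Constructed `nginx -V 2>&1` output for a correctly linked binary.
SAMPLE_NGINX_V_OK='nginx version: nginx/1.10.3
built with OpenSSL 1.0.2u  20 Dec 2019
TLS SNI support enabled
configure arguments: --with-http_v2_module --with-http_ssl_module'

# Constructed tails of `openssl s_client -alpn h2` output, with and without ALPN.
SAMPLE_SCLIENT_H2='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
ALPN protocol: h2
---'
SAMPLE_SCLIENT_NONE='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
No ALPN negotiated
---'

# Print the OpenSSL version nginx actually runs with: the "(running with ...)"
# part when nginx reports one, otherwise the "built with" version.
nginx_runtime_openssl() {
    printf '%s\n' "$1" | awk '
        /running with OpenSSL/ { sub(/.*running with OpenSSL /, ""); print $1; exit }
        /^built with OpenSSL/  { sub(/^built with OpenSSL /, "");  print $1; exit }'
}

# Succeed when a version string such as 1.0.2u is at least 1.0.2, the first
# OpenSSL release with ALPN support. Letter suffixes are ignored.
openssl_has_alpn() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # 1.0.2u -> 1.0.2
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%.*}
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -gt 0 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -eq 0 ] && [ "$patch" -ge 2 ] && return 0
    return 1
}

# Succeed only when the library nginx runs with (not merely the one it was
# built with) is ALPN-capable.
nginx_alpn_ready() {
    ver=$(nginx_runtime_openssl "$1")
    [ -n "$ver" ] && openssl_has_alpn "$ver"
}

# Succeed when s_client output shows that the server negotiated h2 via ALPN.
alpn_negotiated_h2() {
    printf '%s\n' "$1" | grep -q '^ALPN protocol: h2$'
}

# Stand-alone run over the constructed samples. On a real host use
#   nginx_alpn_ready "$(nginx -V 2>&1)"
#   alpn_negotiated_h2 "$(/opt/openssl-1.0.2/bin/openssl s_client -alpn h2 \
#       -servername yourdomain.com -connect yourdomain.com:443 </dev/null 2>/dev/null)"
for name in MISMATCH OK; do
    eval "out=\$SAMPLE_NGINX_V_$name"
    if nginx_alpn_ready "$out"; then
        echo "nginx -V ($name): running with OpenSSL $(nginx_runtime_openssl "$out"), ALPN-capable"
    else
        echo "nginx -V ($name): running with OpenSSL $(nginx_runtime_openssl "$out"), NO ALPN"
    fi
done
alpn_negotiated_h2 "$SAMPLE_SCLIENT_H2"   && echo "s_client (H2): ALPN h2 negotiated"
alpn_negotiated_h2 "$SAMPLE_SCLIENT_NONE" || echo "s_client (NONE): no ALPN protocol"
```

The "running with" check is the one worth automating: a host can pass the `built with OpenSSL 1.0.2u` grep and still serve only NPN because the service was started without the LD_LIBRARY_PATH or rpath that selects the new library, and that is exactly the state in which Chrome falls back to HTTP/1.1.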

For those preferring package management:

  • Debian Backports: Monitor for possible OpenSSL 1.0.2 backports
  • Third-party Repos: Consider trusted repositories like jessie-backports-sloppy
  • Docker Containers: Run Nginx in containers with newer OpenSSL versions

When manually compiling OpenSSL:

  1. Set up monitoring for security updates
  2. Document the compilation process for future reference
  3. Consider implementing a build script for repeatable deployments