/ Register

Welcome to Centmin Mod Community
Register Now

Beta Branch add NGINX_SPDYPATCHED variable support 123.09beta01

Discussion in 'Centmin Mod Github Commits' started by eva2000, Jun 22, 2016.

Tags:
Previous Thread Next Thread
Loading...
  1. Jun 22, 2016 #1
    eva2000

    eva2000 Administrator Staff Member

    35,074
    7,742
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,941
    Local Time:
    1:41 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    add NGINX_SPDYPATCHED variable support 123.09beta01

    Disabled by default with NGINX_SPDYPATCHED='n'. Experimental HTTP/2 + SPDY Cloudflare Nginx patch support as outlined at https://blog.cloudflare.com/open-sourcing-our-nginx-http-2-spdy-code/ and discussed https://community.centminmod.com/threads/http-2-spdy-patch-for-nginx-1-10-nginx-1-11.7516/. Nginx patch made for Nginx 1.9.7 so no guarantees it works on Nginx 1.11.1.

    To enable patch set in persistent config file you create or append at /etc/centminmod/custom_config.inc the variable
    Code (Text):
    NGINX_SPDYPATCHED='y'

    Then centmin.sh menu option 4 to recompile Nginx 1.11.1 or higher. Then double check your nginx vhost config files that listen option line contains both spdy and http2 flags.

    To disable patch comment out the line or set in /etc/centminmod/custom_config.inc
    Code (Text):
    NGINX_SPDYPATCHED='n'

    Then centmin.sh menu option 4 to recompile Nginx 1.11.1 or higher. Then double check your nginx vhost config files that listen option line contains only http2 flags.

    Note there's no guarantee this works on subsequent Nginx 1.11.1+ version updates and may break which maybe problematic if newer Nginx versions involve security updates you want to update for.

    Continue reading...

    123.09beta01 branch

     
  2. Jun 22, 2016 #2
    eva2000

    eva2000 Administrator Staff Member

    35,074
    7,742
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,941
    Local Time:
    1:41 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    FYI doesn't work = broken so don't try !
    Code (Text):
            -o objs/src/http/modules/ngx_http_ssl_module.o \
        src/http/modules/ngx_http_ssl_module.c
src/http/modules/ngx_http_ssl_module.c:445:5: error: expected statement
    }
    ^
1 error generated.
make[1]: *** [objs/src/http/modules/ngx_http_ssl_module.o] Error 1
make[1]: Leaving directory `/svr-setup/nginx-1.11.1'
make: *** [install] Error 2
     
  3. Jun 22, 2016 #3
    bassie

    bassie Active Member

    869
    203
    43
    Apr 29, 2016
    Ratings:
    +609
    Local Time:
    5:41 AM
    Use the Felix patch and you will be fine.
     
  4. Jun 22, 2016 #4
    eva2000

    eva2000 Administrator Staff Member

    35,074
    7,742
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,941
    Local Time:
    1:41 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Just tried fails at same place !

    Code (Text):
    ######################################################################
Patching Nginx for HTTP/2 + SPDY Support
######################################################################
Cloudflare Nginx HTTP/2 + SPDY patch
https://github.com/felixbuenemann/sslconfig/raw/master/patches/nginx__http2_spdy.patch
######################################################################
2016-06-22 13:16:54 URL:https://raw.githubusercontent.com/felixbuenemann/sslconfig/master/patches/nginx__http2_spdy.patch [186213/186213] -> "nginx__http2_spdy.patch" [1]
patching file auto/modules
Hunk #1 succeeded at 139 (offset 44 lines).
Hunk #2 FAILED at 120.
Hunk #3 FAILED at 189.
2 out of 3 hunks FAILED -- saving rejects to file auto/modules.rej
patching file auto/options
Hunk #1 succeeded at 60 (offset 1 line).
Hunk #2 succeeded at 220 (offset 8 lines).
Hunk #3 succeeded at 400 (offset 19 lines).
patching file auto/sources
Hunk #1 succeeded at 249 with fuzz 2 (offset -80 lines).
patching file src/core/ngx_connection.h
Hunk #1 succeeded at 120 (offset 1 line).
patching file src/http/modules/ngx_http_ssl_module.c
Hunk #2 succeeded at 343 (offset 1 line).
Hunk #3 succeeded at 364 (offset 1 line).
Hunk #4 succeeded at 398 (offset 1 line).
patching file src/http/ngx_http.c
Hunk #1 succeeded at 1223 (offset -13 lines).
Hunk #2 succeeded at 1261 (offset -35 lines).
Hunk #3 succeeded at 1298 (offset -35 lines).
Hunk #4 succeeded at 1344 (offset -35 lines).
Hunk #5 succeeded at 1849 (offset -34 lines).
Hunk #6 succeeded at 1952 with fuzz 2 (offset 1 line).
patching file src/http/ngx_http.h
patching file src/http/ngx_http_core_module.c
Hunk #1 succeeded at 2138 (offset 6 lines).
Hunk #2 succeeded at 2489 (offset 6 lines).
Hunk #3 succeeded at 4229 (offset 10 lines).
patching file src/http/ngx_http_core_module.h
Hunk #1 succeeded at 71 (offset -11 lines).
Hunk #2 succeeded at 243 (offset -11 lines).
patching file src/http/ngx_http_request.c
Hunk #1 succeeded at 316 (offset 4 lines).
Hunk #2 succeeded at 806 (offset 4 lines).
Hunk #3 succeeded at 2550 (offset 7 lines).
Hunk #4 succeeded at 2775 with fuzz 2 (offset 161 lines).
Hunk #5 succeeded at 2828 with fuzz 2 (offset 118 lines).
Hunk #6 succeeded at 3042 with fuzz 2 (offset 252 lines).
Hunk #7 succeeded at 3470 (offset -1 lines).
patching file src/http/ngx_http_request.h
Hunk #1 succeeded at 441 (offset 6 lines).
patching file src/http/ngx_http_request_body.c
Hunk #1 succeeded at 52 with fuzz 2 (offset 5 lines).
Hunk #2 succeeded at 531 with fuzz 2 (offset -52 lines).
patching file src/http/ngx_http_spdy.c
patching file src/http/ngx_http_spdy.h
patching file src/http/ngx_http_spdy_filter_module.c
patching file src/http/ngx_http_spdy_module.c
patching file src/http/ngx_http_spdy_module.h
patching file src/http/ngx_http_upstream.c
Hunk #1 succeeded at 493 (offset 12 lines).
Hunk #2 succeeded at 1187 (offset 25 lines).


     
    Last edited: Jun 22, 2016
  5. Jun 22, 2016 #5
    bassie

    bassie Active Member

    869
    203
    43
    Apr 29, 2016
    Ratings:
    +609
    Local Time:
    5:41 AM
    Weird, working fine here since 26 days now with both 1.10 and 1.11.
    Did you compile it against a clean Nginx?
    Could be a 3th party plugin.
     
    • Like Like x 1
  6. Jun 22, 2016 #6
    eva2000

    eva2000 Administrator Staff Member

    35,074
    7,742
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,941
    Local Time:
    1:41 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    yeah did try on nginx clean, could be 3rd party who knows.. will try again later

    line 445 is related to the middle line of src/http/modules/ngx_http_ssl_module.c
    Code (Text):
    #if (NGX_HTTP_V2 || NGX_HTTP_SPDY)
    }
#endif

    Patch basically didn't cleanly update the right lines
    upload_2016-6-22_23-38-0.png
    Code (Text):
    ######################################################################
Patching Nginx for HTTP/2 + SPDY Support
######################################################################
Cloudflare Nginx HTTP/2 + SPDY patch
https://github.com/felixbuenemann/sslconfig/raw/master/patches/nginx__http2_spdy.patch
######################################################################
2016-06-22 13:32:43 URL:https://raw.githubusercontent.com/felixbuenemann/sslconfig/master/patches/nginx__http2_spdy.patch [186213/186213] -> "nginx__http2_spdy.patch" [1]
patching file auto/modules
Hunk #1 succeeded at 139 (offset 44 lines).
Hunk #2 FAILED at 120.
Hunk #3 FAILED at 189.
2 out of 3 hunks FAILED -- saving rejects to file auto/modules.rej
patching file auto/options
Hunk #1 succeeded at 60 (offset 1 line).
Hunk #2 succeeded at 220 (offset 8 lines).
Hunk #3 succeeded at 400 (offset 19 lines).
patching file auto/sources
Hunk #1 succeeded at 249 with fuzz 2 (offset -80 lines).
patching file src/core/ngx_connection.h
Hunk #1 succeeded at 120 (offset 1 line).
patching file src/http/modules/ngx_http_ssl_module.c
Hunk #2 succeeded at 343 (offset 1 line).
Hunk #3 succeeded at 364 (offset 1 line).
Hunk #4 succeeded at 398 (offset 1 line).
patching file src/http/ngx_http.c
Hunk #1 succeeded at 1223 (offset -13 lines).
Hunk #2 succeeded at 1261 (offset -35 lines).
Hunk #3 succeeded at 1298 (offset -35 lines).
Hunk #4 succeeded at 1344 (offset -35 lines).
Hunk #5 succeeded at 1849 (offset -34 lines).
Hunk #6 succeeded at 1952 with fuzz 2 (offset 1 line).
patching file src/http/ngx_http.h
patching file src/http/ngx_http_core_module.c
Hunk #1 succeeded at 2138 (offset 6 lines).
Hunk #2 succeeded at 2489 (offset 6 lines).
Hunk #3 succeeded at 4229 (offset 10 lines).
patching file src/http/ngx_http_core_module.h
Hunk #1 succeeded at 71 (offset -11 lines).
Hunk #2 succeeded at 243 (offset -11 lines).
patching file src/http/ngx_http_request.c
Hunk #1 succeeded at 316 (offset 4 lines).
Hunk #2 succeeded at 806 (offset 4 lines).
Hunk #3 succeeded at 2550 (offset 7 lines).
Hunk #4 succeeded at 2775 with fuzz 2 (offset 161 lines).
Hunk #5 succeeded at 2828 with fuzz 2 (offset 118 lines).
Hunk #6 succeeded at 3042 with fuzz 2 (offset 252 lines).
Hunk #7 succeeded at 3470 (offset -1 lines).
patching file src/http/ngx_http_request.h
Hunk #1 succeeded at 441 (offset 6 lines).
patching file src/http/ngx_http_request_body.c
Hunk #1 succeeded at 52 with fuzz 2 (offset 5 lines).
Hunk #2 succeeded at 531 with fuzz 2 (offset -52 lines).
patching file src/http/ngx_http_spdy.c
patching file src/http/ngx_http_spdy.h
patching file src/http/ngx_http_spdy_filter_module.c
patching file src/http/ngx_http_spdy_module.c
patching file src/http/ngx_http_spdy_module.h
patching file src/http/ngx_http_upstream.c
Hunk #1 succeeded at 493 (offset 12 lines).
Hunk #2 succeeded at 1187 (offset 25 lines).
     
    Last edited: Jun 22, 2016
    • Like Like x 1
  7. Jun 22, 2016 #7
    bassie

    bassie Active Member

    869
    203
    43
    Apr 29, 2016
    Ratings:
    +609
    Local Time:
    5:41 AM
    • Like Like x 1
    • Informative Informative x 1
  8. Jun 23, 2016 #8
    eva2000

    eva2000 Administrator Staff Member

    35,074
    7,742
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,941
    Local Time:
    1:41 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    n
    thanks that works !

    updated 123.09beta01 patch routine for this to use the other branch's updated patch from felix

    Code (Text):
    ######################################################################
Patching Nginx for HTTP/2 + SPDY Support
######################################################################
Cloudflare Nginx HTTP/2 + SPDY patch
https://github.com/felixbuenemann/sslconfig/blob/updated-nginx-1.9.15-spdy-patch/patches/nginx_1_9_15_http2_spdy.patch
######################################################################
2016-06-22 13:59:01 URL:https://raw.githubusercontent.com/felixbuenemann/sslconfig/updated-nginx-1.9.15-spdy-patch/patches/nginx_1_9_15_http2_spdy.patch [188655/188655] -> "nginx_1_9_15_http2_spdy.patch" [1]
patching file auto/modules
patching file auto/options
patching file src/core/ngx_connection.h
patching file src/http/modules/ngx_http_ssl_module.c
patching file src/http/ngx_http.c
Hunk #1 succeeded at 1223 (offset -6 lines).
Hunk #2 succeeded at 1261 (offset -28 lines).
Hunk #3 succeeded at 1298 (offset -28 lines).
Hunk #4 succeeded at 1344 (offset -28 lines).
Hunk #5 succeeded at 1849 (offset -27 lines).
Hunk #6 succeeded at 1917 (offset -27 lines).
patching file src/http/ngx_http.h
patching file src/http/ngx_http_core_module.c
Hunk #1 succeeded at 2138 (offset -2 lines).
Hunk #2 succeeded at 2489 (offset -2 lines).
patching file src/http/ngx_http_core_module.h
Hunk #1 succeeded at 71 (offset -11 lines).
Hunk #2 succeeded at 243 (offset -11 lines).
patching file src/http/ngx_http_request.c
Hunk #1 succeeded at 316 (offset 4 lines).
Hunk #2 succeeded at 806 (offset 4 lines).
Hunk #3 succeeded at 2550 (offset 4 lines).
Hunk #4 succeeded at 2775 (offset 4 lines).
Hunk #5 succeeded at 3460 (offset 8 lines).
patching file src/http/ngx_http_request.h
Hunk #1 succeeded at 441 (offset 2 lines).
patching file src/http/ngx_http_request_body.c
patching file src/http/ngx_http_spdy.c
patching file src/http/ngx_http_spdy.h
patching file src/http/ngx_http_spdy_filter_module.c
patching file src/http/ngx_http_spdy_module.c
patching file src/http/ngx_http_spdy_module.h
patching file src/http/ngx_http_upstream.c
Hunk #2 succeeded at 1187 (offset 3 lines).
patching file src/http/v2/ngx_http_v2_module.c
Hunk #1 succeeded at 34 (offset 1 line).
Hunk #2 succeeded at 120 (offset 10 lines).
Hunk #3 succeeded at 429 (offset 31 lines).


    test nginx ssl vhost config file relevant lines for spdy and http/2
    Code (Text):
    server {
  listen 443 ssl spdy http2;
  server_name domain1.com www.domain1.com;

  ssl_dhparam /usr/local/nginx/conf/ssl/domain1.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/domain1.com/domain1.com.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/domain1.com/domain1.com.key;
  include /usr/local/nginx/conf/ssl_include.conf;

  http2_max_field_size 16k;
  http2_max_header_size 32k;
  # mozilla recommended
  ssl_ciphers EECDH+CHACHA20-draft:EECDH+CHACHA20:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
  ssl_prefer_server_ciphers   on;
  add_header Alternate-Protocol  443:npn-spdy/3;

  #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  #add_header X-Frame-Options SAMEORIGIN;
  #add_header X-Xss-Protection "1; mode=block" always;
  #add_header X-Content-Type-Options "nosniff" always;
  spdy_headers_comp 5;
  ssl_buffer_size 1369;
  ssl_session_tickets on;

    Code (Text):
    openssl s_client -connect domain1.com:443 -nextprotoneg '' | head -n3            
140690912221088:error:140920E3:SSL routines:SSL3_GET_SERVER_HELLO:parse tlsext:s3_clnt.c:1053:
CONNECTED(00000003)
Protocols advertised by server: h2, spdy/3.1, http/1.1
---
     
    Last edited: Jun 23, 2016
    • Like Like x 1
  9. Jun 23, 2016 #9
    bassie

    bassie Active Member

    869
    203
    43
    Apr 29, 2016
    Ratings:
    +609
    Local Time:
    5:41 AM
    Nice!
     
    • Like Like x 1
  10. Jun 23, 2016 #10
    Lil.Tee

    Lil.Tee New Member

    24
    1
    3
    Sep 11, 2015
    Ratings:
    +1
    Local Time:
    10:41 AM
    1.11.1
    MariaDB 10
    Thank you very much!! Awesome!!
     
  11. Jun 23, 2016 #11
    eva2000

    eva2000 Administrator Staff Member

    35,074
    7,742
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,941
    Local Time:
    1:41 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
  12. Jun 23, 2016 #12
    eva2000

    eva2000 Administrator Staff Member

    35,074
    7,742
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,941
    Local Time:
    1:41 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Doing live testing of Centmin Mod 123.09beta01's Nginx 1.11.1 with HTTP/2 + SPDY patch at sslspdy.com
    Code (Text):
    echo QUIT | openssl s_client -connect sslspdy.com:443 -nextprotoneg ' ' 2>&1 | grep 'Protocols advertised'
Protocols advertised by server: h2, spdy/3.1, http/1.1

    is-http2 tool test
    Code (Text):
    is-http2 https://sslspdy.com
✓ HTTP/2 supported by https://sslspdy.com
Supported protocols: h2 spdy/3.1 http/1.1

    curl
    Code (Text):
    curl -Ivs https://sslspdy.com
* Rebuilt URL to: https://sslspdy.com/
*   Trying 192.184.89.66...
* Connected to sslspdy.com (192.184.89.66) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1

    nghttp2 client
    Code (Text):
     nghttp -nav https://sslspdy.com     
[  0.109] Connected
The negotiated protocol: h2
[  0.252] send SETTINGS frame <length=12, flags=0x00, stream_id=0>
          (niv=2)
          [SETTINGS_MAX_CONCURRENT_STREAMS(0x03):100]
          [SETTINGS_INITIAL_WINDOW_SIZE(0x04):65535]

    testssl test - notice the protocol's tested include spdy/3.1 and NPN and h2
    Code (Text):
    testssl https://sslspdy.com

###########################################################
    testssl       2.7dev from https://testssl.sh/dev/
    (1.502 2016/06/15 19:31:09)

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################
Testing protocols (via sockets except TLS 1.2, SPDY+HTTP2)

SSLv2      not offered (OK)
SSLv3      not offered (OK)
TLS 1      offered
TLS 1.1    offered
TLS 1.2    offered (OK)
SPDY/NPN   h2, spdy/3.1, http/1.1 (advertised)
HTTP2/ALPN h2, spdy/3.1, http/1.1 (offered)

Testing ~standard cipher lists

Null Ciphers                 not offered (OK)
Anonymous NULL Ciphers       not offered (OK)
Anonymous DH Ciphers         not offered (OK)
40 Bit encryption            not offered (OK)
56 Bit encryption            not offered (OK)
Export Ciphers (general)     not offered (OK)
Low (<=64 Bit)               not offered (OK)
DES Ciphers                  not offered (OK)
Medium grade encryption      not offered (OK)
Triple DES Ciphers           not offered (OK)
High grade encryption        offered (OK)


Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption as well as 3DES and RC4 here

PFS is offered (OK)  ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA


Testing server preferences

Has server cipher order?     yes (OK)
Negotiated protocol          TLSv1.2
Negotiated cipher            OLD-ECDHE-ECDSA-CHACHA20-POLY1305, 256 bit ECDH
Cipher order
    TLSv1:     ECDHE-ECDSA-AES128-SHA
    TLSv1.1:   ECDHE-ECDSA-AES128-SHA
    TLSv1.2:   OLD-ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES128-SHA
    h2:        OLD-ECDHE-ECDSA-CHACHA20-POLY1305
    spdy/3.1:  OLD-ECDHE-ECDSA-CHACHA20-POLY1305
    http/1.1:  OLD-ECDHE-ECDSA-CHACHA20-POLY1305


Testing server defaults (Server Hello)

TLS extensions (standard)    "renegotiation info/#65281" "EC point formats/#11" "session ticket/#35" "status request/#5" "next protocol/#13172"
Session Tickets RFC 5077     600 seconds (PFS requires session ticket keys to be rotated <= daily)
SSL Session ID support       yes
TLS clock skew               random values, no fingerprinting possible
Signature Algorithm          ECDSA with SHA256
Server key size              ECDSA 256 bits
Fingerprint / Serial         SHA1 155AA462E9EBFC2C608D18AB83DD32C17245C89A / 6F2CECA22E73F3FFA5266435705B5390
                              SHA256 91A3930E8F38C7B1EBBC265953B8773E888544BD7C45F5A6927AF50D80D31C11
Common Name (CN)             "*.sslspdy.com" (wildcard certificate match) (works w/o SNI)
subjectAltName (SAN)         "*.sslspdy.com" "sslspdy.com"
Issuer                       "COMODO ECC Domain Validation Secure Server CA" ("COMODO CA Limited" from "GB")
EV cert (experimental)       no
Certificate Expiration       123 >= 60 days (2014-10-24 00:00 --> 2016-10-23 23:59 +0000)
# of certificates provided   3
Chain of trust (experim.)    "/usr/bin/etc/*.pem" cannot be found / not readable
Certificate Revocation List  http://crl.comodoca.com/COMODOECCDomainValidationSecureServerCA.crl
OCSP URI                     http://ocsp.comodoca.com
OCSP stapling                offered


Testing HTTP header response @ "/"

HTTP Status Code             200 OK
HTTP clock skew              -1464583848 sec from localtime
Strict Transport Security    365 days=31536000 s, includeSubDomains
Public Key Pinning           # of keys: 2, 604800 s = 7 days (<30 days is not good enough), includeSubDomains
                              matching host key: QYBZo54E74EGPmprgubrqe39L01K0kkNQBfJ6hRFUyE
Server banner                nginx centminmod
Application banner           X-Powered-By: centminmod
Cookie(s)                    (none issued at "/")
Security headers             --
Reverse Proxy banner         --


Testing vulnerabilities

Heartbleed (CVE-2014-0160)                not vulnerable (OK) (no heartbeat extension)
CCS (CVE-2014-0224)                       not vulnerable (OK)
Secure Renegotiation (CVE-2009-3555)      not vulnerable (OK)
Secure Client-Initiated Renegotiation     not vulnerable (OK)
CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
BREACH (CVE-2013-3587)                    potentially NOT ok, uses gzip HTTP compression. - only supplied "/" tested
                                           Can be ignored for static pages or if no secrets in the page
POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
TLS_FALLBACK_SCSV (RFC 7507), experim.    Downgrade attack prevention supported (OK)
FREAK (CVE-2015-0204)                     not vulnerable (OK)
DROWN (2016-0800, CVE-2016-0703), exper.  not vulnerable on this port (OK)
                                           make sure you don't use this certificate elsewhere with SSLv2 enabled services
                                           https://censys.io/ipv4?q=91A3930E8F38C7B1EBBC265953B8773E888544BD7C45F5A6927AF50D80D31C11 could help you to find out
LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK), common primes not checked. See below for any DH ciphers + bit size
BEAST (CVE-2011-3389)                     TLS1: ECDHE-ECDSA-AES128-SHA
                                           VULNERABLE -- but also supports higher protocols (possible mitigation): TLSv1.1 TLSv1.2
RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)


Testing all 183 locally available ciphers against the server, ordered by encryption strength

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.  Encryption Bits
------------------------------------------------------------------------
xcc14   OLD-ECDHE-ECDSA-CHACHA20-POLY1305 ECDH 256   ChaCha20  256     
xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH 256   AESGCM    256     
xc024   ECDHE-ECDSA-AES256-SHA384         ECDH 256   AES       256     
xc02b   ECDHE-ECDSA-AES128-GCM-SHA256     ECDH 256   AESGCM    128     
xc023   ECDHE-ECDSA-AES128-SHA256         ECDH 256   AES       128     
xc009   ECDHE-ECDSA-AES128-SHA            ECDH 256   AES       128     


Running browser simulations (experimental)

Android 2.3.7                 No connection
Android 4.0.4                 TLSv1 ECDHE-ECDSA-AES128-SHA
Android 4.1.1                 TLSv1 ECDHE-ECDSA-AES128-SHA
Android 4.2.2                 TLSv1 ECDHE-ECDSA-AES128-SHA
Android 4.3                   TLSv1.0 ECDHE-ECDSA-AES128-SHA
Android 4.4.2                 TLSv1.1 ECDHE-ECDSA-AES128-SHA
Android 5.0.0                 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
Baidu Jan 2015                TLSv1 ECDHE-ECDSA-AES128-SHA
BingPreview Jan 2015          TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
Chrome 47 / OSX               TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
Firefox 31.3.0ESR / Win7      TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
Firefox 42 / OSX              TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
GoogleBot Feb 2015            TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
IE6 / XP                      No connection
IE7 / Vista                   TLSv1.0 ECDHE-ECDSA-AES128-SHA
IE8 / XP                      No connection
IE8-10 / Win7                 TLSv1.0 ECDHE-ECDSA-AES128-SHA
IE11 / Win7                   TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
IE11 / Win8.1                 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
IE10 / Win Phone 8.0          TLSv1.0 ECDHE-ECDSA-AES128-SHA
IE11 / Win Phone 8.1          TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
IE11 / Win Phone 8.1 Update   TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
IE11 / Win10                  TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
Edge 13 / Win10               TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
Edge 12 / Win Phone 10        TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
Java 6u45                     No connection
Java 7u25                     TLSv1 ECDHE-ECDSA-AES128-SHA
Java 8u31                     TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
OpenSSL 0.9.8y                No connection
OpenSSL 1.0.1l                TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
OpenSSL 1.0.2e                TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
Safari 5.1.9/ OSX 10.6.8      TLSv1 ECDHE-ECDSA-AES128-SHA
Safari 6 / iOS 6.0.1          TLSv1.2 ECDHE-ECDSA-AES128-SHA256
Safari 6.0.4/ OS X 10.8.4     TLSv1 ECDHE-ECDSA-AES128-SHA
Safari 7 / iOS 7.1            TLSv1.2 ECDHE-ECDSA-AES128-SHA256
Safari 7 / OS X 10.9          TLSv1.2 ECDHE-ECDSA-AES128-SHA256
Safari 8 / iOS 8.4            TLSv1.2 ECDHE-ECDSA-AES128-SHA256
Safari 8 / OS X 10.10         TLSv1.2 ECDHE-ECDSA-AES128-SHA256
Safari 9 / iOS 9              TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
Safari 9 / OS X 10.11         TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384

    SSLLabs test reports NPN and SPDY/3.1 support + ALPN and HTTP/2 support

    sslspdycom-spdy-http2-patch-ssllabs-01.png
    sslspdycom-spdy-http2-patch-ssllabs-02.png
     
    Last edited: Jun 23, 2016
  13. Jan 9, 2018 #13
    rdan

    rdan Premium Member Premium Member

    4,227
    1,028
    113
    May 25, 2014
    Ratings:
    +1,469
    Local Time:
    11:41 AM
    Mainline
    10.2
  14. Jan 9, 2018 #14
    eva2000

    eva2000 Administrator Staff Member

    35,074
    7,742
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,941
    Local Time:
    1:41 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    This patch no long useful as browsers have deprecated spdy so consider it disabled

    also currently sslspdy site server had to be reinstalled so hasn't been setup with HTTPS
     
    • Like Like x 1
Previous Thread Next Thread
Loading...
..

.