
Beta Branch add NGINX_SPDYPATCHED variable support 123.09beta01

Discussion in 'Centmin Mod Github Commits' started by eva2000, Jun 22, 2016.

  1. eva2000

    eva2000 Administrator Staff Member

    add NGINX_SPDYPATCHED variable support 123.09beta01

    Disabled by default with NGINX_SPDYPATCHED='n'. Experimental HTTP/2 + SPDY Cloudflare Nginx patch support as outlined at https://blog.cloudflare.com/open-sourcing-our-nginx-http-2-spdy-code/ and discussed at https://community.centminmod.com/threads/http-2-spdy-patch-for-nginx-1-10-nginx-1-11.7516/. The Nginx patch was made for Nginx 1.9.7, so there are no guarantees it works on Nginx 1.11.1.


    To enable the patch, set the following variable in the persistent config file you create or append to at /etc/centminmod/custom_config.inc:
    Code (Text):
    NGINX_SPDYPATCHED='y'
    

    Then use centmin.sh menu option 4 to recompile Nginx 1.11.1 or higher. Then double check that the listen option line in your nginx vhost config files contains both the spdy and http2 flags.

    To disable the patch, comment out the line or set the following in /etc/centminmod/custom_config.inc:
    Code (Text):
    NGINX_SPDYPATCHED='n'
    

    Then use centmin.sh menu option 4 to recompile Nginx 1.11.1 or higher. Then double check that the listen option line in your nginx vhost config files contains only the http2 flag.

    Note there's no guarantee this works on subsequent Nginx 1.11.1+ version updates, and it may break, which may be problematic if newer Nginx versions involve security updates you want to update for.


    123.09beta01 branch
     
  2. eva2000

    eva2000 Administrator Staff Member

    FYI doesn't work = broken, so don't try!
    Code (Text):
            -o objs/src/http/modules/ngx_http_ssl_module.o \
            src/http/modules/ngx_http_ssl_module.c
    src/http/modules/ngx_http_ssl_module.c:445:5: error: expected statement
        }
        ^
    1 error generated.
    make[1]: *** [objs/src/http/modules/ngx_http_ssl_module.o] Error 1
    make[1]: Leaving directory `/svr-setup/nginx-1.11.1'
    make: *** [install] Error 2
    
     
  3. buik

    buik “The best traveler is one without a camera.”

    Use the Felix patch and you will be fine.
     
  4. eva2000

    eva2000 Administrator Staff Member

    Just tried, fails at the same place!

    Code (Text):
    ######################################################################
    Patching Nginx for HTTP/2 + SPDY Support
    ######################################################################
    Cloudflare Nginx HTTP/2 + SPDY patch
    https://github.com/felixbuenemann/sslconfig/raw/master/patches/nginx__http2_spdy.patch
    ######################################################################
    2016-06-22 13:16:54 URL:https://raw.githubusercontent.com/felixbuenemann/sslconfig/master/patches/nginx__http2_spdy.patch [186213/186213] -> "nginx__http2_spdy.patch" [1]
    patching file auto/modules
    Hunk #1 succeeded at 139 (offset 44 lines).
    Hunk #2 FAILED at 120.
    Hunk #3 FAILED at 189.
    2 out of 3 hunks FAILED -- saving rejects to file auto/modules.rej
    patching file auto/options
    Hunk #1 succeeded at 60 (offset 1 line).
    Hunk #2 succeeded at 220 (offset 8 lines).
    Hunk #3 succeeded at 400 (offset 19 lines).
    patching file auto/sources
    Hunk #1 succeeded at 249 with fuzz 2 (offset -80 lines).
    patching file src/core/ngx_connection.h
    Hunk #1 succeeded at 120 (offset 1 line).
    patching file src/http/modules/ngx_http_ssl_module.c
    Hunk #2 succeeded at 343 (offset 1 line).
    Hunk #3 succeeded at 364 (offset 1 line).
    Hunk #4 succeeded at 398 (offset 1 line).
    patching file src/http/ngx_http.c
    Hunk #1 succeeded at 1223 (offset -13 lines).
    Hunk #2 succeeded at 1261 (offset -35 lines).
    Hunk #3 succeeded at 1298 (offset -35 lines).
    Hunk #4 succeeded at 1344 (offset -35 lines).
    Hunk #5 succeeded at 1849 (offset -34 lines).
    Hunk #6 succeeded at 1952 with fuzz 2 (offset 1 line).
    patching file src/http/ngx_http.h
    patching file src/http/ngx_http_core_module.c
    Hunk #1 succeeded at 2138 (offset 6 lines).
    Hunk #2 succeeded at 2489 (offset 6 lines).
    Hunk #3 succeeded at 4229 (offset 10 lines).
    patching file src/http/ngx_http_core_module.h
    Hunk #1 succeeded at 71 (offset -11 lines).
    Hunk #2 succeeded at 243 (offset -11 lines).
    patching file src/http/ngx_http_request.c
    Hunk #1 succeeded at 316 (offset 4 lines).
    Hunk #2 succeeded at 806 (offset 4 lines).
    Hunk #3 succeeded at 2550 (offset 7 lines).
    Hunk #4 succeeded at 2775 with fuzz 2 (offset 161 lines).
    Hunk #5 succeeded at 2828 with fuzz 2 (offset 118 lines).
    Hunk #6 succeeded at 3042 with fuzz 2 (offset 252 lines).
    Hunk #7 succeeded at 3470 (offset -1 lines).
    patching file src/http/ngx_http_request.h
    Hunk #1 succeeded at 441 (offset 6 lines).
    patching file src/http/ngx_http_request_body.c
    Hunk #1 succeeded at 52 with fuzz 2 (offset 5 lines).
    Hunk #2 succeeded at 531 with fuzz 2 (offset -52 lines).
    patching file src/http/ngx_http_spdy.c
    patching file src/http/ngx_http_spdy.h
    patching file src/http/ngx_http_spdy_filter_module.c
    patching file src/http/ngx_http_spdy_module.c
    patching file src/http/ngx_http_spdy_module.h
    patching file src/http/ngx_http_upstream.c
    Hunk #1 succeeded at 493 (offset 12 lines).
    Hunk #2 succeeded at 1187 (offset 25 lines).


     
    Last edited: Jun 22, 2016
  5. buik

    buik “The best traveler is one without a camera.”

    Weird, working fine here for 26 days now with both 1.10 and 1.11.
    Did you compile it against a clean Nginx?
    Could be a 3rd party plugin.
     
  6. eva2000

    eva2000 Administrator Staff Member

    Yeah, did try on clean nginx, could be 3rd party, who knows... will try again later.

    Line 445 is related to the middle line of src/http/modules/ngx_http_ssl_module.c:
    Code (Text):
    #if (NGX_HTTP_V2 || NGX_HTTP_SPDY)
        }
    #endif
    

    Patch basically didn't cleanly update the right lines.
    Code (Text):
    ######################################################################
    Patching Nginx for HTTP/2 + SPDY Support
    ######################################################################
    Cloudflare Nginx HTTP/2 + SPDY patch
    https://github.com/felixbuenemann/sslconfig/raw/master/patches/nginx__http2_spdy.patch
    ######################################################################
    2016-06-22 13:32:43 URL:https://raw.githubusercontent.com/felixbuenemann/sslconfig/master/patches/nginx__http2_spdy.patch [186213/186213] -> "nginx__http2_spdy.patch" [1]
    patching file auto/modules
    Hunk #1 succeeded at 139 (offset 44 lines).
    Hunk #2 FAILED at 120.
    Hunk #3 FAILED at 189.
    2 out of 3 hunks FAILED -- saving rejects to file auto/modules.rej
    patching file auto/options
    Hunk #1 succeeded at 60 (offset 1 line).
    Hunk #2 succeeded at 220 (offset 8 lines).
    Hunk #3 succeeded at 400 (offset 19 lines).
    patching file auto/sources
    Hunk #1 succeeded at 249 with fuzz 2 (offset -80 lines).
    patching file src/core/ngx_connection.h
    Hunk #1 succeeded at 120 (offset 1 line).
    patching file src/http/modules/ngx_http_ssl_module.c
    Hunk #2 succeeded at 343 (offset 1 line).
    Hunk #3 succeeded at 364 (offset 1 line).
    Hunk #4 succeeded at 398 (offset 1 line).
    patching file src/http/ngx_http.c
    Hunk #1 succeeded at 1223 (offset -13 lines).
    Hunk #2 succeeded at 1261 (offset -35 lines).
    Hunk #3 succeeded at 1298 (offset -35 lines).
    Hunk #4 succeeded at 1344 (offset -35 lines).
    Hunk #5 succeeded at 1849 (offset -34 lines).
    Hunk #6 succeeded at 1952 with fuzz 2 (offset 1 line).
    patching file src/http/ngx_http.h
    patching file src/http/ngx_http_core_module.c
    Hunk #1 succeeded at 2138 (offset 6 lines).
    Hunk #2 succeeded at 2489 (offset 6 lines).
    Hunk #3 succeeded at 4229 (offset 10 lines).
    patching file src/http/ngx_http_core_module.h
    Hunk #1 succeeded at 71 (offset -11 lines).
    Hunk #2 succeeded at 243 (offset -11 lines).
    patching file src/http/ngx_http_request.c
    Hunk #1 succeeded at 316 (offset 4 lines).
    Hunk #2 succeeded at 806 (offset 4 lines).
    Hunk #3 succeeded at 2550 (offset 7 lines).
    Hunk #4 succeeded at 2775 with fuzz 2 (offset 161 lines).
    Hunk #5 succeeded at 2828 with fuzz 2 (offset 118 lines).
    Hunk #6 succeeded at 3042 with fuzz 2 (offset 252 lines).
    Hunk #7 succeeded at 3470 (offset -1 lines).
    patching file src/http/ngx_http_request.h
    Hunk #1 succeeded at 441 (offset 6 lines).
    patching file src/http/ngx_http_request_body.c
    Hunk #1 succeeded at 52 with fuzz 2 (offset 5 lines).
    Hunk #2 succeeded at 531 with fuzz 2 (offset -52 lines).
    patching file src/http/ngx_http_spdy.c
    patching file src/http/ngx_http_spdy.h
    patching file src/http/ngx_http_spdy_filter_module.c
    patching file src/http/ngx_http_spdy_module.c
    patching file src/http/ngx_http_spdy_module.h
    patching file src/http/ngx_http_upstream.c
    Hunk #1 succeeded at 493 (offset 12 lines).
    Hunk #2 succeeded at 1187 (offset 25 lines).
     
    Last edited: Jun 22, 2016
  7. buik

    buik “The best traveler is one without a camera.”

  8. eva2000

    eva2000 Administrator Staff Member

    Thanks, that works!

    Updated the 123.09beta01 patch routine for this to use the other branch's updated patch from Felix.

    Code (Text):
    ######################################################################
    Patching Nginx for HTTP/2 + SPDY Support
    ######################################################################
    Cloudflare Nginx HTTP/2 + SPDY patch
    https://github.com/felixbuenemann/sslconfig/blob/updated-nginx-1.9.15-spdy-patch/patches/nginx_1_9_15_http2_spdy.patch
    ######################################################################
    2016-06-22 13:59:01 URL:https://raw.githubusercontent.com/felixbuenemann/sslconfig/updated-nginx-1.9.15-spdy-patch/patches/nginx_1_9_15_http2_spdy.patch [188655/188655] -> "nginx_1_9_15_http2_spdy.patch" [1]
    patching file auto/modules
    patching file auto/options
    patching file src/core/ngx_connection.h
    patching file src/http/modules/ngx_http_ssl_module.c
    patching file src/http/ngx_http.c
    Hunk #1 succeeded at 1223 (offset -6 lines).
    Hunk #2 succeeded at 1261 (offset -28 lines).
    Hunk #3 succeeded at 1298 (offset -28 lines).
    Hunk #4 succeeded at 1344 (offset -28 lines).
    Hunk #5 succeeded at 1849 (offset -27 lines).
    Hunk #6 succeeded at 1917 (offset -27 lines).
    patching file src/http/ngx_http.h
    patching file src/http/ngx_http_core_module.c
    Hunk #1 succeeded at 2138 (offset -2 lines).
    Hunk #2 succeeded at 2489 (offset -2 lines).
    patching file src/http/ngx_http_core_module.h
    Hunk #1 succeeded at 71 (offset -11 lines).
    Hunk #2 succeeded at 243 (offset -11 lines).
    patching file src/http/ngx_http_request.c
    Hunk #1 succeeded at 316 (offset 4 lines).
    Hunk #2 succeeded at 806 (offset 4 lines).
    Hunk #3 succeeded at 2550 (offset 4 lines).
    Hunk #4 succeeded at 2775 (offset 4 lines).
    Hunk #5 succeeded at 3460 (offset 8 lines).
    patching file src/http/ngx_http_request.h
    Hunk #1 succeeded at 441 (offset 2 lines).
    patching file src/http/ngx_http_request_body.c
    patching file src/http/ngx_http_spdy.c
    patching file src/http/ngx_http_spdy.h
    patching file src/http/ngx_http_spdy_filter_module.c
    patching file src/http/ngx_http_spdy_module.c
    patching file src/http/ngx_http_spdy_module.h
    patching file src/http/ngx_http_upstream.c
    Hunk #2 succeeded at 1187 (offset 3 lines).
    patching file src/http/v2/ngx_http_v2_module.c
    Hunk #1 succeeded at 34 (offset 1 line).
    Hunk #2 succeeded at 120 (offset 10 lines).
    Hunk #3 succeeded at 429 (offset 31 lines).
    


    Test nginx SSL vhost config file, relevant lines for SPDY and HTTP/2:
    Code (Text):
    server {
      listen 443 ssl spdy http2;
      server_name domain1.com www.domain1.com;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/domain1.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/domain1.com/domain1.com.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/domain1.com/domain1.com.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers EECDH+CHACHA20-draft:EECDH+CHACHA20:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
      ssl_prefer_server_ciphers   on;
      add_header Alternate-Protocol  443:npn-spdy/3;
    
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;

    Code (Text):
    openssl s_client -connect domain1.com:443 -nextprotoneg '' | head -n3            
    140690912221088:error:140920E3:SSL routines:SSL3_GET_SERVER_HELLO:parse tlsext:s3_clnt.c:1053:
    CONNECTED(00000003)
    Protocols advertised by server: h2, spdy/3.1, http/1.1
    ---
    
     
    Last edited: Jun 23, 2016
  9. buik

    buik “The best traveler is one without a camera.”

    Nice!
     
  10. Lil.Tee

    Lil.Tee New Member

    Thank you very much!! Awesome!!
     
  11. eva2000

    eva2000 Administrator Staff Member

  12. eva2000

    eva2000 Administrator Staff Member

    Doing live testing of Centmin Mod 123.09beta01's Nginx 1.11.1 with HTTP/2 + SPDY patch at sslspdy.com
    Code (Text):
    echo QUIT | openssl s_client -connect sslspdy.com:443 -nextprotoneg ' ' 2>&1 | grep 'Protocols advertised'
    Protocols advertised by server: h2, spdy/3.1, http/1.1

    is-http2 tool test
    Code (Text):
    is-http2 https://sslspdy.com
    ✓ HTTP/2 supported by https://sslspdy.com
    Supported protocols: h2 spdy/3.1 http/1.1
    

    curl
    Code (Text):
    curl -Ivs https://sslspdy.com
    * Rebuilt URL to: https://sslspdy.com/
    *   Trying 192.184.89.66...
    * Connected to sslspdy.com (192.184.89.66) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    

    nghttp2 client
    Code (Text):
     nghttp -nav https://sslspdy.com     
    [  0.109] Connected
    The negotiated protocol: h2
    [  0.252] send SETTINGS frame <length=12, flags=0x00, stream_id=0>
              (niv=2)
              [SETTINGS_MAX_CONCURRENT_STREAMS(0x03):100]
              [SETTINGS_INITIAL_WINDOW_SIZE(0x04):65535]

    testssl test - notice the protocols tested include spdy/3.1 and NPN and h2
    Code (Text):
    testssl https://sslspdy.com
    
    ###########################################################
        testssl       2.7dev from https://testssl.sh/dev/
        (1.502 2016/06/15 19:31:09)
    
          This program is free software. Distribution and
                 modification under GPLv2 permitted.
          USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
    
           Please file bugs @ https://testssl.sh/bugs/
    
    ###########################################################
    Testing protocols (via sockets except TLS 1.2, SPDY+HTTP2)
    
    SSLv2      not offered (OK)
    SSLv3      not offered (OK)
    TLS 1      offered
    TLS 1.1    offered
    TLS 1.2    offered (OK)
    SPDY/NPN   h2, spdy/3.1, http/1.1 (advertised)
    HTTP2/ALPN h2, spdy/3.1, http/1.1 (offered)
    
    Testing ~standard cipher lists
    
    Null Ciphers                 not offered (OK)
    Anonymous NULL Ciphers       not offered (OK)
    Anonymous DH Ciphers         not offered (OK)
    40 Bit encryption            not offered (OK)
    56 Bit encryption            not offered (OK)
    Export Ciphers (general)     not offered (OK)
    Low (<=64 Bit)               not offered (OK)
    DES Ciphers                  not offered (OK)
    Medium grade encryption      not offered (OK)
    Triple DES Ciphers           not offered (OK)
    High grade encryption        offered (OK)
    
    
    Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption as well as 3DES and RC4 here
    
    PFS is offered (OK)  ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA
    
    
    Testing server preferences
    
    Has server cipher order?     yes (OK)
    Negotiated protocol          TLSv1.2
    Negotiated cipher            OLD-ECDHE-ECDSA-CHACHA20-POLY1305, 256 bit ECDH
    Cipher order
        TLSv1:     ECDHE-ECDSA-AES128-SHA
        TLSv1.1:   ECDHE-ECDSA-AES128-SHA
        TLSv1.2:   OLD-ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES128-SHA
        h2:        OLD-ECDHE-ECDSA-CHACHA20-POLY1305
        spdy/3.1:  OLD-ECDHE-ECDSA-CHACHA20-POLY1305
        http/1.1:  OLD-ECDHE-ECDSA-CHACHA20-POLY1305
    
    
    Testing server defaults (Server Hello)
    
    TLS extensions (standard)    "renegotiation info/#65281" "EC point formats/#11" "session ticket/#35" "status request/#5" "next protocol/#13172"
    Session Tickets RFC 5077     600 seconds (PFS requires session ticket keys to be rotated <= daily)
    SSL Session ID support       yes
    TLS clock skew               random values, no fingerprinting possible
    Signature Algorithm          ECDSA with SHA256
    Server key size              ECDSA 256 bits
    Fingerprint / Serial         SHA1 155AA462E9EBFC2C608D18AB83DD32C17245C89A / 6F2CECA22E73F3FFA5266435705B5390
                                  SHA256 91A3930E8F38C7B1EBBC265953B8773E888544BD7C45F5A6927AF50D80D31C11
    Common Name (CN)             "*.sslspdy.com" (wildcard certificate match) (works w/o SNI)
    subjectAltName (SAN)         "*.sslspdy.com" "sslspdy.com"
    Issuer                       "COMODO ECC Domain Validation Secure Server CA" ("COMODO CA Limited" from "GB")
    EV cert (experimental)       no
    Certificate Expiration       123 >= 60 days (2014-10-24 00:00 --> 2016-10-23 23:59 +0000)
    # of certificates provided   3
    Chain of trust (experim.)    "/usr/bin/etc/*.pem" cannot be found / not readable
    Certificate Revocation List  http://crl.comodoca.com/COMODOECCDomainValidationSecureServerCA.crl
    OCSP URI                     http://ocsp.comodoca.com
    OCSP stapling                offered
    
    
    Testing HTTP header response @ "/"
    
    HTTP Status Code             200 OK
    HTTP clock skew              -1464583848 sec from localtime
    Strict Transport Security    365 days=31536000 s, includeSubDomains
    Public Key Pinning           # of keys: 2, 604800 s = 7 days (<30 days is not good enough), includeSubDomains
                                  matching host key: QYBZo54E74EGPmprgubrqe39L01K0kkNQBfJ6hRFUyE
    Server banner                nginx centminmod
    Application banner           X-Powered-By: centminmod
    Cookie(s)                    (none issued at "/")
    Security headers             --
    Reverse Proxy banner         --
    
    
    Testing vulnerabilities
    
    Heartbleed (CVE-2014-0160)                not vulnerable (OK) (no heartbeat extension)
    CCS (CVE-2014-0224)                       not vulnerable (OK)
    Secure Renegotiation (CVE-2009-3555)      not vulnerable (OK)
    Secure Client-Initiated Renegotiation     not vulnerable (OK)
    CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
    BREACH (CVE-2013-3587)                    potentially NOT ok, uses gzip HTTP compression. - only supplied "/" tested
                                               Can be ignored for static pages or if no secrets in the page
    POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
    TLS_FALLBACK_SCSV (RFC 7507), experim.    Downgrade attack prevention supported (OK)
    FREAK (CVE-2015-0204)                     not vulnerable (OK)
    DROWN (2016-0800, CVE-2016-0703), exper.  not vulnerable on this port (OK)
                                               make sure you don't use this certificate elsewhere with SSLv2 enabled services
                                               https://censys.io/ipv4?q=91A3930E8F38C7B1EBBC265953B8773E888544BD7C45F5A6927AF50D80D31C11 could help you to find out
    LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK), common primes not checked. See below for any DH ciphers + bit size
    BEAST (CVE-2011-3389)                     TLS1: ECDHE-ECDSA-AES128-SHA
                                               VULNERABLE -- but also supports higher protocols (possible mitigation): TLSv1.1 TLSv1.2
    RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)
    
    
    Testing all 183 locally available ciphers against the server, ordered by encryption strength
    
    Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.  Encryption Bits
    ------------------------------------------------------------------------
    xcc14   OLD-ECDHE-ECDSA-CHACHA20-POLY1305 ECDH 256   ChaCha20  256     
    xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH 256   AESGCM    256     
    xc024   ECDHE-ECDSA-AES256-SHA384         ECDH 256   AES       256     
    xc02b   ECDHE-ECDSA-AES128-GCM-SHA256     ECDH 256   AESGCM    128     
    xc023   ECDHE-ECDSA-AES128-SHA256         ECDH 256   AES       128     
    xc009   ECDHE-ECDSA-AES128-SHA            ECDH 256   AES       128     
    
    
    Running browser simulations (experimental)
    
    Android 2.3.7                 No connection
    Android 4.0.4                 TLSv1 ECDHE-ECDSA-AES128-SHA
    Android 4.1.1                 TLSv1 ECDHE-ECDSA-AES128-SHA
    Android 4.2.2                 TLSv1 ECDHE-ECDSA-AES128-SHA
    Android 4.3                   TLSv1.0 ECDHE-ECDSA-AES128-SHA
    Android 4.4.2                 TLSv1.1 ECDHE-ECDSA-AES128-SHA
    Android 5.0.0                 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
    Baidu Jan 2015                TLSv1 ECDHE-ECDSA-AES128-SHA
    BingPreview Jan 2015          TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
    Chrome 47 / OSX               TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
    Firefox 31.3.0ESR / Win7      TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
    Firefox 42 / OSX              TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
    GoogleBot Feb 2015            TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
    IE6 / XP                      No connection
    IE7 / Vista                   TLSv1.0 ECDHE-ECDSA-AES128-SHA
    IE8 / XP                      No connection
    IE8-10 / Win7                 TLSv1.0 ECDHE-ECDSA-AES128-SHA
    IE11 / Win7                   TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
    IE11 / Win8.1                 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
    IE10 / Win Phone 8.0          TLSv1.0 ECDHE-ECDSA-AES128-SHA
    IE11 / Win Phone 8.1          TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
    IE11 / Win Phone 8.1 Update   TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
    IE11 / Win10                  TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
    Edge 13 / Win10               TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
    Edge 12 / Win Phone 10        TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
    Java 6u45                     No connection
    Java 7u25                     TLSv1 ECDHE-ECDSA-AES128-SHA
    Java 8u31                     TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
    OpenSSL 0.9.8y                No connection
    OpenSSL 1.0.1l                TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
    OpenSSL 1.0.2e                TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
    Safari 5.1.9/ OSX 10.6.8      TLSv1 ECDHE-ECDSA-AES128-SHA
    Safari 6 / iOS 6.0.1          TLSv1.2 ECDHE-ECDSA-AES128-SHA256
    Safari 6.0.4/ OS X 10.8.4     TLSv1 ECDHE-ECDSA-AES128-SHA
    Safari 7 / iOS 7.1            TLSv1.2 ECDHE-ECDSA-AES128-SHA256
    Safari 7 / OS X 10.9          TLSv1.2 ECDHE-ECDSA-AES128-SHA256
    Safari 8 / iOS 8.4            TLSv1.2 ECDHE-ECDSA-AES128-SHA256
    Safari 8 / OS X 10.10         TLSv1.2 ECDHE-ECDSA-AES128-SHA256
    Safari 9 / iOS 9              TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
    Safari 9 / OS X 10.11         TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
    

    SSLLabs test reports NPN and SPDY/3.1 support + ALPN and HTTP/2 support

     
    Last edited: Jun 23, 2016
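    The following is an added example, not Centmin Mod's own code, tying together the checks this thread describes: the NGINX_SPDYPATCHED value in /etc/centminmod/custom_config.inc (first post), the spdy/http2 flags expected on the vhost listen lines after recompiling (first post), and the NPN protocol list that `openssl s_client -nextprotoneg ''` prints (posts 8 and 12). The config path and variable name are from the thread; the vhost file, the s_client output and the temp files are constructed so it runs offline.

```shell
#!/bin/sh
# Added example, not Centmin Mod's own code. Cross-checks three things the
# thread describes: the NGINX_SPDYPATCHED value in custom_config.inc, the
# flags on the vhost "listen ... ssl" lines, and the NPN protocol list that
# "openssl s_client -nextprotoneg ''" reports. All sample inputs below are
# constructed; only the config path and variable name come from the thread.
set -u

# Read NGINX_SPDYPATCHED from a custom_config.inc-style file. A commented-out
# or missing line counts as 'n', matching the thread's default.
spdy_setting() {
  val=$(sed -n -E "s/^[[:space:]]*NGINX_SPDYPATCHED=['\"]?([yn])['\"]?.*/\1/p" \
          "$1" 2>/dev/null | tail -n1)
  printf '%s\n' "${val:-n}"
}

# Flags an SSL listen line should carry: 'y' -> "spdy http2", else "http2".
expected_flags() {
  case "$1" in
    y) printf 'spdy http2\n' ;;
    *) printf 'http2\n' ;;
  esac
}

# Check every "listen ... ssl" line of a vhost file against the setting.
# Returns 0 when all lines agree, 1 otherwise (offending lines are printed).
check_listen_lines() {
  vhost="$1"; setting="$2"; rc=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    case "$line" in *spdy*) has_spdy=1 ;; *) has_spdy=0 ;; esac
    case "$line" in *http2*) has_h2=1 ;; *) has_h2=0 ;; esac
    if [ "$has_h2" -eq 0 ]; then
      echo "missing http2 flag: $line"; rc=1
    elif [ "$setting" = y ] && [ "$has_spdy" -eq 0 ]; then
      echo "patch enabled but spdy flag missing: $line"; rc=1
    elif [ "$setting" != y ] && [ "$has_spdy" -eq 1 ]; then
      echo "patch disabled but spdy flag still present: $line"; rc=1
    fi
  done <<EOF
$(grep -E '^[[:space:]]*listen[[:space:]].*[[:space:]]ssl([[:space:];]|$)' "$vhost")
EOF
  return "$rc"
}

# Parse the "Protocols advertised by server:" line from s_client output.
# h2 must always be present; spdy/3.1 only when the patch is enabled.
check_advertised() {
  setting="$2"
  protos=$(printf '%s\n' "$1" | sed -n 's/^Protocols advertised by server: //p' | tr -d ',')
  [ -n "$protos" ] || { echo "no NPN protocol list in output"; return 1; }
  case " $protos " in *" h2 "*) ;; *) echo "h2 not advertised: $protos"; return 1 ;; esac
  case " $protos " in
    *" spdy/3.1 "*) [ "$setting" = y ] || { echo "spdy/3.1 advertised but patch disabled"; return 1; } ;;
    *) [ "$setting" != y ] || { echo "patch enabled but spdy/3.1 not advertised"; return 1; } ;;
  esac
  return 0
}

# Offline demo on constructed files; a real run would point the first two at
# /etc/centminmod/custom_config.inc and the vhost file, and feed the third the
# output of: echo QUIT | openssl s_client -connect host:443 -nextprotoneg ''
demo() {
  d=$(mktemp -d)
  printf "NGINX_SPDYPATCHED='y'\n" > "$d/custom_config.inc"
  printf 'server {\n  listen 443 ssl spdy http2;\n  listen 80;\n}\n' > "$d/domain1.com.ssl.conf"
  out='CONNECTED(00000003)
Protocols advertised by server: h2, spdy/3.1, http/1.1
---'
  s=$(spdy_setting "$d/custom_config.inc")
  echo "NGINX_SPDYPATCHED=$s, expected listen flags: $(expected_flags "$s")"
  check_listen_lines "$d/domain1.com.ssl.conf" "$s" && echo "listen lines OK"
  check_advertised "$out" "$s" && echo "advertised protocols OK"
  rm -rf "$d"
}
demo
```

A non-zero exit from check_listen_lines after flipping NGINX_SPDYPATCHED is the case the first post warns about: a listen line still carrying a flag the recompiled binary no longer matches.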
  13. rdan

    rdan Well-Known Member

  14. eva2000

    eva2000 Administrator Staff Member

    This patch is no longer useful as browsers have deprecated SPDY, so consider it disabled.

    Also, the sslspdy site server currently had to be reinstalled, so it hasn't been set up with HTTPS.