
Beta Branch add optional OpenSSL 1.1.0g patch for Cloudflare Equal Cipher Prefere…

Discussion in 'Centmin Mod Github Commits' started by eva2000, Jan 6, 2018.

    eva2000 Administrator Staff Member
    add optional OpenSSL 1.1.0g patch for Cloudflare Equal Cipher Preference Groups

    - for 64bit systems only, as a lot of Cloudflare patches only work on 64bit CPUs
    - when Nginx is recompiled via centmin.sh menu option 4 with the variables LIBRESSL_SWITCH='y' and OPENSSLEQUALCIPHER_PATCH='y' set beforehand in the persistent config file /etc/centminmod/custom_config.inc, and the OpenSSL version used is 1.1.0g, then OpenSSL 1.1.0g is patched with Cloudflare's backported Equal Cipher Preference Groups patch, which is originally a BoringSSL feature not available in OpenSSL. Details: OpenSSL - [PATCH] OpenSSL 1.1 Equal-preference groups of cipher suites
    - this patch allows a server to prefer one of the AES-GCM or ChaCha20 ciphers, but to let the client pick which one. When coupled with clients that boost AES-GCM in their preferences when AES-NI is present, this allows us to use AES-GCM when the hardware exists and ChaCha20 otherwise.
    - with this patch enabled, you need to change your Nginx HTTPS vhost config file's ssl_ciphers to the following:

    Code (Text):
    ssl_ciphers '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES';
    



    123.09beta01 branch
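As an added illustration of what the bracketed group in that ssl_ciphers line actually changes (example code written for this page, not part of the Centmin Mod commit, the Cloudflare patch or OpenSSL), the Python below parses the `[a|b]:c:d` syntax from the commit message and simulates the negotiation: the server walks its list in order, but inside a bracketed group the client's own ordering decides. The two client offer lists and the `select_cipher_server_only` baseline are constructed for comparison, and OpenSSL selector tokens such as `ECDHE+AES128` are kept as opaque strings rather than expanded to concrete suites the way real OpenSSL does.

```python
"""Model of equal-preference cipher groups (added example, not project code).

Parses an ssl_ciphers string in the patched syntax, where "[a|b|c]" marks
a group of suites the server treats as equally preferred, and simulates
the negotiation rule: the server walks its list in order, but inside a
bracketed group the client's own ordering decides which member is chosen.

Constructed simplifications: OpenSSL selector tokens such as
"ECDHE+AES128" are kept as opaque strings (real OpenSSL expands them to
concrete suites), and the client offer lists below are made up.
"""
from typing import List, Optional

# The directive the commit message tells you to set (copied from the page).
PAGE_SPEC = (
    "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|"
    "ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]:"
    "ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES"
)


def parse_cipher_groups(spec: str) -> List[List[str]]:
    """Split a cipher spec into ordered groups; a bare token is a group of one."""
    groups: List[List[str]] = []
    i, n = 0, len(spec)
    while i < n:
        if spec[i] == "[":
            close = spec.find("]", i)
            if close == -1:
                raise ValueError("unterminated '[' in cipher spec")
            members = [m for m in spec[i + 1:close].split("|") if m]
            if not members:
                raise ValueError("empty cipher group")
            groups.append(members)
            i = close + 1
        else:
            nxt = spec.find(":", i)
            if nxt == -1:
                nxt = n
            token = spec[i:nxt]
            if token:
                groups.append([token])
            i = nxt
        # Skip the ':' separator between entries, if present.
        if i < n and spec[i] == ":":
            i += 1
    return groups


def select_cipher(server_spec: str, client_offer: List[str]) -> Optional[str]:
    """Patched behaviour: server order between groups, client order within one."""
    client_rank = {suite: pos for pos, suite in enumerate(client_offer)}
    for group in parse_cipher_groups(server_spec):
        shared = [s for s in group if s in client_rank]
        if shared:
            # A singleton group degenerates to plain server preference.
            return min(shared, key=client_rank.__getitem__)
    return None


def select_cipher_server_only(server_spec: str, client_offer: List[str]) -> Optional[str]:
    """Baseline without the patch: the group is just a flat server-ordered list."""
    offered = set(client_offer)
    for group in parse_cipher_groups(server_spec):
        for suite in group:
            if suite in offered:
                return suite
    return None


# Constructed client offers: a desktop with AES-NI puts AES-GCM first,
# a phone without it puts ChaCha20 first.
AESNI_CLIENT = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES256-GCM-SHA384",
]
NO_AESNI_CLIENT = [
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
]

if __name__ == "__main__":
    for name, offer in (("AES-NI client", AESNI_CLIENT),
                        ("no-AES-NI client", NO_AESNI_CLIENT)):
        print(f"{name}: grouped -> {select_cipher(PAGE_SPEC, offer)}, "
              f"flat server preference -> {select_cipher_server_only(PAGE_SPEC, offer)}")
```

The contrast to look at is the no-AES-NI client: with a flat server-preferred list it is forced onto AES-GCM because that suite comes first in the server's order, while with the group it gets ChaCha20-Poly1305 as it asked for. Outside the group the server's order still wins, which is why the tail of the directive (AES256, 3DES) is left ungrouped.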
     