
Master Branch add optional OpenSSL 1.1.0g patch for Cloudflare Equal Cipher Prefere…

Discussion in 'Centmin Mod Github Commits' started by eva2000, Jan 9, 2018.

    eva2000 Administrator Staff Member
    add optional OpenSSL 1.1.0g patch for Cloudflare Equal Cipher Preference Groups

    - for 64bit systems only as a lot of Cloudflare patches only work on 64bit cpus
    - when Nginx is recompiled via centmin.sh menu option 4 with prior persistent config file /etc/centminmod/custom_config.inc set variables, LIBRESSL_SWITCH='y', OPENSSLEQUALCIPHER_PATCH='y' and OpenSSL version used is 1.1.0g, then OpenSSL 1.1.0g is patched for Cloudflare backported Equal Cipher Preference Groups patch which originally is a BoringSSL feature not available in OpenSSL. Details https://community.centminmod.com/threads/patch-openssl-1-1-equal-preference-groups-of-cipher-suites.12224/
    - this patch allows a server to prefer one of AES-GCM or ChaCha20 ciphers, but to allow the client to pick which one. When coupled with clients that will boost AES-GCM in their preferences when AES-NI is present, this allows us to use AES-GCM when the hardware exists and ChaCha20 otherwise.
    - with this patch enabled, you need to change your Nginx HTTPS vhost config file's ssl_ciphers to the following:

    Code (Text):
    ssl_ciphers '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES';
    



    Centmin Mod Github Master branch

    Master branch is where most recent commits are made as at May 24, 2015.
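The post above describes what an equal preference group does but not how the selection actually plays out. The following is an added example, written for this page and not code from Centmin Mod, Cloudflare or OpenSSL: a small Python model of server-side cipher selection where the server list may contain `[A|B]` groups in the syntax of the `ssl_ciphers` line above. It treats each entry as a literal suite name (OpenSSL aliases such as `ECDHE+AES128` are not expanded, an assumption made to keep the parser short), assumes server-order selection as with `ssl_prefer_server_ciphers on`, and uses constructed client offers for a desktop with AES-NI and a phone without it.

```python
# Added example (not Centmin Mod, Cloudflare or OpenSSL code): a model of how a
# server picks a cipher suite when its preference list contains equal
# preference groups written as [A|B|C]. Entries are treated as literal suite
# names; OpenSSL aliases such as ECDHE+AES128 are NOT expanded (assumption).
from typing import List, Optional, Sequence


def parse_cipher_list(spec: str) -> List[List[str]]:
    """Split an OpenSSL-style list on ':'; a [A|B] entry becomes one group
    whose members the server ranks equally."""
    groups: List[List[str]] = []
    for entry in spec.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        if entry.startswith("[") and entry.endswith("]"):
            members = [m.strip() for m in entry[1:-1].split("|") if m.strip()]
            if not members:
                raise ValueError("empty equal-preference group")
            groups.append(members)
        else:
            groups.append([entry])
    return groups


def select_cipher(server_spec: str, client_offer: Sequence[str]) -> Optional[str]:
    """Server-preference selection (as with ssl_prefer_server_ciphers on):
    walk the server's groups in order and stop at the first group the client
    supports. A single-entry group is just that suite; inside a multi-entry
    group the client's own ordering decides, which is what lets an AES-NI
    client get AES-GCM and a phone get ChaCha20 from the same config."""
    offered = set(client_offer)
    for group in parse_cipher_list(server_spec):
        if len(group) == 1:
            if group[0] in offered:
                return group[0]
            continue
        members = set(group)
        for suite in client_offer:  # client order wins inside the group
            if suite in members:
                return suite
    return None


AES_GCM = "ECDHE-ECDSA-AES128-GCM-SHA256"
CHACHA = "ECDHE-ECDSA-CHACHA20-POLY1305"
AES256 = "ECDHE-ECDSA-AES256-GCM-SHA384"

# Constructed server lists: one with the group and a lower-priority fallback,
# and the same suites as a flat list with plain server preference.
GROUPED = f"[{AES_GCM}|{CHACHA}]:{AES256}"
FLAT = f"{AES_GCM}:{CHACHA}:{AES256}"

# Constructed client offers: a desktop with AES-NI lists AES-GCM first,
# a phone without AES-NI lists ChaCha20 first, an old client has only AES256.
DESKTOP_OFFER = [AES_GCM, CHACHA, AES256]
PHONE_OFFER = [CHACHA, AES_GCM, AES256]
OLD_CLIENT_OFFER = [AES256]


def demo() -> dict:
    """Return the chosen suite for each server list / client pairing."""
    return {
        "grouped/desktop": select_cipher(GROUPED, DESKTOP_OFFER),
        "grouped/phone": select_cipher(GROUPED, PHONE_OFFER),
        "flat/phone": select_cipher(FLAT, PHONE_OFFER),
        "grouped/old": select_cipher(GROUPED, OLD_CLIENT_OFFER),
    }


if __name__ == "__main__":
    for case, chosen in demo().items():
        print(f"{case:16s} -> {chosen}")
```

The `flat/phone` case is the one to compare against: with a flat list the server forces AES-GCM on the phone even though it asked for ChaCha20 first, while the grouped list lets the phone have ChaCha20 and still gives the desktop AES-GCM. Group order is still the server's: a client that lists AES256 ahead of a group member is given the group member, because the group sits earlier in the server list.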
     