
SSL BoringSSL vs OpenSSL

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Aug 21, 2018.

  1. eva2000

    BoringSSL is Google's forked version of the OpenSSL cryptographic library, and BoringSSL has been used in all Google web site products' TLS stacks since June 2014, including the Google Android OS and Google Chrome. You can find Google's original BoringSSL introduction, dating back to October 2015, at ImperialViolet - BoringSSL. The latest Centmin Mod 123.09beta01's Nginx now supports the BoringSSL crypto library along with LibreSSL and OpenSSL.


    As it relates to Nginx HTTPS, BoringSSL doesn't support OCSP stapling like OpenSSL does. But there are other differences that you can read up on for BoringSSL & OCSP via the following links.
    If folks have more info and/or links to other BoringSSL vs OpenSSL articles, please share them in this thread as well :)
     
    Last edited: Aug 21, 2018
  2. buik

    OCSP stapling is useful when you need to handle billions of website visits, just like Cloudflare. Then you profit with every half percent, and every percent counts.

    But for normal website administrators like us, it has little effect.
    Just like all other performance patches from Cloudflare.
    It is nice to have, but only profitable with millions of visitors.

    I don't get a website faster than 0.2 / 0.3 s.
    OCSP stapling or no OCSP stapling, Cloudflare patches or no Cloudflare patches.
    The biggest bottleneck is the visitor's internet connection.

    You can't just change something about that.
     
    Last edited: Aug 22, 2018
  3. eva2000

    Have you tested the effects of no OCSP stapling on page load speeds over slow 2G and slow 3G mobile connections yet? That's where you probably will get 0.2s to 0.3s faster page loads, which is quite a bit for the target 2-3 second ideal slow 3G pagespeed metric. But it depends on the speed of the OCSP responding server run by the SSL certificate provider's Certificate Authority (CA), i.e. Letsencrypt's OCSP servers.

    FYI, Letsencrypt has one of the fastest OCSP servers around among CA providers, running on the Akamai network = OCSP sites ordered by failures. Sorted by speed, Letsencrypt is around the 8th fastest (minus the first 6 failed ones) = OCSP sites ordered by average total http time

    Top 20 fastest OCSP responders

    [attached image: upload_2018-8-22_3-29-44.png]

    Now that Centmin Mod Nginx has BoringSSL support working, I will be doing page load speed tests for that as well :)
     
    Last edited: Aug 22, 2018
  4. buik

    Not tested, and not necessary, in the sense that a site does not go faster than a maximum of 0.2/0.3 sec. There are no slow 2G and 3G connections here in the country (tested on visitors with New Relic). Moreover, a 4G-compatible device is required for mobile subscriptions over here.
     
  5. eva2000

    True, but it depends on your visitor profile for connection type and geographic location, the speed of the SSL certificate provider's OCSP responding server, and even the web browser used.

    For this forum, my CrUX (Chrome User Experience Report) dashboard shows the majority of my connections are 4G. Though Google partially determines the pagespeed metric for their search algorithm based on 3G mobile profile speeds for your site.

    [attached image: crux-dashboard-090818-03.png]
     
  6. eva2000

    Take the letsencrypt OCSP responder metrics recorded by Netcraft over some select locations - look at the average but also the max total responding times: Performance Report for ocsp.int-x3.letsencrypt.org | Netcraft

    US West/Azure based OCSP responding has an average total response time of 0.040 seconds but a max of 5.628 seconds. Though most other listed locations have a max of between 0.2 to 0.4 seconds total response time.

    [attached image: upload_2018-8-22_3-48-29.png]

    That would give you a rough idea of response times for similar connection speeds to the OCSP responder for letsencrypt, so quite fast. And like you said, negligible for most folks.
     
  7. eva2000

    Another item to consider is the OCSP Must Staple security feature, if you want to further secure your site: OCSP Must-Staple
    Yes, most sites won't need OCSP Must Staple though, and don't use it anyway. Centmin Mod's Letsencrypt automation doesn't use OCSP Must Staple - though I plan to add optional support for it.
     
  8. rdan

  9. eva2000

    With a Centmin Mod Nginx HTTPS vhost set with
    Code (Text):
    ssl_prefer_server_ciphers   on;
    

    Looks like even without specifying TLS 1.3-specific ssl_ciphers, BoringSSL will use TLS 1.3 ssl_ciphers out of the box. OpenSSL 1.1.1 doesn't seem to do that and requires specifying TLS 1.3 ciphers in the ssl_ciphers listing in the Nginx HTTPS vhost.
     
  10. buik

    I don't know how Google determines this because their algorithm is secret.
    What I do know is that Google is not a fan of OCSP stapling, as they removed it from their own BoringSSL.
    When using Boring, I do not notice that sites are falling in ranking; they only come higher.

    Brings me to my conclusion that I can spend my time better on creating new content than testing Nginx over and over again with new patches which give a 0.0.1 percent speed gain.
     
  11. eva2000

    True, though you only need patching with BoringSSL, while OpenSSL won't need patching :)

    To each their own choices :)
     
  12. buik

    BoringSSL won't need manual patching or scripting.
    Using Google's Bazel.
     
  13. eva2000

    I mean, if you want OCSP, there's no need to patch OpenSSL as it's supported, but you need to patch BoringSSL for OCSP.