
Nginx SSL Centmin Mod Nginx LibreSSL & OpenSSL Support in 123.09beta01+

Discussion in 'Centmin Mod Insights' started by eva2000, Apr 5, 2017.

Thread Status:
Not open for further replies.
  1. eva2000

    eva2000 Administrator Staff Member
    Centmin Mod 123.09beta01's Nginx defaults to the OpenSSL 1.1.0 branch but can optionally switch to LibreSSL or newer via LIBRESSL_SWITCH='n' set in the persistent config file /etc/centminmod/custom_config.inc.

    In the persistent config file /etc/centminmod/custom_config.inc, set the variables prior to the centmin.sh menu option 4 recompile of Nginx:
    Code:
    LIBRESSL_SWITCH='n'
    
    On CentOS 7 with a Centmin Mod 123.09beta01 build.

    Don't like compiling Nginx with the clang compiler and want to use the GCC default? Just set CLANG='n' in the persistent config file prior to the centmin.sh menu option 4 recompile of Nginx:
    Code:
    LIBRESSL_SWITCH='n'
    CLANG='n'
    
    Don't like compiling Nginx with the CentOS 7 default GCC 4.8.5 version and want to use the newer GCC 5.3.1 compiler, as you have newer Intel CPUs and want to take advantage of further Intel optimised compiler flags? Just set CLANG='n' & NGINX_DEVTOOLSETGCC='y' in the persistent config file prior to the centmin.sh menu option 4 recompile of Nginx:
    Code:
    LIBRESSL_SWITCH='n'
    CLANG='n'
    NGINX_DEVTOOLSETGCC='y'
    
    Don't like compiling Nginx with the CentOS 7 default GCC 4.8.5 version or GCC 5.3.1 and want to use the newer GCC 6.2.1 compiler, as you have newer Intel CPUs and want to take advantage of further Intel optimised compiler flags? Just set CLANG='n' & NGINX_DEVTOOLSETGCC='y' & DEVTOOLSETSIX='y' in the persistent config file prior to the centmin.sh menu option 4 recompile of Nginx:
    Code:
    LIBRESSL_SWITCH='n'
    CLANG='n'
    NGINX_DEVTOOLSETGCC='y'
    DEVTOOLSETSIX='y'
    
    Currently working on GCC 7.x support too. Update: added GCC 7.2 & Clang 4 support now.

    Thanks to Akamai sponsoring OpenSSL, we should have OpenSSL 1.1.0 with TLS v1.3 support sooner rather than later too: Security - WebPerf - Akamai Sponsors OpenSSL TLS 1.3 Development

    Testing out OpenSSL 1.1.0 with TLS v1.3 draft 18:
    Code:
    openssl ciphers -V "ALL:COMPLEMENTOFALL" | grep TLSv1.3
             0x13,0x02 - TLS13-AES-256-GCM-SHA384 TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
             0x13,0x03 - TLS13-CHACHA20-POLY1305-SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
             0x13,0x01 - TLS13-AES-128-GCM-SHA256 TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
             0x13,0x05 - TLS13-AES-128-CCM-8-SHA256 TLSv1.3 Kx=any      Au=any  Enc=AESCCM8(128) Mac=AEAD
             0x13,0x04 - TLS13-AES-128-CCM-SHA256 TLSv1.3 Kx=any      Au=any  Enc=AESCCM(128) Mac=AEAD
    
    Edit: also Clang 4.0.1 and Clang 5.0.0 support.
     
    Last edited: Aug 16, 2018
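    The post above sets one switch after another in /etc/centminmod/custom_config.inc before each menu option 4 recompile. Because that file is sourced as shell, two definitions of the same variable leave the last one winning silently, which is an easy way to end up with a build that is not the one you thought you configured. The helper below is an added example, not Centmin Mod's own code: set_cmm_var, get_cmm_var, unset_cmm_var and show_switches are hypothetical names, and the only thing taken from the thread is the KEY='value' file format and the switch names. Every function takes the file path explicitly so it can be tried on a scratch copy first.

```shell
#!/bin/sh
# Added example (not Centmin Mod's own code): idempotent editing of a
# KEY='value' persistent config file such as /etc/centminmod/custom_config.inc.

# set_cmm_var FILE KEY VALUE
# Replaces any earlier definition of KEY, active or commented out, with a
# single KEY='VALUE' line, so repeated runs never leave two conflicting lines.
set_cmm_var() {
  file="$1"; key="$2"; value="$3"
  # Only shell-variable style keys are accepted, so the grep pattern below
  # cannot be turned into something unexpected by a stray character.
  case "$key" in
    ''|*[!A-Z0-9_]*) echo "invalid key: $key" >&2; return 1 ;;
  esac
  # Values are single-quoted in the file; a quote inside would break sourcing.
  case "$value" in
    *"'"*) echo "value must not contain a single quote" >&2; return 1 ;;
  esac
  [ -f "$file" ] || : > "$file"
  tmp="$file.tmp.$$"
  # Drop previous definitions (with or without a leading '#'), then append.
  grep -v "^[[:space:]]*#*[[:space:]]*${key}=" "$file" > "$tmp" || true
  printf "%s='%s'\n" "$key" "$value" >> "$tmp"
  mv "$tmp" "$file"
}

# get_cmm_var FILE KEY
# Prints the value of the last active (uncommented) definition, which is what
# a shell sourcing the file would see, or nothing if KEY is unset.
get_cmm_var() {
  grep "^[[:space:]]*$2=" "$1" 2>/dev/null | tail -n 1 \
    | sed "s/^[^=]*=//; s/^'//; s/'\$//"
}

# unset_cmm_var FILE KEY
# Comments the definition out rather than deleting it, keeping a record of
# what the previous build used.
unset_cmm_var() {
  sed "s/^[[:space:]]*\($2=\)/#\1/" "$1" > "$1.tmp.$$" && mv "$1.tmp.$$" "$1"
}

# show_switches FILE
# Reports the switches named in this thread so the effective build selection
# can be reviewed before running centmin.sh menu option 4.
show_switches() {
  for k in LIBRESSL_SWITCH BORINGSSL_SWITCH OPENSSL_VERSION TLSONETHREE \
           CLANG NGINX_DEVTOOLSETGCC DEVTOOLSETSIX; do
    printf '%s=%s\n' "$k" "$(get_cmm_var "$1" "$k")"
  done
}

# Usage against a scratch copy (assumed path; the real file is the one named
# in the thread):
#   cp /etc/centminmod/custom_config.inc /tmp/custom_config.inc
#   set_cmm_var /tmp/custom_config.inc CLANG n
#   set_cmm_var /tmp/custom_config.inc NGINX_DEVTOOLSETGCC y
#   show_switches /tmp/custom_config.inc
```

    Running show_switches on the real file before every recompile is a cheap check that the variables you believe are set are the ones the build will read.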
  2. eva2000

    eva2000 Administrator Staff Member
    Update: the above instructions no longer need to set OPENSSL_VERSION='1.1.0e' specifically, as Centmin Mod 123.09beta01 now defaults to OPENSSL_VERSION='1.1.0f' or the latest at the time if LIBRESSL_SWITCH='n' is set.
     
  3. eva2000

    eva2000 Administrator Staff Member
    The latest Centmin Mod 123.09beta01's Nginx now supports the BoringSSL crypto library along with LibreSSL and OpenSSL :)

    I wrote a new tools/nginx-binary-backup.sh script which can also back up and restore your Nginx binary/module states, so you can more easily switch between them for testing as well, thus saving you time beyond the initial Nginx compile for each version via centmin.sh menu option 4.
    Code (Text):
    ./nginx-binary-backup.sh backup                          
    --------------------------------------------------------
    backup current Nginx binary and dynamic modules
    --------------------------------------------------------
    backup started...
    --------------------------------------------------------
    /home/backup-nginxbin/1.15.3-gcc-8.2.1-20180817-openssl-1.1.1-pre9-dev-190818-203420
    +-- bin
    |   +-- nginx
    +-- dynamic-modules.conf
    +-- dynamic-modules-includes.conf
    +-- modules
       +-- ndk_http_module.so
       +-- ngx_http_brotli_filter_module.so
       +-- ngx_http_brotli_static_module.so
       +-- ngx_http_echo_module.so
       +-- ngx_http_fancyindex_module.so
       +-- ngx_http_headers_more_filter_module.so
       +-- ngx_http_image_filter_module.so
       +-- ngx_http_modsecurity_module.so
       +-- ngx_http_set_misc_module.so
       +-- ngx_http_vhost_traffic_status_module.so
       +-- ngx_stream_module.so
    
    2 directories, 14 files
    backup finished...
    --------------------------------------------------------
    backup created at /home/backup-nginxbin/1.15.3-gcc-8.2.1-20180817-openssl-1.1.1-pre9-dev-190818-203420
    --------------------------------------------------------
    

    With LibreSSL 2.7.4

    In the persistent config file /etc/centminmod/custom_config.inc, set prior to centmin.sh menu option 4 Nginx compiles:
    Code (Text):
    LIBRESSL_SWITCH='n'
    

    With OpenSSL 1.1.0i

    No persistent config file /etc/centminmod/custom_config.inc settings are needed prior to centmin.sh menu option 4 Nginx compiles, as the current default for Centmin Mod 123.09beta01 is to use the latest OpenSSL 1.1.0* version with Nginx.

    With OpenSSL 1.1.1-dev9 TLS 1.3 support

    For OpenSSL 1.1.1 latest github master branch dev testing (TLSONETHREE='y'), or for the official OpenSSL 1.1.1 GA stable release (OPENSSL_VERSION='1.1.1'), set in the persistent config file /etc/centminmod/custom_config.inc prior to centmin.sh menu option 4 Nginx compiles:
    Code (Text):
    OPENSSL_VERSION='1.1.1'
    #TLSONETHREE='y'
    

    Only used for testing; once OpenSSL 1.1.1 final is out, 123.09beta01's Nginx will switch from OpenSSL 1.1.0* to 1.1.1*.

    OpenSSL 1.1.1 GA stable
    Master branch

    With BoringSSL TLS 1.3 supported

    You'd want to be on Nginx 1.15.3+, which is only available on Nginx mainline. Set in the persistent config file /etc/centminmod/custom_config.inc prior to centmin.sh menu option 4 Nginx compiles, and when prompted for the nginx version:
    Code (Text):
    BORINGSSL_SWITCH='y'
    

    Note: with BoringSSL, OCSP stapling isn't supported, so nginx config tests will show
    Code (Text):
    nginx -t
    nginx: [warn] "ssl_stapling" ignored, not supported
    nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
    

    You can ignore that warning, or edit each of your Nginx vhosts and comment out the ssl_stapling related directives. DO NOT DELETE them; just comment them out with a hash # in front, as when you switch to LibreSSL or OpenSSL based Nginx you want to re-enable ssl_stapling.
     
    Last edited: Sep 12, 2018
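    The post above describes switching between BoringSSL, LibreSSL and OpenSSL builds and commenting out (never deleting) ssl_stapling directives while on BoringSSL. Doing that by hand across many vhosts is error-prone in both directions: a directive left active under BoringSSL only produces the warning shown, but a directive forgotten in its commented state after switching back to OpenSSL silently loses OCSP stapling. The script below is an added example, not Centmin Mod's own tooling: ssl_lib_from_nginx_v, disable_stapling, enable_stapling, count_active_stapling and sync_stapling are hypothetical names, the vhost fragment and `nginx -V` text are constructed samples, and the marker `#boringssl#` is an assumption chosen so that only lines this script commented out get re-enabled, leaving an admin's own `#` comments untouched.

```shell
#!/bin/sh
# Added example (not Centmin Mod's own script): detect which crypto library an
# nginx binary was built against and comment out / re-enable ssl_stapling*
# directives in vhost files accordingly. Lines are commented with a marker,
# never deleted, so a later switch back to OpenSSL/LibreSSL restores them.

MARK='#boringssl# '   # assumed marker; nginx treats '#' to end of line as comment

# Classify `nginx -V` text read from stdin. nginx reports the library on its
# "built with ..." line; BoringSSL builds identify themselves as
# "OpenSSL x.y.z (compatible; BoringSSL)".
ssl_lib_from_nginx_v() {
  text=$(cat)
  case "$text" in
    *BoringSSL*)            echo boringssl ;;
    *LibreSSL*)             echo libressl ;;
    *"built with OpenSSL"*) echo openssl ;;
    *)                      echo unknown ;;
  esac
}

# Classify the installed binary (nginx -V prints to stderr).
installed_nginx_ssl_lib() {
  nginx -V 2>&1 | ssl_lib_from_nginx_v
}

# Comment out active ssl_stapling* directives in FILE. Idempotent: a line
# already carrying the marker starts with '#' and no longer matches.
disable_stapling() {
  sed "s/^\([[:space:]]*\)\(ssl_stapling[a-z_]*[[:space:]]\)/\1${MARK}\2/" "$1" \
    > "$1.tmp.$$" && mv "$1.tmp.$$" "$1"
}

# Re-enable only the directives this script commented out (marker present).
enable_stapling() {
  sed "s/^\([[:space:]]*\)${MARK}\(ssl_stapling\)/\1\2/" "$1" \
    > "$1.tmp.$$" && mv "$1.tmp.$$" "$1"
}

# Number of active (uncommented) ssl_stapling* directives in FILE.
count_active_stapling() {
  grep -c '^[[:space:]]*ssl_stapling' "$1" || true
}

# sync_stapling DIR LIB: apply the right mode for LIB to every *.conf in DIR.
sync_stapling() {
  dir="$1"; lib="$2"
  for f in "$dir"/*.conf; do
    [ -f "$f" ] || continue
    if [ "$lib" = boringssl ]; then disable_stapling "$f"; else enable_stapling "$f"; fi
  done
}

# Constructed vhost fragment for trying the functions out offline. The last
# line is an admin's own comment and must survive enable_stapling unchanged.
write_sample_vhost() {
  cat > "$1" <<'EOF'
server {
    listen 443 ssl http2;
    ssl_certificate /usr/local/nginx/conf/ssl/example/example.crt;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 valid=10m;
    # ssl_stapling_responder http://ocsp.example.invalid/;
}
EOF
}

# Constructed `nginx -V` output for a BoringSSL build.
sample_nginx_v_boringssl() {
  printf '%s\n' 'nginx version: nginx/1.15.3' 'built by clang 5.0.0' \
    'built with OpenSSL 1.1.1 (compatible; BoringSSL)' 'TLS SNI support enabled'
}

# Usage on a live system (assumed vhost directory):
#   sync_stapling /usr/local/nginx/conf/conf.d "$(installed_nginx_ssl_lib)" && nginx -t
```

    Run nginx -t after syncing, as the post does: under BoringSSL the "ssl_stapling" warning should disappear, and after switching back to OpenSSL or LibreSSL the count of active directives should return to what it was before.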