Nginx SSL Centmin Mod Nginx LibreSSL & OpenSSL Support in 123.09beta01+

Discussion in 'Centmin Mod Insights' started by eva2000, Apr 5, 2017.

Thread Status:
Not open for further replies.
  1. eva2000

    eva2000 Administrator Staff Member

    Centmin Mod 123.09beta01's Nginx defaults to LibreSSL 2.4 LibreSSL 2.5 branch, but can optionally switch to OpenSSL 1.0.2k or newer via the LIBRESSL_SWITCH='n' variable set in the persistent config file /etc/centminmod/custom_config.inc, or define the OPENSSL_VERSION override variable for OpenSSL 1.1.0e to switch from LibreSSL 2.4 to the OpenSSL 1.1 branch.

    In the persistent config file /etc/centminmod/custom_config.inc, set the variables prior to the centmin.sh menu option 4 recompile of Nginx:
    Code:
    OPENSSL_VERSION='1.1.0e'
    LIBRESSL_SWITCH='n'
    
    on CentOS 7 with Centmin Mod 123.09beta01 build
    Don't like compiling Nginx with the clang compiler and want to use the default GCC? Just set CLANG='n' in the persistent config file prior to the centmin.sh menu option 4 recompile of Nginx.
    Code:
    OPENSSL_VERSION='1.1.0e'
    LIBRESSL_SWITCH='n'
    CLANG='n'
    
    Don't like compiling Nginx with the CentOS 7 default GCC 4.8.5 version and want to use the newer GCC 5.3.1 compiler, as you have newer Intel CPUs and want to take advantage of further Intel optimised compiler flags? Just set CLANG='n' & NGINX_DEVTOOLSETGCC='y' in the persistent config file prior to the centmin.sh menu option 4 recompile of Nginx.
    Code:
    OPENSSL_VERSION='1.1.0e'
    LIBRESSL_SWITCH='n'
    CLANG='n'
    NGINX_DEVTOOLSETGCC='y'
    
    Don't like compiling Nginx with the CentOS 7 default GCC 4.8.5 version or GCC 5.3.1 and want to use the newer GCC 6.2.1 compiler, as you have newer Intel CPUs and want to take advantage of further Intel optimised compiler flags? Just set CLANG='n' & NGINX_DEVTOOLSETGCC='y' & DEVTOOLSETSIX='y' in the persistent config file prior to the centmin.sh menu option 4 recompile of Nginx.
    Code:
    OPENSSL_VERSION='1.1.0e'
    LIBRESSL_SWITCH='n'
    CLANG='n'
    NGINX_DEVTOOLSETGCC='y'
    DEVTOOLSETSIX='y'
    
    Currently, working on GCC 7.x support too.

    Thanks to Akamai sponsoring OpenSSL, we should have OpenSSL 1.1.0 with TLS v1.3 support sooner rather than later too: Security - WebPerf - Akamai Sponsors OpenSSL TLS 1.3 Development

    Testing out OpenSSL 1.1.0 with TLS v1.3 draft 18
    Code:
    openssl ciphers -V "ALL:COMPLEMENTOFALL" | grep TLSv1.3
             0x13,0x02 - TLS13-AES-256-GCM-SHA384 TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
             0x13,0x03 - TLS13-CHACHA20-POLY1305-SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
             0x13,0x01 - TLS13-AES-128-GCM-SHA256 TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
             0x13,0x05 - TLS13-AES-128-CCM-8-SHA256 TLSv1.3 Kx=any      Au=any  Enc=AESCCM8(128) Mac=AEAD
             0x13,0x04 - TLS13-AES-128-CCM-SHA256 TLSv1.3 Kx=any      Au=any  Enc=AESCCM(128) Mac=AEAD
    
    edit: and Clang 4.0.1 and Clang 5.0.0 support
     
    Last edited: Apr 23, 2017
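After a menu option 4 recompile, it is worth confirming that the Nginx binary was actually built against the SSL library the persistent config asks for. The script below is an added example, not code from the post or from Centmin Mod: the function names are hypothetical, the sample inputs are constructed, and it assumes the single-quoted `VAR='value'` assignments shown in the post and the `built with OpenSSL/LibreSSL ...` line that `nginx -V` prints.

```shell
#!/bin/sh
# Added example (not Centmin Mod code): compare the SSL library requested in
# custom_config.inc-style text with what an Nginx binary reports in `nginx -V`.

# expected_ssl CONFIG_TEXT -> "openssl <version>", "openssl default" or "libressl"
expected_ssl() {
  # Last assignment wins, as it would if the file were sourced by a shell.
  switch=$(printf '%s\n' "$1" | sed -n "s/^LIBRESSL_SWITCH='\([yn]\)'.*/\1/p" | tail -n 1)
  ver=$(printf '%s\n' "$1" | sed -n "s/^OPENSSL_VERSION='\([^']*\)'.*/\1/p" | tail -n 1)
  if [ "$switch" = "n" ]; then
    printf 'openssl %s\n' "${ver:-default}"
  else
    printf 'libressl\n'   # the post says LibreSSL is the default
  fi
}

# built_ssl NGINX_V_TEXT -> e.g. "openssl 1.1.0e", "libressl 2.5.2", or "unknown"
built_ssl() {
  printf '%s\n' "$1" | awk '
    /^built with (OpenSSL|LibreSSL) / { print tolower($3), $4; found = 1; exit }
    END { if (!found) print "unknown" }'
}

# check_build CONFIG_TEXT NGINX_V_TEXT -> prints a verdict; returns 1 on mismatch
check_build() {
  want=$(expected_ssl "$1"); have=$(built_ssl "$2")
  case "$want" in
    libressl)          pattern='libressl *' ;;   # any LibreSSL version
    'openssl default') pattern='openssl *' ;;    # no OPENSSL_VERSION override
    *)                 pattern=$want ;;          # exact OpenSSL version
  esac
  case "$have" in
    $pattern) echo "MATCH: binary built with $have" ;;
    *) echo "MISMATCH: config asks for $want, binary built with $have"; return 1 ;;
  esac
}

# Constructed sample inputs (not output captured from a real server).
SAMPLE_CONFIG="OPENSSL_VERSION='1.1.0e'
LIBRESSL_SWITCH='n'
CLANG='n'"
SAMPLE_NGINX_V="nginx version: nginx/1.13.0
built with OpenSSL 1.1.0e  16 Feb 2017"
SAMPLE_STALE_V="nginx version: nginx/1.13.0
built with LibreSSL 2.5.2"

check_build "$SAMPLE_CONFIG" "$SAMPLE_NGINX_V"
check_build "$SAMPLE_CONFIG" "$SAMPLE_STALE_V" || true
```

On a live host the two arguments would be the contents of /etc/centminmod/custom_config.inc and the output of `nginx -V 2>&1`, since Nginx writes its build information to stderr.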