
Featured Nginx Centmin Mod Nginx VHOST SPDY SSL Generator testing

Discussion in 'Beta release code' started by eva2000, Jul 31, 2014.

  1. eva2000

    eva2000 Administrator Staff Member
    Working on an improved Centmin Mod Nginx Add Vhost function which can generate both http and https (SPDY SSL) Nginx vhosts.

    RSA 2048 bit vs ECC 256 bit

    The new function can also auto generate the SSL CSR Code based on either the standard RSA 2048 bit keys or on the newer more performant ECC 256 bit keys (equivalent to RSA 3072 bit) as well as auto generate self-signed SSL certificates for test usage as well.

    ECC = Elliptic Curve Cryptography. ECC key based has smaller key sizes, more secure and can offer between 10-20x faster signing performance. ECC 256 bit key is equivalent to an RSA 3072 bit key. ECC key based CSR Code NEEDS an SSL certificate which supports ECC. However, not all SSL certificates support ECC key based generated CSR Codes. Some browsers may also NOT support ECC.


    Please consult with your SSL certificate provider or if unsure, choose the standard RSA 2048 bit key based CSR Code method. More info on ECC at A (Relatively Easy To Understand) Primer on Elliptic Curve Cryptography and CA Security Council | Benefits of Elliptic Curve Cryptography

    Note from Cloudflare regarding ECC needing good source of entropy to ensure randomness.
    Centmin Mod .07 stable release and higher solves this by increasing entropy pool via haveged. See inc/entropy.inc include file. More on entropy pool here. Also if you are using the new Intel Ivy Bridge based processors, you'll also have a hardware implementation for generating more randomness called Secure Key (wikipedia).
    Code:
    cat /dev/random | rngtest -c 1000
    rngtest 2
    Copyright (c) 2004 by Henrique de Moraes Holschuh
    This is free software; see the source for copying conditions.  There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    
    rngtest: starting FIPS tests...
    rngtest: bits received from input: 20000032
    rngtest: FIPS 140-2 successes: 1000
    rngtest: FIPS 140-2 failures: 0
    rngtest: FIPS 140-2(2001-10-10) Monobit: 0
    rngtest: FIPS 140-2(2001-10-10) Poker: 0
    rngtest: FIPS 140-2(2001-10-10) Runs: 0
    rngtest: FIPS 140-2(2001-10-10) Long run: 0
    rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
    rngtest: input channel speed: (min=490.575; avg=15687.512; max=9765625.000)Kibits/s
    rngtest: FIPS tests speed: (min=13.752; avg=160.233; max=9536.743)Mibits/s
    rngtest: Program run time: 1383087 microseconds
    
    Code:
    cat /proc/sys/kernel/random/entropy_avail
    3961
    
    Bit of discussion of what entropy_avail indicates at here.
    RSA 2048 bit vs ECC 256 bit Benchmarks

    Example tested on 512MB KVM RamNode VPS with 2 cpu cores with Centmin Mod Nginx web stack installed. ECC 256 bit (ECDSA) signs per second: 6,453 sign/s vs RSA 2048 bit (RSA) 610 sign/s = ECC 256 bit is 10.5x faster than RSA.

    Code:
    rsa 2048 bits 0.001638s 0.000050s    610.4  19826.5
    256 bit ecdsa (nistp256)  0.0002s  0.0006s  6453.3  1805.5
    Full results
    Code:
    openssl speed rsa
    
                      sign    verify    sign/s verify/s
    rsa  512 bits 0.000071s 0.000006s  14035.5 169609.7
    rsa 1024 bits 0.000278s 0.000016s   3595.2  63880.8
    rsa 2048 bits 0.001638s 0.000050s    610.4  19826.5
    rsa 4096 bits 0.011912s 0.000191s     84.0   5247.4
    
    Code:
    openssl speed ecdsa
    
                                  sign    verify    sign/s verify/s
    256 bit ecdsa (nistp256)   0.0002s   0.0006s   6453.3   1805.5
    384 bit ecdsa (nistp384)   0.0003s   0.0012s   3596.1    840.6
    521 bit ecdsa (nistp521)   0.0005s   0.0027s   1851.1    371.6
    Manual work still required

    This will take part of the manual work out of the Nginx SPDY SSL setup process outlined at Nginx HTTPS / SSL Google SPDY configuration. However, for paid commercial SSL certificates, you would still need to manually submit the CSR Code, i.e. domain1.csr, to your SSL certificate provider when you purchase your SSL certificate and set up the domain1.com-trusted.crt and domain1.com-unified.crt files as outlined at Nginx HTTPS / SSL Google SPDY configuration.

    Here's a sample of the nginxssl_gen.sh standalone test Nginx vhost script adding domain1.com to an existing Centmin Mod installation.

    Code:
    ./nginxssl_gen.sh                      
    
    ---------------------------------------------
    Enter vhost domain name you want to add (without www. prefix): domain1.com
    Do you want to setup an Nginx SSL SPDY Vhost https:// based domain? [y/n] y
    Do you want to auto generate the CSR Code (Certificate Signing Request)? [y/n] y
    Auto generate self-signed SSL certificate (y) or setup a purchased SSL Certifcate [n] ? [y/n] y
    ----------------------------------------------------------------------
    There are types of CSR Codes you can generate
    1). The standard RSA 2048 bit key based CSR Code
    2). The newer performant ECC 256bit key based CSR Code
    ----------------------------------------------------------------------
      ECC = Elliptic Curve Cryptography
      ECC key based has smaller key sizes, more secure etc
      ECC 256bit key is equivalent to a RSA 3072bit key
      ECC key based CSR Code NEEDS a SSL certificate which
      supports ECC however not all SSL certificates support
      ECC key based generated CSR Codes. Some browsers may
      also NOT support ECC.
    
      Please consult with your SSL certificate provider or
      if unsure, choose the standard RSA 2048 bit key
      based CSR Code method.
    
      Do you want to generate a ECC 256 bit key based CSR Code?
      Answer = y for ECC or = n for standard RSA key based [y/n] y
    ----------------------------------------------------------------------
    
    ----------------------------------------------------------------------
      Generating private key and CSR Code files
      will require user input...
    
          openssl ecparam -list_curves
          openssl ecparam -out domain1.com.key -name prime256v1 -genkey
          openssl req -new -sha256 -key domain1.com.key -nodes -out domain1.com.csr
    
      secp384r1 : NIST/SECG curve over a 384 bit prime field
      prime256v1: X9.62/SECG curve over a 256 bit prime field
    
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:AU
    State or Province Name (full name) []:QLD
    Locality Name (eg, city) [Default City]:BRISBANE
    Organization Name (eg, company) [Default Company Ltd]:domain1.com
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:domain1.com
    Email Address []:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
      self-signed crt generation option:
      openssl x509 -req -days 36500 -in domain1.com.csr -signkey domain1.com.key -out domain1.com.crt
    Signature ok
    subject=/C=AU/ST=QLD/L=BRISBANE/O=domain1.com/CN=domain1.com
    Getting Private key
    openssl s_client -connect domain1.com:443 -tls1_2 -tlsextdebug -status
    CONNECTED(00000003)
    TLS server extension "renegotiation info" (id=65281), len=1
    0001 - <SPACES/NULS>
    TLS server extension "EC point formats" (id=11), len=4
    0000 - 03 00 01 02                                       ....
    TLS server extension "session ticket" (id=35), len=0
    TLS server extension "heartbeat" (id=15), len=1
    0000 - 01                                                .
    OCSP response: no response sent
    depth=0 C = AU, ST = QLD, L = BRISBANE, O = domain1.com, CN = domain1.com
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 C = AU, ST = QLD, L = BRISBANE, O = domain1.com, CN = domain1.com
    verify return:1
    ---
    Certificate chain
    0 s:/C=AU/ST=QLD/L=BRISBANE/O=domain1.com/CN=domain1.com
       i:/C=AU/ST=QLD/L=BRISBANE/O=domain1.com/CN=domain1.com
    ---
    Server certificate
    subject=/C=AU/ST=QLD/L=BRISBANE/O=domain1.com/CN=domain1.com
    issuer=/C=AU/ST=QLD/L=BRISBANE/O=domain1.com/CN=domain1.com
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 898 bytes and written 398 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
    Server public key is 256 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256
        Session-ID: 9ED9AF993DFD2F7EDF223C46AF12228FC663D09F18CED181E5819E32878829CE
        Session-ID-ctx:
        Master-Key: B3B699B8D9C8FC41BB6703851F3E9738F352A67B1EC294C17C5FAF70D897944C393FCF3B30786D0F6005DDD3580D7E2E
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        TLS session ticket lifetime hint: 86400 (seconds)
        TLS session ticket:
    
        Start Time: 1406802152
        Timeout   : 7200 (sec)
        Verify return code: 18 (self signed certificate)
    ---
    closed
    
    ----------------------------------------------------------------------
      Your private key (domain1.com.key )and CSR code (domain1.com.csr)
      has been generated at:
      /usr/local/nginx/conf/ssl/domain1.com
    total 20K
    drwxr-xr-x 2 root root 4.0K Jul 31 10:22 .
    drwxr-xr-x 3 root root 4.0K Jul 31 10:22 ..
    -rw-r--r-- 1 root root  631 Jul 31 10:22 domain1.com.crt
    -rw-r--r-- 1 root root  452 Jul 31 10:22 domain1.com.csr
    -rw-r--r-- 1 root root  302 Jul 31 10:22 domain1.com.key
    ----------------------------------------------------------------------
    
    
    ---------------------------------------------
    nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
    Reloading nginx:                                           [  OK  ]
    
    ---------------------------------------------
    vhost for domain1.com created successfully
    vhost conf file for domain1.com created: /usr/local/nginx/conf/conf.d/domain1.com.conf
    upload files to /home/nginx/domains/domain1.com/public
    vhost log files directory is /home/nginx/domains/domain1.com/log
    SSL files directory is /usr/local/nginx/conf/ssl/domain1.com
    
    Current vhost listing at: /usr/local/nginx/conf/conf.d/
               
    Jul 23  04:13   798    ssl.conf
    Jul 23  04:13   1.1K   demodomain.com.conf
    Jul 23  04:13   1.4K   virtual.conf
    Jul 31  10:22   2.7K   domain1.com.conf
    ---------------------------------------------
    
    Contents of the Nginx vhost for domain1.com at /usr/local/nginx/conf/conf.d/domain1.com.conf. It's using Mozilla preferred SSL ciphers Security/Server Side TLS - MozillaWiki instead of the Cloudflare RC4 Kill patched OpenSSL version outlined at Nginx - Nginx ssl cipher suite | Centmin Mod Community as there is no guarantee the Cloudflare RC4 Kill patch will work with future OpenSSL released versions right away.
    Code:
    server {
      server_name domain1.com www.domain1.com;
       return 301 https://$server_name$request_uri;
    }
    
    server {
      listen 443 ssl spdy;
      server_name domain1.com www.domain1.com;
    
            add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
            add_header Alternate-Protocol 443:npn-spdy/3;
            ssl_certificate      /usr/local/nginx/conf/ssl/domain1.com/domain1.com.crt;
            ssl_certificate_key  /usr/local/nginx/conf/ssl/domain1.com/domain1.com.key;
            ssl_session_cache      shared:SSL:10m;
            ssl_session_timeout  24h;
    
            ssl_protocols   SSLv3 TLSv1 TLSv1.1 TLSv1.2;
            # mozilla recommended
            ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!kEDH:!EDH:!CAMELLIA;
    
            ssl_prefer_server_ciphers   on;
            spdy_headers_comp 5;
            ssl_buffer_size 1400;
            ssl_session_tickets on;
    
            # enable ocsp stapling
            #resolver 8.8.8.8 8.8.4.4 valid=10m;
            #resolver_timeout 10s;
            #ssl_stapling on;
            #ssl_stapling_verify on;
            #ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain1.com/domain1.com-trusted.crt;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/domain1.com/log/access.log combined buffer=32k;
      error_log /home/nginx/domains/domain1.com/log/error.log;
    
      root /home/nginx/domains/domain1.com/public;
    
      location / {
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Enable for vBulletin usage WITHOUT vbSEO installed
      #try_files    $uri $uri/ /index.php;
    
      }
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
    }
    
    The domain1.com SPDY SSL based setup in Opera 22 browser for ECC 256 bit key based CSR Code self-signed certificate.

    nginxssl_gen_vhost_selfsigned_00.png
    ECC 256 bit = ECDHE_ECDSA. ECDHE stands for Elliptic Curve Diffie Hellman Ephemeral

    nginxssl_gen_vhost_selfsigned_ecckey_00.png
     
    Last edited: Aug 1, 2014
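
The ECC key, CSR and self-signed certificate steps from the sample run above, as an added example (not part of nginxssl_gen.sh or the original post): it runs them non-interactively under `umask 077`, so the private key is created 0600 rather than `-rw-r--r--` as in the listing above, then confirms that the key, CSR and certificate carry the same public key. The domain `example.test`, the temp directory, the 365-day validity, the `-noout`/`-subj` options and all function names are assumptions.

```shell
#!/bin/sh
# Added example: constructed names and values, not Centmin Mod code.

# Generate a P-256 key, CSR and self-signed cert for domain $1 in directory $2.
gen_ecc_csr() {
    domain=$1 dir=$2 days=${3:-365}
    (
        umask 077        # files created in this subshell are 0600, not 0644
        mkdir -p "$dir" && cd "$dir" || exit 1
        openssl ecparam -name prime256v1 -genkey -noout -out "$domain.key" &&
        openssl req -new -sha256 -key "$domain.key" \
            -subj "/C=AU/ST=QLD/L=BRISBANE/O=$domain/CN=$domain" \
            -out "$domain.csr" &&
        openssl x509 -req -sha256 -days "$days" -in "$domain.csr" \
            -signkey "$domain.key" -out "$domain.crt" 2>/dev/null
    )
}

# SHA-256 over the PEM public key held in a .key, .csr or .crt file.
pubkey_fp() {
    case $1 in
        *.key) pem=$(openssl pkey -in "$1" -pubout 2>/dev/null) ;;
        *.csr) pem=$(openssl req  -in "$1" -noout -pubkey 2>/dev/null) ;;
        *.crt) pem=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) ;;
        *) return 1 ;;
    esac
    # An unreadable or malformed file must never hash to a "matching" value.
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only if key, CSR and cert for domain $2 in dir $1 share one key.
keys_match() {
    k=$(pubkey_fp "$1/$2.key") || return 1
    r=$(pubkey_fp "$1/$2.csr") || return 1
    c=$(pubkey_fp "$1/$2.crt") || return 1
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Public key algorithm named in the CSR (id-ecPublicKey for an ECC CSR).
csr_key_algo() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^ *Public Key Algorithm: *//p'
}

# Demo in a throwaway directory; example.test is a constructed domain.
demo() {
    d=$(mktemp -d) || return 1
    gen_ecc_csr example.test "$d" &&
    echo "key mode : $(file_mode "$d/example.test.key")" &&
    echo "csr algo : $(csr_key_algo "$d/example.test.csr")" &&
    keys_match "$d" example.test &&
    echo "key, CSR and certificate share one public key"
    rc=$?
    rm -rf "$d"
    return $rc
}
demo
```

The same `keys_match` check applies when a CA-issued certificate comes back for the submitted CSR: it fails if the returned .crt was issued for a different key than the one on disk.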
  2. eva2000

    For regular standard RSA 2048 bit key generated CSR self-signed SSL certificate

    Code:
    ./nginxssl_gen.sh                                 
    
    ---------------------------------------------
    Enter vhost domain name you want to add (without www. prefix): domain1.com
    Do you want to setup an Nginx SSL SPDY Vhost https:// based domain? [y/n] y
    Do you want to auto generate the CSR Code (Certificate Signing Request)? [y/n] y
    Auto generate self-signed SSL certificate (y) or setup a purchased SSL Certifcate [n] ? [y/n] y
    ----------------------------------------------------------------------
    There are types of CSR Codes you can generate
    1). The standard RSA 2048 bit key based CSR Code
    2). The newer performant ECC 256bit key based CSR Code
    ----------------------------------------------------------------------
      ECC = Elliptic Curve Cryptography
      ECC key based has smaller key sizes, more secure etc
      ECC 256bit key is equivalent to a RSA 3072bit key
      ECC key based CSR Code NEEDS a SSL certificate which
      supports ECC however not all SSL certificates support
      ECC key based generated CSR Codes. Some browsers may
      also NOT support ECC.
    
      Please consult with your SSL certificate provider or
      if unsure, choose the standard RSA 2048 bit key
      based CSR Code method.
    
      Do you want to generate a ECC 256 bit key based CSR Code?
      Answer = y for ECC or = n for standard RSA key based [y/n] n
    ----------------------------------------------------------------------
    
    ----------------------------------------------------------------------
      Generating private key and CSR Code files
      will require user input...
      openssl req -new -newkey rsa:2048 -nodes -out domain1.com.csr -keyout domain1.com.key
    Generating a 2048 bit RSA private key
    .......................................................+++
    .............................................................................................................+++
    writing new private key to 'domain1.com.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:AU
    State or Province Name (full name) []:QLD
    Locality Name (eg, city) [Default City]:BRISBANE
    Organization Name (eg, company) [Default Company Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:domain1.com
    Email Address []:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
      self-signed crt generation option:
      openssl x509 -req -days 36500 -in domain1.com.csr -signkey domain1.com.key -out domain1.com.crt
    Signature ok
    subject=/C=AU/ST=QLD/L=BRISBANE/O=Default Company Ltd/CN=domain1.com
    Getting Private key
    openssl s_client -connect domain1.com:443 -tls1_2 -tlsextdebug -status
    CONNECTED(00000003)
    TLS server extension "renegotiation info" (id=65281), len=1
    0001 - <SPACES/NULS>
    TLS server extension "EC point formats" (id=11), len=4
    0000 - 03 00 01 02                                       ....
    TLS server extension "session ticket" (id=35), len=0
    TLS server extension "heartbeat" (id=15), len=1
    0000 - 01                                                .
    OCSP response: no response sent
    depth=0 C = AU, ST = QLD, L = BRISBANE, O = domain1.com, CN = domain1.com
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 C = AU, ST = QLD, L = BRISBANE, O = domain1.com, CN = domain1.com
    verify return:1
    ---
    Certificate chain
    0 s:/C=AU/ST=QLD/L=BRISBANE/O=domain1.com/CN=domain1.com
       i:/C=AU/ST=QLD/L=BRISBANE/O=domain1.com/CN=domain1.com
    ---
    Server certificate
    subject=/C=AU/ST=QLD/L=BRISBANE/O=domain1.com/CN=domain1.com
    issuer=/C=AU/ST=QLD/L=BRISBANE/O=domain1.com/CN=domain1.com
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 898 bytes and written 398 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
    Server public key is 256 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256
        Session-ID: D916A6B901F232BB3D205C9D9655EDAE9730ADB5D395282141E846C74D025196
        Session-ID-ctx:
        Master-Key: 5E72C08AF5E0B1159EB0FA600182E0530AABF7AD5D30C7E3B01636D8A779218F2D31C2FB800BB2A667CA9540079B7F71
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        TLS session ticket lifetime hint: 86400 (seconds)
        TLS session ticket:
    
        Start Time: 1406803316
        Timeout   : 7200 (sec)
        Verify return code: 18 (self signed certificate)
    ---
    closed
    
    ----------------------------------------------------------------------
      Your private key (domain1.com.key )and CSR code (domain1.com.csr)
      has been generated at:
      /usr/local/nginx/conf/ssl/domain1.com
    total 20K
    drwxr-xr-x 2 root root 4.0K Jul 31 10:41 .
    drwxr-xr-x 3 root root 4.0K Jul 31 10:41 ..
    -rw-r--r-- 1 root root 1.2K Jul 31 10:41 domain1.com.crt
    -rw-r--r-- 1 root root  997 Jul 31 10:41 domain1.com.csr
    -rw-r--r-- 1 root root 1.7K Jul 31 10:41 domain1.com.key
    ----------------------------------------------------------------------
    
    
    ---------------------------------------------
    nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
    Reloading nginx:                                           [  OK  ]
    
    ---------------------------------------------
    vhost for domain1.com created successfully
    vhost conf file for domain1.com created: /usr/local/nginx/conf/conf.d/domain1.com.conf
    upload files to /home/nginx/domains/domain1.com/public
    vhost log files directory is /home/nginx/domains/domain1.com/log
    SSL files directory is /usr/local/nginx/conf/ssl/domain1.com
    
    Current vhost listing at: /usr/local/nginx/conf/conf.d/
                         
    Jul 23  04:13   798    ssl.conf
    Jul 23  04:13   1.1K   demodomain.com.conf
    Jul 23  04:13   1.4K   virtual.conf
    Jul 31  10:42   2.7K   domain1.com.conf
    ---------------------------------------------
    RSA 2048 bit key generated CSR Code self-signed SSL certificate

    RSA = ECDHE_RSA

    nginxssl_gen_vhost_selfsigned_rsakey_00.png

    Edit: Also added selection of either 2048 bit or 4096 bit RSA keys for non-ECC CSR Code

    Code:
    ./nginxssl_gen.sh
    
    ---------------------------------------------
    Enter vhost domain name you want to add (without www. prefix): domain1.com
    Do you want to setup an Nginx SSL SPDY Vhost https:// based domain? [y/n] y
    Do you want to auto generate the CSR Code (Certificate Signing Request)? [y/n] y
    Auto generate self-signed SSL certificate (y) or setup a purchased SSL Certifcate [n] ? [y/n] y
    ----------------------------------------------------------------------
    There are types of CSR Codes you can generate
    1). The standard RSA 2048 bit key based CSR Code
    2). The newer performant ECC 256bit key based CSR Code
    ----------------------------------------------------------------------
      ECC = Elliptic Curve Cryptography
      ECC key based has smaller key sizes, more secure etc
      ECC 256bit key is equivalent to a RSA 3072bit key
      ECC key based CSR Code NEEDS a SSL certificate which
      supports ECC however not all SSL certificates support
      ECC key based generated CSR Codes. Some browsers may
      also NOT support ECC.
    
      Please consult with your SSL certificate provider or
      if unsure, choose the standard RSA 2048 bit key
      based CSR Code method.
    
      Do you want to generate a ECC 256 bit key based CSR Code?
      Answer = y for ECC or = n for standard RSA key based [y/n] n
    ----------------------------------------------------------------------
    
    ----------------------------------------------------------------------
      RSA 4096 bit key = y Answer = n for 2048 bit key [y/n] y
    
      Generating private key and CSR Code files
      will require user input...
      openssl req -new -newkey rsa:4096 -nodes -out domain1.com.csr -keyout domain1.com.key
    Generating a 4096 bit RSA private key
    ..............................................................................................................................................................................................................................++
    ...................................................................................................................................................................++
    writing new private key to 'domain1.com.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:AU
    State or Province Name (full name) []:QLD
    Locality Name (eg, city) [Default City]:BRISBANE
    Organization Name (eg, company) [Default Company Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:domain1.com
    Email Address []:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
      self-signed crt generation option:
      openssl x509 -req -days 36500 -in domain1.com.csr -signkey domain1.com.key -out domain1.com.crt
    Signature ok
    subject=/C=AU/ST=QLD/L=BRISBANE/O=Default Company Ltd/CN=domain1.com
    Getting Private key
    openssl s_client -connect domain1.com:443 -tls1_2 -tlsextdebug -status
    CONNECTED(00000003)
    TLS server extension "renegotiation info" (id=65281), len=1
    0001 - <SPACES/NULS>
    TLS server extension "EC point formats" (id=11), len=4
    0000 - 03 00 01 02                                       ....
    TLS server extension "session ticket" (id=35), len=0
    TLS server extension "heartbeat" (id=15), len=1
    0000 - 01                                                .
    OCSP response: no response sent
    depth=0 C = AU, ST = QLD, L = BRISBANE, O = Default Company Ltd, CN = domain1.com
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 C = AU, ST = QLD, L = BRISBANE, O = Default Company Ltd, CN = domain1.com
    verify return:1
    ---
    Certificate chain
    0 s:/C=AU/ST=QLD/L=BRISBANE/O=Default Company Ltd/CN=domain1.com
       i:/C=AU/ST=QLD/L=BRISBANE/O=Default Company Ltd/CN=domain1.com
    ---
    Server certificate
    subject=/C=AU/ST=QLD/L=BRISBANE/O=Default Company Ltd/CN=domain1.com
    issuer=/C=AU/ST=QLD/L=BRISBANE/O=Default Company Ltd/CN=domain1.com
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1497 bytes and written 398 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES128-GCM-SHA256
        Session-ID: 67A390B12611FA14D4CD62595278C6AEE56AE9957BEC6D104D81266D356049FC
        Session-ID-ctx:
        Master-Key: 20F6CC96ECE231BBB33D168ED2D0B2DEE2A39665D5E50BDA458095ABE0E7034C2F80542D4367DDEC161361DAB6105B61
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        TLS session ticket lifetime hint: 86400 (seconds)
        TLS session ticket:
        0000 - 31 c2 6c 31 65 0d 41 19-2c 92 63 5a 69 c6 f3 f7   1.l1e.A.,.cZi...
        0010 - f4 68 b7 c0 0b ee 07 02-c8 17 c1 7e bb 78 07 52   .h.........~.x.R
        0020 - 36 2c 71 7c 7a 6b a9 a9-b1 fa 4d 05 1b c7 54 ec   6,q|zk....M...T.
        0030 - a6 f7 ea 94 b3 46 b8 7f-c7 df 6a 1f e0 cf e9 a9   .....F....j.....
        0040 - 77 3c f3 2a 98 19 ee 8a-2d 6b 98 a8 b3 d5 bb ac   w<.*....-k......
        0050 - 87 e6 87 c0 38 58 46 cb-13 04 5c c7 60 b5 92 96   ....8XF...\.`...
        0060 - d0 3e 43 98 80 92 29 51-76 91 79 2c b3 46 99 7a   .>C...)Qv.y,.F.z
        0070 - fd 3d c5 08 af bf e9 eb-de 15 e1 e1 c0 7d b4 aa   .=...........}..
        0080 - ae b9 47 db 14 fa a3 aa-59 09 e7 a1 96 1c 8a 6c   ..G.....Y......l
        0090 - d8 b0 3e 2b 28 0c 52 72-af 27 ef c0 10 18 f8 3f   ..>+(.Rr.'.....?
    
        Start Time: 1406827981
        Timeout   : 7200 (sec)
        Verify return code: 18 (self signed certificate)
    ---
    closed
    
    ----------------------------------------------------------------------
      Your private key (domain1.com.key )and CSR code (domain1.com.csr)
      has been generated at:
      /usr/local/nginx/conf/ssl/domain1.com
    total 20K
    drwxr-xr-x 2 root root 4.0K Jul 31 17:33 .
    drwxr-xr-x 3 root root 4.0K Jul 31 17:32 ..
    -rw-r--r-- 1 root root 1.9K Jul 31 17:33 domain1.com.crt
    -rw-r--r-- 1 root root 1.7K Jul 31 17:33 domain1.com.csr
    -rw-r--r-- 1 root root 3.2K Jul 31 17:33 domain1.com.key
    ----------------------------------------------------------------------
    
    
    ---------------------------------------------
    nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
    Reloading nginx:                                           [  OK  ]
    
    ---------------------------------------------
    vhost for domain1.com created successfully
    vhost conf file for domain1.com created: /usr/local/nginx/conf/conf.d/domain1.com.conf
    upload files to /home/nginx/domains/domain1.com/public
    vhost log files directory is /home/nginx/domains/domain1.com/log
    SSL files directory is /usr/local/nginx/conf/ssl/domain1.com
    
    Current vhost listing at: /usr/local/nginx/conf/conf.d/
                          
    Jul 23  04:13   798    ssl.conf
    Jul 23  04:13   1.1K   demodomain.com.conf
    Jul 23  04:13   1.4K   virtual.conf
    Jul 31  17:33   2.7K   domain1.com.conf
    ---------------------------------------------
    nginxssl_gen_vhost_selfsigned_rsakey_4096bit_00.png
     
    Last edited: Aug 1, 2014
  3. eva2000

    Notice the smaller files with ECC 256 bit vs RSA 2048 bit

    ECC 256 bit
    Code:
    ----------------------------------------------------------------------
      Your private key (domain1.com.key )and CSR code (domain1.com.csr)
      has been generated at:
      /usr/local/nginx/conf/ssl/domain1.com
    total 20K
    drwxr-xr-x 2 root root 4.0K Jul 31 10:22 .
    drwxr-xr-x 3 root root 4.0K Jul 31 10:22 ..
    -rw-r--r-- 1 root root  631 Jul 31 10:22 domain1.com.crt
    -rw-r--r-- 1 root root  452 Jul 31 10:22 domain1.com.csr
    -rw-r--r-- 1 root root  302 Jul 31 10:22 domain1.com.key
    ----------------------------------------------------------------------
    RSA 2048 bit
    Code:
    ----------------------------------------------------------------------
      Your private key (domain1.com.key )and CSR code (domain1.com.csr)
      has been generated at:
      /usr/local/nginx/conf/ssl/domain1.com
    total 20K
    drwxr-xr-x 2 root root 4.0K Jul 31 10:41 .
    drwxr-xr-x 3 root root 4.0K Jul 31 10:41 ..
    -rw-r--r-- 1 root root 1.2K Jul 31 10:41 domain1.com.crt
    -rw-r--r-- 1 root root  997 Jul 31 10:41 domain1.com.csr
    -rw-r--r-- 1 root root 1.7K Jul 31 10:41 domain1.com.key
    ----------------------------------------------------------------------
    RSA 4096 bit
    Code:
    ----------------------------------------------------------------------
      Your private key (domain1.com.key )and CSR code (domain1.com.csr)
      has been generated at:
      /usr/local/nginx/conf/ssl/domain1.com
    total 20K
    drwxr-xr-x 2 root root 4.0K Jul 31 17:33 .
    drwxr-xr-x 3 root root 4.0K Jul 31 17:32 ..
    -rw-r--r-- 1 root root 1.9K Jul 31 17:33 domain1.com.crt
    -rw-r--r-- 1 root root 1.7K Jul 31 17:33 domain1.com.csr
    -rw-r--r-- 1 root root 3.2K Jul 31 17:33 domain1.com.key
    ----------------------------------------------------------------------
    For an ECC 256 bit SSL certificate from Comodo, they will provide an ECC 256 bit SSL certificate along with their intermediate and roots which are labelled as ECC on some

    See example of sslspdy.com which is using ECC 256 bit SSL and ECDHE_ECDSA created with ECC 256 bit key algorithm and sha256 signature algorithm
    • Root CA Certificate - AddTrustExternalCARoot.crt
    • Intermediate CA Certificate - COMODOECCAddTrustCA.crt
    • Intermediate CA Certificate - COMODOECCDomainValidationSecureServerCA.crt
    • Your SSL Certificate - sslspdy_com.crt
    Now see community.centminmod.com which is using RSA 2048 bit SSL and ECDHE_RSA created with RSA 2048 bit key algorithm and sha256 signature algorithm
    • Root CA Certificate - AddTrustExternalCARoot.crt
    • Intermediate CA Certificate - COMODORSAAddTrustCA.crt
    • Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
    • Your GGSSL Wildcard SSL - STAR_centminmod_com.crt
     
    Last edited: Aug 15, 2014
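The directory listings in the posts above show domain1.com.key with mode -rw-r--r--, which lets every local account read the private key. The following added example is not part of the original posts or of the Centmin Mod scripts; it audits a per-domain SSL directory for such keys and restricts them to the owner. The demo tree is constructed, with placeholder files instead of real key material.

```shell
#!/bin/sh
# Added example (not from nginxssl_gen.sh): find private keys that group or
# other users can read or write, and restrict them to the owner.

# List files under $1 that contain a PEM private-key header and have any
# group/other read or write bit set. Matching on content also catches keys
# that were copied or renamed away from the *.key convention.
find_exposed_keys() {
    find "$1" -type f \
        \( -perm -040 -o -perm -004 -o -perm -020 -o -perm -002 \) \
        -exec grep -l -e '-----BEGIN .*PRIVATE KEY-----' {} + || true
}

# Set every exposed key to owner read/write only and report each change.
lock_down_keys() {
    find_exposed_keys "$1" | while IFS= read -r key; do
        chmod 600 "$key" && printf 'chmod 600 %s\n' "$key"
    done
}

# Constructed demo tree mirroring the thread's listing: key, CSR and
# certificate all at mode 0644. Files hold placeholder text, not real keys.
make_demo_tree() {
    demo=$(mktemp -d) || return 1
    mkdir -p "$demo/domain1.com"
    for kind in "key:EC PRIVATE KEY" "csr:CERTIFICATE REQUEST" "crt:CERTIFICATE"; do
        f="$demo/domain1.com/domain1.com.${kind%%:*}"
        printf -- '-----BEGIN %s-----\n(placeholder)\n-----END %s-----\n' \
            "${kind#*:}" "${kind#*:}" > "$f"
        chmod 644 "$f"
    done
    printf '%s\n' "$demo"
}

demo_dir=$(make_demo_tree)
echo "exposed before:"; find_exposed_keys "$demo_dir"
lock_down_keys "$demo_dir"
echo "exposed after:";  find_exposed_keys "$demo_dir"
rm -rf "$demo_dir"
```

On a real server the argument would be the SSL directory from the listing, /usr/local/nginx/conf/ssl; the CSR and certificate are public data and are left at their existing mode.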
  4. rdan

    rdan Well-Known Member

    5,439
    1,397
    113
    May 25, 2014
    Ratings:
    +2,186
    Local Time:
    11:16 AM
    Mainline
    10.2
    Which companies offer ECC 256 bit? :)
    Does RapidSSL have it?
     
  5. eva2000

    I'll know more in a week or so I hope :D
     
  6. rdan

    The premium feature :)
    Good luck ;)
     
  7. eva2000

    Not related to Forum Premium User features (bundled SSL certificates), but waiting on provider to implement this in their order system (right now it's manually done for ECC based CSR Code/Certificates as it's pretty new type/offering for ECC SSL).

    Also apparently, Internet Explorer version 8 and below don't support ECC SSL so you'd have to take that into consideration. For this forum, IE <=8 only accounts for ~0.322% of all visitors. For Centminmod.com main site IE <=8 accounts for ~0.418% of all visitors and for Ghost node.js blog ~0.155%.

    See world wide browser usage stats now.
    More info at CA Security Council | Benefits of Elliptic Curve Cryptography

    hmm might be better to stick with standard RSA 2048 bit for slower ECC signature verification on slower mobile and tablet devices' processors?
     
    Last edited: Aug 1, 2014
  8. eva2000

    Set up a test site at sslspdy.com for this using the nginxssl_gen.sh script to create an ECC 256 bit self-signed SSL certificate with sha256 Signature Algorithms as opposed to default sha1. Will switch the site to a commercial SSL certificate once I know exactly which SSL certificates support ECC.

    browser_ecc_ssl_self_signed.png
    ssllabs_self_signed_01.png

    Just switched to a commercial Comodo SSL certificate for testing and from what I've been told at least all Comodo SSL certificates support ECC if you generate the CSR Code with either ECC 256bit key with either sha1 or sha256 signature algorithm (which my above revised Nginx vhost/ssl generator does).

    browser_ecc_ssl_comodo_trial.png
    browser_ecc_ssl_comodo_trial2.png
    browser_ecc_ssl_comodo_trial3.png
    ssllabs_ecc_ssl_comodo_trial_00.png
    ssllabs_ecc_ssl_comodo_trial_01.png
    ssllabs_ecc_ssl_comodo_trial_02.png
     
    Last edited: Aug 3, 2014
  9. rdan

    But with this notice:
    This site works only in browsers with SNI support?
     
  10. eva2000

    I think that comes up when I have more than one domain with a SPDY/SSL Nginx vhost on the same single IP address, as SNI, which allows hosting multiple SSL domains on a single IP address, will only work with SNI supported browsers, which most modern browsers are. If I had separate IP addresses for each SSL based domain, then it wouldn't have shown.
     
  11. eva2000

    Was curious how much of this forum was made up of WinXP browser traffic to see how much of a negative impact it would have if I implemented ECC 256 Bit SSL certificates on this forum. So I created a custom Google Analytics Dashboard to break down WinXP operating system users by Browser and Browser version :)
    • 4 out of 10,244 sessions are IE <8 + WinXP = 0.039%
    • surprisingly there's a lot more WinXP + Chrome (78) or Firefox users (79) and Opera (7)

    ga_dashboard_browser_xp_stats.png
     
  12. eva2000

    Just working on improving the generator opting for sha256 signature algorithm for both ECC 256 bit and RSA 2048/4096bit generated keys algorithms, csr and private keys etc.

    Tested 2 self-signed generated SSL certificates and CSR files, one 2048bit RSA and one 4096bit RSA. Using Online Symantec CSR tool to confirm that they are indeed using 2048bit and 4096bit key sizes. FYI, CSR code is what you generate to provide to your SSL provider so they can generate your SSL certificates. For folks new to SSL check out SSL - HTTPS as a Google ranking signal | Centmin Mod Community

    domain1_2048bit_rsa_csr_check.png
    domain2_4096bit_rsa_csr_check.png

    Then testing an ECC 256bit key algorithm with SHA256 signature algorithm CSR generated code

    domain3_256bit_ecc_csr_check.png
     
    Last edited: Aug 13, 2014
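The key size and signature algorithm checks described in the post above can also be done locally with the openssl command line tool. The following added example is not part of the original post or of nginxssl_gen.sh; the openssl invocations are one standard way to create ECC 256 bit and RSA 2048 bit CSRs with a sha256 signature, and the hostnames are constructed.

```shell
#!/bin/sh
# Added example (not from nginxssl_gen.sh): create a CSR and inspect it locally.

# make_csr <ecc256|rsa2048> <dir> <hostname>: write <hostname>.key/.csr into
# <dir> and print the CSR path. umask 077 keeps the new key owner-only.
make_csr() {
    key="$2/$3.key"; csr="$2/$3.csr"
    ( umask 077
      case "$1" in
          ecc256)  openssl ecparam -name prime256v1 -genkey -noout -out "$key" ;;
          rsa2048) openssl genrsa -out "$key" 2048 ;;
          *)       exit 2 ;;
      esac 2>/dev/null &&
      openssl req -new -sha256 -key "$key" -subj "/CN=$3" -out "$csr"
    ) || return 1
    printf '%s\n' "$csr"
}

# csr_summary <csr>: print "<key algorithm> <key bits> <signature algorithm>"
# parsed from the text dump; fails if the file is not a readable CSR.
csr_summary() {
    openssl req -in "$1" -noout -text 2>/dev/null | awk '
        /Public Key Algorithm:/ { alg = $NF }
        /Public-Key: \(/        { bits = $0; sub(/.*\(/, "", bits); sub(/ bit.*/, "", bits) }
        /Signature Algorithm:/  { sig = $NF }
        END { if (alg == "") exit 1; print alg, bits, sig }'
}

# csr_ok <csr>: succeed only for the combinations the thread settles on,
# ECC >= 256 bit or RSA >= 2048 bit, each signed with sha256 (not sha1).
csr_ok() {
    s=$(csr_summary "$1") || return 1
    set -- $s
    case "$1:$3" in
        id-ecPublicKey:ecdsa-with-SHA256)       [ "$2" -ge 256 ] ;;
        rsaEncryption:sha256WithRSAEncryption)  [ "$2" -ge 2048 ] ;;
        *)                                      return 1 ;;
    esac
}

work=$(mktemp -d)
for kind in ecc256 rsa2048; do
    if csr=$(make_csr "$kind" "$work" "$kind.domain.example"); then
        csr_summary "$csr"
        csr_ok "$csr" && echo "  policy: ok" || echo "  policy: rejected"
    fi
done
rm -rf "$work"
```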
  13. eva2000

  14. eva2000

    Looks like ECC 256 bit ECDHE_ECDSA might be too new for curl 7.19 default to support, so if you need curl might opt for normal RSA 2048bit instead of ECC 256 bit

    bug in curl Bug 1059682 – Default cipher ordering doesn't include ECDSA ciphers and doesn't follow current best practice

    Code:
    curl -1IsS https://sslspdy.com
    curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).
    
    or use newer curl version 7.37
    Code:
    curl -V
    curl 7.37.1 (x86_64-redhat-linux-gnu) libcurl/7.37.1 NSS/3.15.4 zlib/1.2.7 libidn/1.28 libssh2/1.4.3
    Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
    Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz Metalink
    Code:
    curl -1IsS --ciphers ecdhe_ecdsa_aes_128_sha https://sslspdy.com
    HTTP/1.1 200 OK
    Server: nginx centminmod
    Content-Type: text/html; charset=utf-8
    Connection: keep-alive
    Vary: Accept-Encoding
    Strict-Transport-Security: max-age=31536000
    Date: Tue, 10 Feb 1970 22:32:54 GMT
    X-Page-Speed: 1.8.31.4-4009
    Cache-Control: max-age=0, no-cache
    
     
    Last edited: Aug 14, 2014
  15. Afterward

    Afterward Member

    94
    29
    18
    Jul 20, 2014
    Ratings:
    +29
    Local Time:
    4:16 AM
    1.7.5
    5.5
    Just a newbie question, let's say I have the Comodo SSL cert that Namecheap offers, in the option to choose either auto generate or setup, what shall I choose exactly?
     
  16. eva2000

    You mean options from my 1st post example script, nginxssl_gen.sh? Or from namecheap's own interface? For mine, if you use SSL then auto generate is the way as you need the private key and CSR codes that are generated. The CSR code is what you provide your SSL provider like namecheap with to create the SSL certificate.

    More info posted on ECC 256 bit vs RSA 2048 bit in general at SSL - ECC 256 bit vs RSA 2048 bit SSL | Centmin Mod Community if folks want to read up :)
     
    Last edited: Aug 15, 2014
  17. eva2000

    While messing around with Centmin Mod Nginx and OpenSSL 1.02 beta 3 with chacha20-poly1305 support (more info), had a chance to retest RSA and ECDSA speed on my local Virtualbox server which has faster Intel Core i7 3635QM Quad Core processor (allocated 2 cpu threads for virtual guest server) and the ECDSA and RSA performance numbers are much higher with a lot more speed up for ECDSA

    ECDSA 256 bit way ahead in signing performance than RSA 2048 bit on Intel Core i7 3635QM processor. 14788 signs/s versus 917 signs/s = 16.1x times faster !

    Code:
    rsa 2048 bits 0.001090s 0.000034s    917.1  29162.2
    256 bit ecdsa (nistp256)   0.0001s   0.0004s  14788.6   2281.4
    Code:
    OpenSSL 1.0.2-chacha (beta3-dev)
    built on: Thu Aug 14 08:18:24 UTC 2014
    options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
    compiler: ccache gcc -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    chacha20-poly1305    44456.07k   148492.67k   344896.00k   525675.52k   609479.32k
                      sign    verify    sign/s verify/s
    rsa  512 bits 0.000047s 0.000004s  21456.0 258411.7
    rsa 1024 bits 0.000154s 0.000010s   6478.9  96692.8
    rsa 2048 bits 0.001090s 0.000034s    917.1  29162.2
    rsa 4096 bits 0.007866s 0.000125s    127.1   8008.0
                                  sign    verify    sign/s verify/s
    160 bit ecdsa (secp160r1)   0.0000s   0.0002s  45434.0   4587.0
    192 bit ecdsa (nistp192)   0.0000s   0.0003s  32678.5   3783.6
    224 bit ecdsa (nistp224)   0.0000s   0.0004s  27883.0   2634.4
    256 bit ecdsa (nistp256)   0.0001s   0.0004s  14788.6   2281.4
    384 bit ecdsa (nistp384)   0.0001s   0.0009s   7932.5   1074.0
    521 bit ecdsa (nistp521)   0.0003s   0.0020s   3428.5    502.3
    163 bit ecdsa (nistk163)   0.0001s   0.0009s   6949.5   1158.5
    233 bit ecdsa (nistk233)   0.0003s   0.0012s   3137.2    839.0
    283 bit ecdsa (nistk283)   0.0005s   0.0026s   1841.3    383.7
    409 bit ecdsa (nistk409)   0.0014s   0.0056s    716.8    179.9
    571 bit ecdsa (nistk571)   0.0031s   0.0123s    321.0     81.0
    163 bit ecdsa (nistb163)   0.0001s   0.0009s   7534.0   1079.3
    233 bit ecdsa (nistb233)   0.0003s   0.0013s   3299.7    783.8
    283 bit ecdsa (nistb283)   0.0006s   0.0029s   1756.4    347.3
    409 bit ecdsa (nistb409)   0.0014s   0.0063s    727.4    158.9
    571 bit ecdsa (nistb571)   0.0032s   0.0141s    317.0     70.8
    RSA 2048 bit and ECDSA 256 bit combined with chacha20-poly1305 with self-signed SSL certificates for testing only

    nginx_openssl102_chacha20_poly1305_test_rsa_00.png

    nginx_openssl102_chacha20_poly1305_test_ecdsa_00.png

    Implemented OpenSSL 1.0.2 with chacha20-poly1305 on test site at sslspdy.com combined with ECC 256 bit ECDSA

    sslspdy_openssl102chacha20_poly1305_ecdsa_comodo_00.png

    sslspdy_openssl102chacha20_poly1305_ecdsa_comodo_01.png

    sslspdy_openssl102chacha20_poly1305_ecdsa_comodo_02.png

    sslspdy_openssl102chacha20_poly1305_ecdsa_comodo_03.png
     
    Last edited: Aug 24, 2014
  18. Josephm

    Josephm Active Member

    132
    44
    28
    Aug 26, 2014
    Ratings:
    +48
    Local Time:
    10:16 AM
    1.9.5
    10.0.21
  19. eva2000

  20. Josephm

    I guess WinXP could live 5 years longer :D