
SSL CHACHACIPHERS as default ssl_ciphers

Discussion in 'Centmin Mod Insights' started by bassie, Aug 7, 2016.

  1. bassie

    bassie Active Member

    Centminmod Nginx uses the CHACHA20-POLY1305 for desktop and mobile devices as default ssl_cipher. Why?

    AES-supported hardware has been available since 2008.
     
  2. eva2000

    eva2000 Administrator Staff Member

    I don't have specific control over it, purely because LibreSSL is the default for Nginx and LibreSSL doesn't have a mechanism to do what Cloudflare's OpenSSL patch for chacha20 does, which is to serve chacha20 only to mobile devices and not desktop. If you want chacha20 only over mobile and not desktop, just switch Nginx from the LibreSSL default to OpenSSL via the persistent config file /etc/centminmod/custom_config.inc and set
    Code (Text):
    LIBRESSL_SWITCH='n'
    

    then run centmin.sh menu option 4 to recompile Nginx with OpenSSL 1.0.2h+ support and it will auto patch OpenSSL with Cloudflare chacha20 patch :)

    FYI, chacha20 mobile only is a feature of Cloudflare's chacha20 patch which Centmin Mod Nginx integrates and IIRC Cloudflare patch only is for 64bit systems. Standard OpenSSL 1.0.x doesn't even support chacha20 :)
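
The difference discussed in this thread, as an added example that is not part of the original posts and is not Centmin Mod or Cloudflare code: a small model of server-side cipher selection comparing a strict server-preference list with ChaCha20 first against an equal-preference group. It assumes the patched behaviour works like BoringSSL-style `[A|B]` groups, where the client's own order decides within a group; the client offers and both server lists are constructed for illustration.

```python
# Added illustration: models cipher *selection* only, no TLS handshake is performed.
CHACHA = "ECDHE-RSA-CHACHA20-POLY1305"
AES128 = "ECDHE-RSA-AES128-GCM-SHA256"
AES256 = "ECDHE-RSA-AES256-GCM-SHA384"

# Constructed client offers, most preferred cipher first.
MOBILE_NO_AES_HW = [CHACHA, AES128, AES256]   # puts ChaCha20 on top
DESKTOP_AES_NI = [AES128, AES256, CHACHA]     # puts AES-GCM on top
LEGACY_NO_CHACHA = [AES128, AES256]           # does not offer ChaCha20

# Constructed server lists (assumption: not the actual Centmin Mod defaults).
STRICT = f"{CHACHA}:{AES128}:{AES256}"        # ChaCha20 first for everyone
GROUPED = f"[{CHACHA}|{AES128}]:{AES256}"     # equal-preference group


def parse_groups(spec):
    """Parse 'A:[B|C]:D' into [[A], [B, C], [D]], in server order."""
    groups = []
    for token in (t.strip() for t in spec.split(":")):
        if not token:
            continue
        if token.startswith("[") != token.endswith("]"):
            raise ValueError(f"unbalanced group: {token!r}")
        names = token[1:-1].split("|") if token.startswith("[") else [token]
        groups.append([n for n in names if n])
    return groups


def select(spec, client_offer):
    """Server walks its groups in order; inside a group the client's order wins."""
    for group in parse_groups(spec):
        shared = [c for c in client_offer if c in group]
        if shared:
            return shared[0]
    return None  # no shared cipher: the handshake would fail


if __name__ == "__main__":
    clients = {"mobile": MOBILE_NO_AES_HW, "desktop": DESKTOP_AES_NI,
               "legacy": LEGACY_NO_CHACHA}
    for name, offer in clients.items():
        print(f"{name:8} strict={select(STRICT, offer)} grouped={select(GROUPED, offer)}")
```

With the strict list every ChaCha20-capable client, desktop included, negotiates ChaCha20; with the group, the desktop client that ranks AES-GCM first gets AES-GCM.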