
Beta Branch fix set-misc & nginx stream module incompatibility with boringssl

Discussion in 'Centmin Mod Github Commits' started by eva2000, Aug 19, 2018.

  1. eva2000

    eva2000 Administrator Staff Member

    45,974
    10,444
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,206
    Local Time:
    7:05 PM
    Nginx 1.19.x
    MariaDB 5.5/10.x
  2. eva2000

    eva2000 Administrator Staff Member

    combined with part 2 Beta Branch - fix set-misc & nginx stream module incompatibility boringssl part 2

    allows for

    Code (Text):
    lsof | egrep 'libcrypt|libssl|zlib-cf|pcre|ngx|ndk|jemalloc|librt|libdl|libpthread|libz|libc|libstdc|libm|libfreebl|vdso' | awk '/nginx/ {print $NF}' | awk '!a[$0]++' | grep -v lib64
    /usr/local/lib/libpcre.so.1.2.10
    /usr/local/zlib-cf/lib/libz.so.1.2.8
    /svr-setup/boringssl/.openssl/lib/libssl.so
    /svr-setup/boringssl/.openssl/lib/libcrypto.so
    /usr/local/nginx/modules/ngx_stream_module.so
    /usr/local/nginx/modules/ngx_http_brotli_static_module.so
    /usr/local/nginx/modules/ngx_http_fancyindex_module.so
    /usr/local/nginx/modules/ngx_http_echo_module.so
    /usr/local/nginx/modules/ngx_http_set_misc_module.so
    /usr/local/nginx/modules/ndk_http_module.so
    /usr/local/nginx/modules/ngx_http_headers_more_filter_module.so
    /usr/local/nginx/modules/ngx_http_brotli_filter_module.so
    /usr/local/nginx/modules/ngx_http_image_filter_module.so
    

    Will need more testing though; probably need to change the path of /svr-setup/boringssl/.openssl so folks don't go deleting the /svr-setup directory :)
     
    Last edited: Aug 19, 2018
  3. eva2000

    eva2000 Administrator Staff Member

    changed boringssl install directory to /opt/boringssl
    Code (Text):
    lsof | egrep 'libcrypt|libssl|zlib-cf|pcre|ngx|ndk|jemalloc|librt|libdl|libpthread|libz|libc|libstdc|libm|libfreebl|vdso' | awk '/nginx/ {print $NF}' | awk '!a[$0]++' | grep -v lib64
    /usr/local/zlib-cf/lib/libz.so.1.2.8
    /usr/local/lib/libpcre.so.1.2.10
    /opt/boringssl/.openssl/lib/libssl.so
    /opt/boringssl/.openssl/lib/libcrypto.so
    /usr/local/nginx/modules/ngx_stream_module.so
    /usr/local/nginx/modules/ngx_http_brotli_static_module.so
    /usr/local/nginx/modules/ngx_http_fancyindex_module.so
    /usr/local/nginx/modules/ngx_http_echo_module.so
    /usr/local/nginx/modules/ngx_http_set_misc_module.so
    /usr/local/nginx/modules/ndk_http_module.so
    /usr/local/nginx/modules/ngx_http_headers_more_filter_module.so
    /usr/local/nginx/modules/ngx_http_brotli_filter_module.so
    /usr/local/nginx/modules/ngx_http_image_filter_module.so
    

    Code (Text):
    /opt/boringssl/build/tool/bssl speed -filter RSA
    Did 986 RSA 2048 signing operations in 1050509us (938.6 ops/sec)
    Did 34000 RSA 2048 verify (same key) operations in 1009988us (33663.8 ops/sec)
    Did 30000 RSA 2048 verify (fresh key) operations in 1010392us (29691.4 ops/sec)
    Did 130 RSA 4096 signing operations in 1012938us (128.3 ops/sec)
    Did 9647 RSA 4096 verify (same key) operations in 1074233us (8980.4 ops/sec)
    Did 8459 RSA 4096 verify (fresh key) operations in 1028181us (8227.2 ops/sec)
    

    Code (Text):
    /opt/boringssl/build/tool/bssl speed -filter ECDSA
    Did 18000 ECDSA P-224 signing operations in 1038393us (17334.5 ops/sec)
    Did 6942 ECDSA P-224 verify operations in 1001430us (6932.1 ops/sec)
    Did 34000 ECDSA P-256 signing operations in 1027135us (33101.8 ops/sec)
    Did 9999 ECDSA P-256 verify operations in 1068820us (9355.2 ops/sec)
    Did 1595 ECDSA P-384 signing operations in 1047417us (1522.8 ops/sec)
    Did 1496 ECDSA P-384 verify operations in 1046931us (1428.9 ops/sec)
    Did 649 ECDSA P-521 signing operations in 1088881us (596.0 ops/sec)
    Did 583 ECDSA P-521 verify operations in 1064068us (547.9 ops/sec)
    

    Compared to OpenSSL 1.1.1 dev9 master
    Code (Text):
    /opt/openssl-tls1.3/bin/openssl speed -multi 1 rsa2048 ecdsap256
    
    OpenSSL 1.1.1-pre9-dev  xx XXX xxxx
    built on: Sat Aug 18 06:08:41 2018 UTC
    options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
    compiler: ccache gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DNDEBUG
                      sign    verify    sign/s verify/s
    rsa 2048 bits 0.001083s 0.000032s    923.6  31108.1
                                  sign    verify    sign/s verify/s
     256 bits ecdsa (nistp256)   0.0000s   0.0001s  30215.9   9045.8
    

    If I am reading correctly, for a 1 CPU thread test:
    • BoringSSL RSA 2048bit sign/op per second is ~1.6% faster than OpenSSL 1.1.1-dev9 master
    • BoringSSL RSA 2048bit (fresh) verify/op per second is ~4.55% slower than OpenSSL 1.1.1-dev9 master
    • BoringSSL ECDSA 256bit sign/op per second is ~9.55% faster than OpenSSL 1.1.1-dev9 master
    • BoringSSL ECDSA 256bit verify/op per second is ~3.42% faster than OpenSSL 1.1.1-dev9 master
    Guess BoringSSL is being used by Nginx, as OCSP stapling is being ignored/not supported, which is expected as BoringSSL removed OCSP stapling support:
    Code (Text):
    nginx -t
    nginx: [warn] "ssl_stapling" ignored, not supported
    nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
    

    SSLlabs test also confirms it, and with Nginx 1.15.3 master + BoringSSL, TLS 1.3 is there thanks to the commit in Nginx 1.15.3 master for "SSL: enabled TLSv1.3 with BoringSSL".

    Currently using old OpenSSL nginx ssl_ciphers preferences.

    cmm-nginx-1.15.3-boringssl-ssllabs-00.png

    cmm-nginx-1.15.3-boringssl-ssllabs-01.png
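
The percentage comparison in the post above can be reproduced mechanically from the two tools' output. The following is an added example, not part of the original post or of Centmin Mod; the function names are hypothetical and the embedded sample input is constructed from the result lines quoted in the thread.

```python
import re

# Constructed sample input: result lines copied from the two benchmark runs quoted in the post.
BSSL_SPEED = """\
Did 986 RSA 2048 signing operations in 1050509us (938.6 ops/sec)
Did 34000 RSA 2048 verify (same key) operations in 1009988us (33663.8 ops/sec)
Did 30000 RSA 2048 verify (fresh key) operations in 1010392us (29691.4 ops/sec)
Did 34000 ECDSA P-256 signing operations in 1027135us (33101.8 ops/sec)
Did 9999 ECDSA P-256 verify operations in 1068820us (9355.2 ops/sec)
Did 1595 ECDSA P-384 signing operations in 1047417us (1522.8 ops/sec)
"""
OPENSSL_SPEED = """\
                  sign    verify    sign/s verify/s
rsa 2048 bits 0.001083s 0.000032s    923.6  31108.1
                              sign    verify    sign/s verify/s
 256 bits ecdsa (nistp256)   0.0000s   0.0001s  30215.9   9045.8
"""

BSSL_RE = re.compile(r"Did \d+ (RSA|ECDSA) (?:P-)?(\d+) (signing|verify)"
                     r"(?: \((same|fresh) key\))? operations in \d+us \(([\d.]+) ops/sec\)")
OPENSSL_RE = re.compile(r"^\s*(?:(rsa)\s+(\d+) bits|(\d+) bits (ecdsa) \(\w+\))"
                        r"\s+[\d.]+s\s+[\d.]+s\s+([\d.]+)\s+([\d.]+)\s*$", re.M)

def parse_bssl(text):
    """Map (algo, bits, op) -> ops/sec from `bssl speed` output."""
    rates = {}
    for algo, bits, op, key, rate in BSSL_RE.findall(text):
        if key == "same":   # skip same-key verify; the post compares the fresh-key figure
            continue
        rates[(algo, int(bits), "sign" if op == "signing" else "verify")] = float(rate)
    return rates

def parse_openssl(text):
    """Map (algo, bits, op) -> ops/sec from the `openssl speed` summary table."""
    rates = {}
    for rsa, rsa_bits, ec_bits, ecdsa, sign, verify in OPENSSL_RE.findall(text):
        algo, bits = (rsa or ecdsa).upper(), int(rsa_bits or ec_bits)
        rates[(algo, bits, "sign")] = float(sign)
        rates[(algo, bits, "verify")] = float(verify)
    return rates

def percent_delta(bssl, openssl):
    """Percent by which BoringSSL is faster (+) or slower (-), for benchmarks both tools ran."""
    return {k: round((bssl[k] / openssl[k] - 1) * 100, 2)
            for k in sorted(bssl.keys() & openssl.keys())}

if __name__ == "__main__":
    for key, pct in percent_delta(parse_bssl(BSSL_SPEED), parse_openssl(OPENSSL_SPEED)).items():
        print(key, f"{pct:+.2f}%")
```

Benchmarks that only one tool ran (here the P-384 line) are dropped from the comparison rather than reported against a missing baseline.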