Beta Branch fix set-misc & nginx stream module incompatibility with boringssl

eva2000 · Aug 19, 2018

fix set-misc & nginx stream module incompatibility with boringssl

Fix incompatibility with boringssl crypto library compiled nginx for errors outlined at Beta Branch - more prep work for boringssl routines again part 2

Continue reading...

123.09beta01 branch

Branch: centminmod/centminmod

Commit History: centminmod/centminmod

eva2000 · Aug 19, 2018

combined with part 2 Beta Branch - fix set-misc & nginx stream module incompatibility boringssl part 2

allows for

nginx -V
nginx version: nginx/1.15.3 (180818-232044)
built by gcc 8.2.1 20180817 (GCC)
built with OpenSSL 1.1.0 (compatible; BoringSSL) (running with BoringSSL)
TLS SNI support enabled
configure arguments: --with-ld-opt='-Wl,-E -L/usr/local/zlib-cf/lib -L/svr-setup/boringssl/.openssl/lib -lcrypto -lssl -L/usr/local/lib -lrt -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/zlib-cf/lib:/svr-setup/boringssl/.openssl/lib:/usr/local/lib' --with-cc-opt='-I/svr-setup/boringssl/.openssl/include -I/usr/local/zlib-cf/include -I/usr/local/include -m64 -march=native -DTCP_FASTOPEN=23 -g -O3 -fstack-protector-strong -flto -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wimplicit-fallthrough=0 -fcode-hoisting -Wno-cast-function-type -Wp,-D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --build=180818-232044 --with-compat --with-http_stub_status_module --with-http_secure_link_module --with-libatomic --with-http_gzip_static_module --add-dynamic-module=../ngx_brotli --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.2 --add-module=../ngx_cache_purge-2.4.2 --add-dynamic-module=../ngx_devel_kit-0.3.0 --add-dynamic-module=../set-misc-nginx-module-0.32 --add-dynamic-module=../echo-nginx-module-0.61 --add-module=../redis2-nginx-module-0.15 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.18 --add-module=../srcache-nginx-module-0.31 --add-dynamic-module=../headers-more-nginx-module-0.33 --with-pcre-jit --with-http_ssl_module --with-http_v2_module
Click to expand...
Code (Text):
lsof | egrep 'libcrypt|libssl|zlib-cf|pcre|ngx|ndk|jemalloc|librt|libdl|libpthread|libz|libc|libstdc|libm|libfreebl|vdso' | awk '/nginx/ {print $NF}' | awk '!a[$0]++' | grep -v lib64
/usr/local/lib/libpcre.so.1.2.10
/usr/local/zlib-cf/lib/libz.so.1.2.8
/svr-setup/boringssl/.openssl/lib/libssl.so
/svr-setup/boringssl/.openssl/lib/libcrypto.so
/usr/local/nginx/modules/ngx_stream_module.so
/usr/local/nginx/modules/ngx_http_brotli_static_module.so
/usr/local/nginx/modules/ngx_http_fancyindex_module.so
/usr/local/nginx/modules/ngx_http_echo_module.so
/usr/local/nginx/modules/ngx_http_set_misc_module.so
/usr/local/nginx/modules/ndk_http_module.so
/usr/local/nginx/modules/ngx_http_headers_more_filter_module.so
/usr/local/nginx/modules/ngx_http_brotli_filter_module.so
/usr/local/nginx/modules/ngx_http_image_filter_module.so
will need more testing though probably need to change path of /svr-setup/boringssl/.openssl so folks don't go deleting /svr-setup directory

eva2000 · Aug 19, 2018

changed boringssl install directory to /opt/boringssl

nginx -V
nginx version: nginx/1.15.3 (190818-000645)
built by gcc 8.2.1 20180817 (GCC)
built with OpenSSL 1.1.0 (compatible; BoringSSL) (running with BoringSSL)
TLS SNI support enabled
configure arguments: --with-ld-opt='-Wl,-E -L/usr/local/zlib-cf/lib -L/opt/boringssl/.openssl/lib -lcrypto -lssl -L/usr/local/lib -lrt -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/zlib-cf/lib:/opt/boringssl/.openssl/lib:/usr/local/lib' --with-cc-opt='-I/opt/boringssl/.openssl/include -I/usr/local/zlib-cf/include -I/usr/local/include -m64 -march=native -DTCP_FASTOPEN=23 -g -O3 -fstack-protector-strong -flto -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wimplicit-fallthrough=0 -fcode-hoisting -Wno-cast-function-type -Wp,-D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --build=190818-000645 --with-compat --with-http_stub_status_module --with-http_secure_link_module --with-libatomic --with-http_gzip_static_module --add-dynamic-module=../ngx_brotli --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.2 --add-module=../ngx_cache_purge-2.4.2 --add-dynamic-module=../ngx_devel_kit-0.3.0 --add-dynamic-module=../set-misc-nginx-module-0.32 --add-dynamic-module=../echo-nginx-module-0.61 --add-module=../redis2-nginx-module-0.15 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.18 --add-module=../srcache-nginx-module-0.31 --add-dynamic-module=../headers-more-nginx-module-0.33 --with-pcre-jit --with-http_ssl_module --with-http_v2_module
Click to expand...
Code (Text):
lsof | egrep 'libcrypt|libssl|zlib-cf|pcre|ngx|ndk|jemalloc|librt|libdl|libpthread|libz|libc|libstdc|libm|libfreebl|vdso' | awk '/nginx/ {print $NF}' | awk '!a[$0]++' | grep -v lib64
/usr/local/zlib-cf/lib/libz.so.1.2.8
/usr/local/lib/libpcre.so.1.2.10
/opt/boringssl/.openssl/lib/libssl.so
/opt/boringssl/.openssl/lib/libcrypto.so
/usr/local/nginx/modules/ngx_stream_module.so
/usr/local/nginx/modules/ngx_http_brotli_static_module.so
/usr/local/nginx/modules/ngx_http_fancyindex_module.so
/usr/local/nginx/modules/ngx_http_echo_module.so
/usr/local/nginx/modules/ngx_http_set_misc_module.so
/usr/local/nginx/modules/ndk_http_module.so
/usr/local/nginx/modules/ngx_http_headers_more_filter_module.so
/usr/local/nginx/modules/ngx_http_brotli_filter_module.so
/usr/local/nginx/modules/ngx_http_image_filter_module.so
Code (Text):
/opt/boringssl/build/tool/bssl speed -filter RSA
Did 986 RSA 2048 signing operations in 1050509us (938.6 ops/sec)
Did 34000 RSA 2048 verify (same key) operations in 1009988us (33663.8 ops/sec)
Did 30000 RSA 2048 verify (fresh key) operations in 1010392us (29691.4 ops/sec)
Did 130 RSA 4096 signing operations in 1012938us (128.3 ops/sec)
Did 9647 RSA 4096 verify (same key) operations in 1074233us (8980.4 ops/sec)
Did 8459 RSA 4096 verify (fresh key) operations in 1028181us (8227.2 ops/sec)
Code (Text):
/opt/boringssl/build/tool/bssl speed -filter ECDSA
Did 18000 ECDSA P-224 signing operations in 1038393us (17334.5 ops/sec)
Did 6942 ECDSA P-224 verify operations in 1001430us (6932.1 ops/sec)
Did 34000 ECDSA P-256 signing operations in 1027135us (33101.8 ops/sec)
Did 9999 ECDSA P-256 verify operations in 1068820us (9355.2 ops/sec)
Did 1595 ECDSA P-384 signing operations in 1047417us (1522.8 ops/sec)
Did 1496 ECDSA P-384 verify operations in 1046931us (1428.9 ops/sec)
Did 649 ECDSA P-521 signing operations in 1088881us (596.0 ops/sec)
Did 583 ECDSA P-521 verify operations in 1064068us (547.9 ops/sec)
Compared to OpenSSL 1.1.1 dev9 master
Code (Text):
/opt/openssl-tls1.3/bin/openssl speed -multi 1 rsa2048 ecdsap256

OpenSSL 1.1.1-pre9-dev  xx XXX xxxx
built on: Sat Aug 18 06:08:41 2018 UTC
options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
compiler: ccache gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DNDEBUG
                  sign    verify    sign/s verify/s
rsa 2048 bits 0.001083s 0.000032s    923.6  31108.1
                              sign    verify    sign/s verify/s
 256 bits ecdsa (nistp256)   0.0000s   0.0001s  30215.9   9045.8
If i am reading correctly, for 1 cpu thread test

BoringSSL RSA 2048bit sign/op per second is ~1.6% faster than OpenSSL 1.1.1-dev9 master

BoringSSL RSA 2048bit (fresh) verify/op per second is ~4.55% slower than OpenSSL 1.1.1-dev9 master

BoringSSL ECDSA 256bit sign/op per second is ~9.55% faster than OpenSSL 1.1.1-dev9 master

BoringSSL ECDSA 256bit verify/op per second is ~3.42% faster than OpenSSL 1.1.1-dev9 master

Guess BoringSSL is being used by Nginx as OCSP stapling is being ignored/not supported which is expected as BoringSSL removed OCSP stapling support
Code (Text):
nginx -t
nginx: [warn] "ssl_stapling" ignored, not supported
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
SSLlabs test also confirms it and with Nginx 1.15.3 master + BoringSSL, TLS 1.3 is there thanks to commit in Nginx 1.15.3 master for SSL: enabled TLSv1.3 with BoringSSL

currently using old OpenSSL nginx ssl_ciphers preferences

Log in / Register

Forums

Join the community today

Beta Branch fix set-misc & nginx stream module incompatibility with boringssl

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Join the community today

Beta Branch fix set-misc & nginx stream module incompatibility with boringssl

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

.