Nginx HTTP/2 + SPDY PATCH for NGINX 1.10 + NGINX 1.11

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by buik, Jun 2, 2016.

  1. buik

    You could use:

    Beta Branch - add NGINX_SPDYPATCHED variable support 123.09beta01 | Centmin Mod Community

    If you want to do it yourself, here's some reference material:

    Install and Compile "Nginx 1.10.0" (Stable Release) from Sources in RHEL/CentOS 7.0
    How To Compile Nginx from Source on a CentOS 6.4 x64 VPS | DigitalOcean
     
    Last edited: Jun 22, 2016
  2. eva2000

    Tried both versions of the patch on Centmin Mod Nginx and both fail at the same place:

    Code (Text):
    c/http/modules/ngx_http_ssl_module.c:445:5: error: expected statement
        }
        ^
    1 error generated.
    make[1]: *** [objs/src/http/modules/ngx_http_ssl_module.o] Error 1
    make[1]: *** Waiting for unfinished jobs....
    make[1]: Leaving directory `/svr-setup/nginx-1.11.1'
    make: *** [build] Error 2


    Details: Beta Branch - add NGINX_SPDYPATCHED variable support 123.09beta01 | Centmin Mod Community
     
  3. eva2000

  4. eva2000

    Doing live testing of Centmin Mod 123.09beta01's Nginx 1.11.1 with the HTTP/2 + SPDY patch at sslspdy.com
    Code (Text):
    echo QUIT | openssl s_client -connect sslspdy.com:443 -nextprotoneg ' ' 2>&1 | grep 'Protocols advertised'
    Protocols advertised by server: h2, spdy/3.1, http/1.1

    is-http2 tool test
    Code (Text):
    is-http2 https://sslspdy.com
    ✓ HTTP/2 supported by https://sslspdy.com
    Supported protocols: h2 spdy/3.1 http/1.1
    

    curl
    Code (Text):
    curl -Ivs https://sslspdy.com
    * Rebuilt URL to: https://sslspdy.com/
    *   Trying 192.184.89.66...
    * Connected to sslspdy.com (192.184.89.66) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    

    nghttp2 client
    Code (Text):
    nghttp -nav https://sslspdy.com
    [  0.109] Connected
    The negotiated protocol: h2
    [  0.252] send SETTINGS frame <length=12, flags=0x00, stream_id=0>
              (niv=2)
              [SETTINGS_MAX_CONCURRENT_STREAMS(0x03):100]
              [SETTINGS_INITIAL_WINDOW_SIZE(0x04):65535]

    testssl test - notice the protocols tested include spdy/3.1 via NPN and h2 via ALPN
    Code (Text):
    testssl https://sslspdy.com
    
    ###########################################################
        testssl       2.7dev from https://testssl.sh/dev/
        (1.502 2016/06/15 19:31:09)
    
          This program is free software. Distribution and
                 modification under GPLv2 permitted.
          USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
    
           Please file bugs @ https://testssl.sh/bugs/
    
    ###########################################################
    Testing protocols (via sockets except TLS 1.2, SPDY+HTTP2)
    
    SSLv2      not offered (OK)
    SSLv3      not offered (OK)
    TLS 1      offered
    TLS 1.1    offered
    TLS 1.2    offered (OK)
    SPDY/NPN   h2, spdy/3.1, http/1.1 (advertised)
    HTTP2/ALPN h2, spdy/3.1, http/1.1 (offered)
    
    Testing ~standard cipher lists
    
    Null Ciphers                 not offered (OK)
    Anonymous NULL Ciphers       not offered (OK)
    Anonymous DH Ciphers         not offered (OK)
    40 Bit encryption            not offered (OK)
    56 Bit encryption            not offered (OK)
    Export Ciphers (general)     not offered (OK)
    Low (<=64 Bit)               not offered (OK)
    DES Ciphers                  not offered (OK)
    Medium grade encryption      not offered (OK)
    Triple DES Ciphers           not offered (OK)
    High grade encryption        offered (OK)
    
    
    Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption as well as 3DES and RC4 here
    
    PFS is offered (OK)  ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA
    
    
    Testing server preferences
    
    Has server cipher order?     yes (OK)
    Negotiated protocol          TLSv1.2
    Negotiated cipher            OLD-ECDHE-ECDSA-CHACHA20-POLY1305, 256 bit ECDH
    Cipher order
        TLSv1:     ECDHE-ECDSA-AES128-SHA
        TLSv1.1:   ECDHE-ECDSA-AES128-SHA
        TLSv1.2:   OLD-ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES128-SHA
        h2:        OLD-ECDHE-ECDSA-CHACHA20-POLY1305
        spdy/3.1:  OLD-ECDHE-ECDSA-CHACHA20-POLY1305
        http/1.1:  OLD-ECDHE-ECDSA-CHACHA20-POLY1305
    
    
    Testing server defaults (Server Hello)
    
    TLS extensions (standard)    "renegotiation info/#65281" "EC point formats/#11" "session ticket/#35" "status request/#5" "next protocol/#13172"
    Session Tickets RFC 5077     600 seconds (PFS requires session ticket keys to be rotated <= daily)
    SSL Session ID support       yes
    TLS clock skew               random values, no fingerprinting possible
    Signature Algorithm          ECDSA with SHA256
    Server key size              ECDSA 256 bits
    Fingerprint / Serial         SHA1 155AA462E9EBFC2C608D18AB83DD32C17245C89A / 6F2CECA22E73F3FFA5266435705B5390
                                  SHA256 91A3930E8F38C7B1EBBC265953B8773E888544BD7C45F5A6927AF50D80D31C11
    Common Name (CN)             "*.sslspdy.com" (wildcard certificate match) (works w/o SNI)
    subjectAltName (SAN)         "*.sslspdy.com" "sslspdy.com"
    Issuer                       "COMODO ECC Domain Validation Secure Server CA" ("COMODO CA Limited" from "GB")
    EV cert (experimental)       no
    Certificate Expiration       123 >= 60 days (2014-10-24 00:00 --> 2016-10-23 23:59 +0000)
    # of certificates provided   3
    Chain of trust (experim.)    "/usr/bin/etc/*.pem" cannot be found / not readable
    Certificate Revocation List  http://crl.comodoca.com/COMODOECCDomainValidationSecureServerCA.crl
    OCSP URI                     http://ocsp.comodoca.com
    OCSP stapling                offered
    
    
    Testing HTTP header response @ "/"
    
    HTTP Status Code             200 OK
    HTTP clock skew              -1464583848 sec from localtime
    Strict Transport Security    365 days=31536000 s, includeSubDomains
    Public Key Pinning           # of keys: 2, 604800 s = 7 days (<30 days is not good enough), includeSubDomains
                                  matching host key: QYBZo54E74EGPmprgubrqe39L01K0kkNQBfJ6hRFUyE
    Server banner                nginx centminmod
    Application banner           X-Powered-By: centminmod
    Cookie(s)                    (none issued at "/")
    Security headers             --
    Reverse Proxy banner         --
    
    
    Testing vulnerabilities
    
    Heartbleed (CVE-2014-0160)                not vulnerable (OK) (no heartbeat extension)
    CCS (CVE-2014-0224)                       not vulnerable (OK)
    Secure Renegotiation (CVE-2009-3555)      not vulnerable (OK)
    Secure Client-Initiated Renegotiation     not vulnerable (OK)
    CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
    BREACH (CVE-2013-3587)                    potentially NOT ok, uses gzip HTTP compression. - only supplied "/" tested
                                               Can be ignored for static pages or if no secrets in the page
    POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
    TLS_FALLBACK_SCSV (RFC 7507), experim.    Downgrade attack prevention supported (OK)
    FREAK (CVE-2015-0204)                     not vulnerable (OK)
    DROWN (2016-0800, CVE-2016-0703), exper.  not vulnerable on this port (OK)
                                               make sure you don't use this certificate elsewhere with SSLv2 enabled services
                                               https://censys.io/ipv4?q=91A3930E8F38C7B1EBBC265953B8773E888544BD7C45F5A6927AF50D80D31C11 could help you to find out
    LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK), common primes not checked. See below for any DH ciphers + bit size
    BEAST (CVE-2011-3389)                     TLS1: ECDHE-ECDSA-AES128-SHA
                                               VULNERABLE -- but also supports higher protocols (possible mitigation): TLSv1.1 TLSv1.2
    RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)
    
    
    Testing all 183 locally available ciphers against the server, ordered by encryption strength
    
    Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.  Encryption Bits
    ------------------------------------------------------------------------
    xcc14   OLD-ECDHE-ECDSA-CHACHA20-POLY1305 ECDH 256   ChaCha20  256     
    xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH 256   AESGCM    256     
    xc024   ECDHE-ECDSA-AES256-SHA384         ECDH 256   AES       256     
    xc02b   ECDHE-ECDSA-AES128-GCM-SHA256     ECDH 256   AESGCM    128     
    xc023   ECDHE-ECDSA-AES128-SHA256         ECDH 256   AES       128     
    xc009   ECDHE-ECDSA-AES128-SHA            ECDH 256   AES       128     
    
    
    Running browser simulations (experimental)
    
    Android 2.3.7                 No connection
    Android 4.0.4                 TLSv1 ECDHE-ECDSA-AES128-SHA
    Android 4.1.1                 TLSv1 ECDHE-ECDSA-AES128-SHA
    Android 4.2.2                 TLSv1 ECDHE-ECDSA-AES128-SHA
    Android 4.3                   TLSv1.0 ECDHE-ECDSA-AES128-SHA
    Android 4.4.2                 TLSv1.1 ECDHE-ECDSA-AES128-SHA
    Android 5.0.0                 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
    Baidu Jan 2015                TLSv1 ECDHE-ECDSA-AES128-SHA
    BingPreview Jan 2015          TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
    Chrome 47 / OSX               TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
    Firefox 31.3.0ESR / Win7      TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
    Firefox 42 / OSX              TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
    GoogleBot Feb 2015            TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
    IE6 / XP                      No connection
    IE7 / Vista                   TLSv1.0 ECDHE-ECDSA-AES128-SHA
    IE8 / XP                      No connection
    IE8-10 / Win7                 TLSv1.0 ECDHE-ECDSA-AES128-SHA
    IE11 / Win7                   TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
    IE11 / Win8.1                 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
    IE10 / Win Phone 8.0          TLSv1.0 ECDHE-ECDSA-AES128-SHA
    IE11 / Win Phone 8.1          TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
    IE11 / Win Phone 8.1 Update   TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
    IE11 / Win10                  TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
    Edge 13 / Win10               TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
    Edge 12 / Win Phone 10        TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
    Java 6u45                     No connection
    Java 7u25                     TLSv1 ECDHE-ECDSA-AES128-SHA
    Java 8u31                     TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
    OpenSSL 0.9.8y                No connection
    OpenSSL 1.0.1l                TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
    OpenSSL 1.0.2e                TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
    Safari 5.1.9/ OSX 10.6.8      TLSv1 ECDHE-ECDSA-AES128-SHA
    Safari 6 / iOS 6.0.1          TLSv1.2 ECDHE-ECDSA-AES128-SHA256
    Safari 6.0.4/ OS X 10.8.4     TLSv1 ECDHE-ECDSA-AES128-SHA
    Safari 7 / iOS 7.1            TLSv1.2 ECDHE-ECDSA-AES128-SHA256
    Safari 7 / OS X 10.9          TLSv1.2 ECDHE-ECDSA-AES128-SHA256
    Safari 8 / iOS 8.4            TLSv1.2 ECDHE-ECDSA-AES128-SHA256
    Safari 8 / OS X 10.10         TLSv1.2 ECDHE-ECDSA-AES128-SHA256
    Safari 9 / iOS 9              TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
    Safari 9 / OS X 10.11         TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
    

    SSLLabs test reports NPN and SPDY/3.1 support + ALPN and HTTP/2 support

    Screenshots: sslspdycom-spdy-http2-patch-ssllabs-01.png, sslspdycom-spdy-http2-patch-ssllabs-02.png
     
    Last edited: Jun 23, 2016
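The probes above each look at one of two separate TLS extensions: `openssl s_client -nextprotoneg` and the testssl "SPDY/NPN" line show what the server advertises over NPN (which is how SPDY/3.1 is negotiated), while curl, nghttp and the "HTTP2/ALPN" line show what is negotiated over ALPN (which is how current browsers negotiate h2; a build that only offers h2 via NPN is invisible to ALPN-only clients). The script below is an added example, not code from this thread or from Centmin Mod: it runs both probes against a host given on the command line, parses the two openssl outputs, and classifies the result so that a patched build that serves SPDY via NPN but fails ALPN (or the reverse) is reported as such rather than as a plain pass. It assumes the target listens on port 443 and that the local openssl binary still supports `-nextprotoneg` (OpenSSL 1.0.1+ built with NPN); the embedded sample outputs are constructed, modelled on what the sslspdy.com probes in the post printed.

```shell
#!/bin/sh
# Added example (not from the thread or Centmin Mod): check that a server
# advertises spdy/3.1 + h2 over NPN *and* negotiates h2 over ALPN, the two
# separate TLS extensions the patched nginx build has to serve at once.
# Assumptions: target on port 443; openssl s_client supports -nextprotoneg.

# Constructed sample outputs, trimmed to the lines the parsers care about.
SAMPLE_NPN='CONNECTED(00000003)
Protocols advertised by server: h2, spdy/3.1, http/1.1
---'
SAMPLE_ALPN='CONNECTED(00000003)
ALPN protocol: h2
---'
SAMPLE_NO_ALPN='CONNECTED(00000003)
No ALPN negotiated
---'

# npn_advertised OUTPUT: print the NPN list as space-separated names, or
# nothing when the server (or this openssl) offered no NPN at all.
npn_advertised() {
    printf '%s\n' "$1" | sed -n 's/^Protocols advertised by server: //p' | tr -d ','
}

# alpn_selected OUTPUT: print the protocol the server chose via ALPN, or
# "none" when openssl reported "No ALPN negotiated".
alpn_selected() {
    sel=$(printf '%s\n' "$1" | sed -n 's/^ALPN protocol: //p')
    if [ -n "$sel" ]; then printf '%s\n' "$sel"; else printf 'none\n'; fi
}

# has_proto LIST NAME: true if NAME is one of the space-separated LIST entries.
has_proto() {
    for p in $1; do
        [ "$p" = "$2" ] && return 0
    done
    return 1
}

# spdy_http2_status NPN_OUTPUT ALPN_OUTPUT: classify the server.
#   ok         spdy/3.1 and h2 via NPN, h2 chosen via ALPN (patch is live)
#   npn-only   NPN lists both but ALPN did not pick h2: ALPN-only clients
#              will silently fall back to HTTP/1.1
#   alpn-only  h2 via ALPN but no spdy/3.1 in NPN: stock http2 build, no SPDY
#   neither    nothing useful advertised on either extension
spdy_http2_status() {
    npn=$(npn_advertised "$1")
    alpn=$(alpn_selected "$2")
    npn_ok=1; alpn_ok=1
    if has_proto "$npn" spdy/3.1 && has_proto "$npn" h2; then npn_ok=0; fi
    if [ "$alpn" = h2 ]; then alpn_ok=0; fi
    if [ $npn_ok -eq 0 ] && [ $alpn_ok -eq 0 ]; then echo ok
    elif [ $npn_ok -eq 0 ]; then echo npn-only
    elif [ $alpn_ok -eq 0 ]; then echo alpn-only
    else echo neither
    fi
}

# probe HOST: run the two real openssl probes against HOST:443 and report.
# SNI is sent explicitly so a name-based vhost answers with the right cert.
probe() {
    npn_out=$(echo QUIT | openssl s_client -connect "$1:443" -servername "$1" \
                -nextprotoneg 'h2,spdy/3.1,http/1.1' 2>&1)
    alpn_out=$(echo QUIT | openssl s_client -connect "$1:443" -servername "$1" \
                -alpn 'h2,spdy/3.1,http/1.1' 2>&1)
    printf 'NPN advertised : %s\nALPN selected  : %s\nstatus         : %s\n' \
        "$(npn_advertised "$npn_out")" "$(alpn_selected "$alpn_out")" \
        "$(spdy_http2_status "$npn_out" "$alpn_out")"
}

# Usage: sh check-spdy-h2.sh sslspdy.com
if [ -n "${1:-}" ]; then
    probe "$1"
fi
```

The classification is the useful part: testssl's "SPDY/NPN" and "HTTP2/ALPN" rows in the post show both lists agreeing, which is what a correctly patched build looks like; a build where only one of the two rows contains h2 is the failure mode this script names.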