Learn about Centmin Mod LEMP Stack today
Register Now

SSL Improper ciphers on this site

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Floren, Feb 9, 2015.

  1. Floren

    Floren Active Member

    148
    77
    28
    Jun 6, 2014
    Ratings:
    +77
    Local Time:
    9:12 AM
    I fixed the issue, the Intel patch was forcing to use CHACHA20 only if it was client's most preferred cipher (Android 5.0.0). Removing that conditional reverted everything to normal cipher use behavior.
    SSL Server Test: axivo.com (Powered by Qualys SSL Labs)

    BTW, the CHACHA/POLY source code you linked above is deprecated (was released by Adam Langley in 2013), I recommend you to look at BoringSSL code for a proper implementation.
     
    • Like Like x 1
  2. eva2000

    eva2000 Administrator Staff Member

    40,190
    8,888
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,698
    Local Time:
    11:12 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    yup working on your site now

    indeed interesting indeed Replacing ChaCha20/Poly1305: a new owner | On Web Security

    The work Flow of the Full-Featured openssl Fork (ChaCha20/Poly1305) | On Web Security

     
  3. eva2000

    eva2000 Administrator Staff Member

    40,190
    8,888
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,698
    Local Time:
    11:12 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    @Floren curious about performance ?

    Code:
    openssl speed chacha20-poly1305 -multi 8
     
  4. Floren

    Floren Active Member

    148
    77
    28
    Jun 6, 2014
    Ratings:
    +77
    Local Time:
    9:12 AM
    Take a look at Intel patches, for a proper implementation of CHACHA/POLY in OpenSSL. I used portions of Vlad's code on AXIVO release, Take a look at this thread, for recent Intel's enhancements:
    Login
     
  5. Floren

    Floren Active Member

    148
    77
    28
    Jun 6, 2014
    Ratings:
    +77
    Local Time:
    9:12 AM
    RHEL6 on a fairly old processor:
    Code:
    [[email protected] ~]# dmidecode -t processor
    # dmidecode 2.12
    SMBIOS 2.5 present.
    
    Handle 0x0004, DMI type 4, 40 bytes
    Processor Information
        Socket Designation: CPU 1
        Type: Central Processor
        Family: Core i7
        Manufacturer: Intel           
        ID: A5 06 01 00 FF FB EB BF
        Signature: Type 0, Family 6, Model 26, Stepping 5
        Flags:
            FPU (Floating-point unit on-chip)
            VME (Virtual mode extension)
            DE (Debugging extension)
            PSE (Page size extension)
            TSC (Time stamp counter)
            MSR (Model specific registers)
            PAE (Physical address extension)
            MCE (Machine check exception)
            CX8 (CMPXCHG8 instruction supported)
            APIC (On-chip APIC hardware supported)
            SEP (Fast system call)
            MTRR (Memory type range registers)
            PGE (Page global enable)
            MCA (Machine check architecture)
            CMOV (Conditional move instruction supported)
            PAT (Page attribute table)
            PSE-36 (36-bit page size extension)
            CLFSH (CLFLUSH instruction supported)
            DS (Debug store)
            ACPI (ACPI supported)
            MMX (MMX technology supported)
            FXSR (FXSAVE and FXSTOR instructions supported)
            SSE (Streaming SIMD extensions)
            SSE2 (Streaming SIMD extensions 2)
            SS (Self-snoop)
            HTT (Multi-threading)
            TM (Thermal monitor supported)
            PBE (Pending break enabled)
        Version: Intel(R) Core(TM) i7 CPU         920  @ 2.67GHz   
        Voltage: Unknown
        External Clock: 133 MHz
        Max Speed: 2666 MHz
        Current Speed: 2666 MHz
        Status: Populated, Enabled
        Upgrade: Other
        L1 Cache Handle: 0x0005
        L2 Cache Handle: 0x0006
        L3 Cache Handle: 0x0007
        Serial Number: To Be Filled By O.E.M.
        Asset Tag: To Be Filled By O.E.M.
        Part Number: To Be Filled By O.E.M.
        Core Count: 4
        Core Enabled: 4
        Thread Count: 8
        Characteristics:
            64-bit capable
    
    [[email protected] ~]# openssl speed chacha20-poly1305 -multi 8
    Forked child 0
    Forked child 1
    +DT:chacha20-poly1305:3:16
    Forked child 2
    Forked child 3
    +DT:chacha20-poly1305:3:16
    +DT:chacha20-poly1305:3:16
    Forked child 4
    +DT:chacha20-poly1305:3:16
    Forked child 5
    +DT:chacha20-poly1305:3:16
    Forked child 6
    Forked child 7
    +DT:chacha20-poly1305:3:16
    +DT:chacha20-poly1305:3:16
    +DT:chacha20-poly1305:3:16
    +R:1983454:chacha20-poly1305:3.000000
    +DT:chacha20-poly1305:3:64
    +R:1983052:chacha20-poly1305:3.000000
    +DT:chacha20-poly1305:3:64
    +R:1985380:chacha20-poly1305:3.000000
    +DT:chacha20-poly1305:3:64
    +R:1984584:chacha20-poly1305:3.000000
    +DT:chacha20-poly1305:3:64
    +R:1983558:chacha20-poly1305:3.000000
    +DT:chacha20-poly1305:3:64
    +R:1982396:chacha20-poly1305:3.000000
    +DT:chacha20-poly1305:3:64
    +R:1986482:chacha20-poly1305:3.000000
    +DT:chacha20-poly1305:3:64
    +R:1984387:chacha20-poly1305:3.000000
    +DT:chacha20-poly1305:3:64
    +R:1778853:chacha20-poly1305:3.000000
    +DT:chacha20-poly1305:3:256
    +R:1779222:chacha20-poly1305:3.000000
    +DT:chacha20-poly1305:3:256
    +R:1774976:chacha20-poly1305:3.000000
    +DT:chacha20-poly1305:3:256
    +R:1778170:chacha20-poly1305:3.000000
    +DT:chacha20-poly1305:3:256
    +R:1778895:chacha20-poly1305:3.000000
    +DT:chacha20-poly1305:3:256
    +R:1778783:chacha20-poly1305:3.000000
    +DT:chacha20-poly1305:3:256
    +R:1775181:chacha20-poly1305:3.000000
    +DT:chacha20-poly1305:3:256
    +R:1778115:chacha20-poly1305:3.000000
    +DT:chacha20-poly1305:3:256
    +R:708226:chacha20-poly1305:3.000000
    +DT:chacha20-poly1305:3:1024
    +R:707365:chacha20-poly1305:3.000000
    +DT:chacha20-poly1305:3:1024
    +R:707684:chacha20-poly1305:3.000000
    +DT:chacha20-poly1305:3:1024
    +R:708672:chacha20-poly1305:3.000000
    +DT:chacha20-poly1305:3:1024
    +R:708202:chacha20-poly1305:3.000000
    +DT:chacha20-poly1305:3:1024
    +R:707209:chacha20-poly1305:3.000000
    +DT:chacha20-poly1305:3:1024
    +R:708234:chacha20-poly1305:3.000000
    +DT:chacha20-poly1305:3:1024
    +R:708640:chacha20-poly1305:3.000000
    +DT:chacha20-poly1305:3:1024
    +R:245667:chacha20-poly1305:3.000000
    +DT:chacha20-poly1305:3:8192
    +R:244265:chacha20-poly1305:3.000000
    +DT:chacha20-poly1305:3:8192
    +R:245648:chacha20-poly1305:3.000000
    +DT:chacha20-poly1305:3:8192
    +R:246129:chacha20-poly1305:3.000000
    +DT:chacha20-poly1305:3:8192
    +R:245677:chacha20-poly1305:3.000000
    +DT:chacha20-poly1305:3:8192
    +R:244206:chacha20-poly1305:3.000000
    +DT:chacha20-poly1305:3:8192
    +R:245783:chacha20-poly1305:3.000000
    +DT:chacha20-poly1305:3:8192
    +R:246115:chacha20-poly1305:3.000000
    +DT:chacha20-poly1305:3:8192
    +R:34430:chacha20-poly1305:3.000000
    +R:34508:chacha20-poly1305:3.000000
    +R:34474:chacha20-poly1305:3.000000
    +R:34569:chacha20-poly1305:3.000000
    +R:34433:chacha20-poly1305:3.000000
    +R:34499:chacha20-poly1305:3.000000
    Got: +H:16:64:256:1024:8192 from 0
    Got: +F:30:chacha20-poly1305:10578421.33:37948864.00:60435285.33:83854336.00:94016853.33 from 0
    +R:34612:chacha20-poly1305:3.000000
    +R:34683:chacha20-poly1305:3.000000
    Got: +H:16:64:256:1024:8192 from 1
    Got: +F:30:chacha20-poly1305:10576277.33:37956736.00:60361813.33:83375786.67:94229845.33 from 1
    Got: +H:16:64:256:1024:8192 from 2
    Got: +F:30:chacha20-poly1305:10588693.33:37866154.67:60389034.67:83847850.67:94137002.67 from 2
    Got: +H:16:64:256:1024:8192 from 3
    Got: +F:30:chacha20-poly1305:10584448.00:37934293.33:60473344.00:84012032.00:94396416.00 from 3
    Got: +H:16:64:256:1024:8192 from 4
    Got: +F:30:chacha20-poly1305:10578976.00:37949760.00:60433237.33:83857749.33:94025045.33 from 4
    Got: +H:16:64:256:1024:8192 from 5
    Got: +F:30:chacha20-poly1305:10572778.67:37947370.67:60348501.33:83355648.00:94205269.33 from 5
    Got: +H:16:64:256:1024:8192 from 6
    Got: +F:30:chacha20-poly1305:10594570.67:37870528.00:60435968.00:83893930.67:94513834.67 from 6
    Got: +H:16:64:256:1024:8192 from 7
    Got: +F:30:chacha20-poly1305:10583397.33:37933120.00:60470613.33:84007253.33:94707712.00 from 7
    OpenSSL 1.0.2a-fips 19 Mar 2015
    built on: reproducible build, date unspecified
    options:bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
    compiler: gcc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -Wall -O3 -g -mmmx -msse3 -mfpmath=sse -Wa,--noexecstack -fomit-frame-pointer -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DCHAPOLY_x86_64_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
    chacha20-poly1305    84657.56k   303406.83k   483347.80k   670204.59k   754231.98k
    
    
     
    • Like Like x 1
  6. eva2000

    eva2000 Administrator Staff Member

    40,190
    8,888
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,698
    Local Time:
    11:12 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    ah

    no longer have access to SYS/OVH E3-1245v2 ?

    yeah came across that too.. definitely look into it when i have more time
     
  7. Floren

    Floren Active Member

    148
    77
    28
    Jun 6, 2014
    Ratings:
    +77
    Local Time:
    9:12 AM
    I run my online site on one of their really old OVH servers, KS2. You want stats on that?
     
  8. eva2000

    eva2000 Administrator Staff Member

    40,190
    8,888
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,698
    Local Time:
    11:12 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    I see, that's okay. Could sworn I remember you had a E3-1245v2 heh
     
  9. rdan

    rdan Well-Known Member

    4,545
    1,088
    113
    May 25, 2014
    Ratings:
    +1,588
    Local Time:
    9:12 PM
    Mainline
    10.2
    Can you share you final cipher list Floren? :)
     
..