
OpenSSL [NEW PATCH]Prioritize ChaCha feature - OpenSSL 1.1.1

Discussion in 'CentOS, Redhat & Oracle Linux News' started by buik, Oct 1, 2018.

  1. buik

    The OpenSSL team has issued their version of "Prioritize ChaCha" with the release of OpenSSL 1.1.1.
    However, OpenSSL's prioritize ChaCha won't be implemented by the Nginx team, as they have classified it as: "this "feature" looks more like a hack".

    As can be reviewed here: #1445 (OpenSSL - ChaCha prioritized - Nginx enhancement) – nginx


    With this patch you can still use the prioritize ChaCha feature.
    No additional Nginx settings are required.

    For example: even if ChaCha is last in the line, it will still be selected if the client has ChaCha first (i.e. Android 7) and ssl_prefer_server_ciphers is used.

    Prioritize ChaCha feature - OpenSSL 1.1.1 patch
     
  2. eva2000

    Sweet, thanks for sharing. So is this your own patch, or is it sourced from somewhere? Citations? :)
     
  3. buik

    Own simple patch with a few deleted upstream words.
    Not that hard to create.
     
  4. eva2000

    Ok, so we can refer to it as the bassie OpenSSL 1.1.1 Prioritize ChaCha20 patch :D
     
  5. buik

    Refer to whatever you want.
     
  6. eva2000

    Checking out your patch now.
    Logs:
    Code (Text):
    log files saved at /root/centminlogs
    -rw-r--r--  1 root root  2.3K Oct  1 00:50 patch_opensslpatches_011018-005016.log
    -rw-r--r--  1 root root    44 Oct  1 00:51 centminmod_opensslinstalltime_011018-005016.log
    -rw-r--r--  1 root root  2.7K Oct  1 00:51 patch_patchnginx_011018-005016.log
    -rw-r--r--  1 root root  8.3K Oct  1 00:52 nginx-configure-011018-005016.log
    -rw-r--r--  1 root root   28K Oct  1 00:52 nginx_autoconf.err.011018-005016.log
    -rw-r--r--  1 root root  2.4M Oct  1 00:52 centminmod_123.09beta01.b061_011018-005016_nginx_upgrade.log
    

    patch_opensslpatches log: your patch is the last of the 4 enabled. It is enabled via the persistent config file /etc/centminmod/custom_config.inc by setting the variable below prior to the centmin.sh menu option 4 nginx compile run.
    Code (Text):
    PRIORITIZE_CHACHA_OPENSSL='y'
    

    Code (Text):
    cat /root/centminlogs/patch_opensslpatches_011018-005016.log
    
    ######################################################################
    Patching OpenSSL 1.1.1
    ######################################################################
    Fix OpenSSL 1.1.1 broken SNI handshake patch
    https://github.com/openssl/openssl/issues/7244
    ######################################################################
    /svr-setup/openssl-1.1.1 /svr-setup/openssl-1.1.1
    patch -p1 < /usr/local/src/centminmod/patches/openssl/OpenSSL-1.1.1-sni-fix-delay-sig-algs.patch
    patching file ssl/statem/statem_srvr.c
    patching file test/sslapitest.c
    patching file test/ssltestlib.c
    patching file test/sslapitest.c
    /svr-setup/openssl-1.1.1
    
    
    ######################################################################
    Patching OpenSSL 1.1.1
    ######################################################################
    Reset TLS 1.3 ciphers in SSL_CTX_set_ssl_version() patch
    https://github.com/openssl/openssl/issues/7226
    ######################################################################
    /svr-setup/openssl-1.1.1 /svr-setup/openssl-1.1.1
    patch -p1 < /usr/local/src/centminmod/patches/openssl/OpenSSL-1.1.1-reset-tls1.3-ciphers-SSL_CTX_set_ssl_version.patch
    patching file ssl/ssl_lib.c
    /svr-setup/openssl-1.1.1
    
    
    ######################################################################
    Patching OpenSSL 1.1.1
    ######################################################################
    Fix the max psk len for TLSv1.3 patch
    https://github.com/openssl/openssl/issues/7261
    ######################################################################
    /svr-setup/openssl-1.1.1 /svr-setup/openssl-1.1.1
    patch -p1 < /usr/local/src/centminmod/patches/openssl/OpenSSL-1.1.1-tls13-fix-max-psk-len.patch
    patching file ssl/ssl_locl.h
    /svr-setup/openssl-1.1.1
    
    
    ######################################################################
    Patching OpenSSL 1.1.1
    ######################################################################
    bassie OpenSSL 1.1.1 Prioritize Chacha20 patch
    https://community.centminmod.com/threads/15708/
    ######################################################################
    /svr-setup/openssl-1.1.1 /svr-setup/openssl-1.1.1
    patch -p1 < /usr/local/src/centminmod/patches/openssl/OpenSSL1.1.1-prioritize-chacha-feature.patch
    patching file ssl/s3_lib.c
    /svr-setup/openssl-1.1.1
    


    But dev.ssllabs.com is not showing ChaCha20 cipher selection for Android 7? Does the nginx ssl_ciphers order matter for this patch?


    Adjusting the nginx vhost ssl_ciphers slightly, as it was missing the TLS 1.2 CHACHA20 ciphers, to the below:
    Code (Text):
    ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
    


    that worked :)

    But it seems more clients use CHACHA20 ciphers. Is that intended with your patch?

    Or should I place the CHACHA20 TLS 1.2 ciphers further down the list in the ssl_ciphers order?

    Looks like I need to reorder the TLS 1.2 CHACHA20 ciphers:

    Code (Text):
    ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
    

    Now, as expected, only Android 7, with ChaCha20 at the top of its client preference list, uses ChaCha20 ciphers with your patch :)
     
    Last edited: Oct 1, 2018
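    The selection behaviour described in the first post and observed in the ssl_ciphers reordering above, as an added simulation that is not the thread's patch nor Centmin Mod code. With ssl_prefer_server_ciphers the server walks its own list and takes the first suite the client offers; "prioritize ChaCha" moves the server's ChaCha20 suites to the front only when the client's top suite is ChaCha20, which is the logic behind OpenSSL's SSL_OP_PRIORITIZE_CHACHA (the patch applies it without nginx setting that option). The two ssl_ciphers strings are abbreviated from the post, the client preference lists are constructed approximations, and certificate type and protocol version are ignored.

```python
# Added example: simulate server-preference cipher selection with and
# without the "prioritize ChaCha" behaviour.  Client lists are constructed
# approximations; certificate type and protocol version are ignored.

CHACHA_SUITES = {
    "TLS13-CHACHA20-POLY1305-SHA256",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
}

def parse_ssl_ciphers(directive):
    """Turn an nginx ssl_ciphers line into an ordered suite list, dropping
    '!'-prefixed exclusions such as !DSS."""
    value = directive.strip().rstrip(";").strip()
    if value.startswith("ssl_ciphers"):
        value = value[len("ssl_ciphers"):].strip()
    return [c for c in value.split(":") if c and not c.startswith("!")]

def select_cipher(server_prefs, client_prefs, prioritize_chacha=True):
    """ssl_prefer_server_ciphers on: first server suite the client offers.
    ChaCha suites jump to the front only if the client's TOP suite is ChaCha."""
    prefs = list(server_prefs)
    if prioritize_chacha and client_prefs and client_prefs[0] in CHACHA_SUITES:
        chacha = [c for c in prefs if c in CHACHA_SUITES]
        prefs = chacha + [c for c in prefs if c not in CHACHA_SUITES]
    offered = set(client_prefs)
    return next((s for s in prefs if s in offered), None)

def negotiate(directive, client_prefs, prioritize_chacha=True):
    return select_cipher(parse_ssl_ciphers(directive), client_prefs,
                         prioritize_chacha)

# Abbreviated forms of the two orderings from the post: the first attempt put
# the TLS 1.2 ChaCha20 suites ahead of AES-GCM, the reordered one after it.
FIRST_TRY = ("ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:"
             "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
             "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:!DSS;")
REORDERED = ("ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:"
             "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
             "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:!DSS;")

# Constructed client hellos (TLS 1.2 suites, RSA certificate assumed).
ANDROID7 = ["ECDHE-RSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256",
            "ECDHE-RSA-AES256-GCM-SHA384"]          # ChaCha20 listed first
DESKTOP = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
           "ECDHE-RSA-CHACHA20-POLY1305"]           # AES-GCM listed first
```

    Running negotiate(FIRST_TRY, DESKTOP) reproduces the "more clients use CHACHA20" observation, while REORDERED gives AES-GCM to the desktop client and ChaCha20 only to the Android 7 list.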
  7. eva2000
