OpenSSL [NEW PATCH]Prioritize ChaCha feature - OpenSSL 1.1.1

buik · Oct 1, 2018

The OpenSSL team has issued their version of "Prioritize ChaCha" at the release of OpenSSL 1.1.1.
However OpenSSL prioritize ChaCha won't be implemented by the Nginx team as they have classified it as: "this "feature" looks more like a hack".

As can be reviewed here: #1445 (OpenSSL - ChaCha prioritized - Nginx enhancement) – nginx

With this patch you still could use the prioritize ChaCha feature.
No additional Nginx settings are required.

For example: Even if Chacha is the last in the line.
It will still be selected if the client has ChaCha first(i.e. Android 7), and ssl_prefer_server_ciphers is used.

EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:EECDH+CHACHA20:EECDH+CHACHA20-draft:!MD5;
Click to expand...

Prioritize ChaCha feature - OpenSSL 1.1.1 patch

eva2000 · Oct 1, 2018

sweet thanks for sharing so is this your own patch or it's sourced from somewhere ? citations ?

buik · Oct 1, 2018

Own simple patch with a few deleted upstream words.
Not that hard to create.

eva2000 · Oct 1, 2018

Ok so can refer to it as the bassie OpenSSL 1.1.1 Prioritize ChaCha20 patch

buik · Oct 1, 2018

eva2000 said: ↑

Ok so can refer to it as the bassie OpenSSL 1.1.1 Prioritize ChaCha20 patch
Click to expand...

Refer to whatever you want.

eva2000 · Oct 1, 2018

bassie said: ↑

With this patch you still could use the prioritize ChaCha feature.
No additional Nginx settings are required.

For example: Even if Chacha is the last in the line.
It will still be selected if the client has ChaCha first(i.e. Android 7), and ssl_prefer_server_ciphers is used.
Click to expand...

checking out your patch now

nginx -V
nginx version: nginx/1.15.4 (011018-005151)
built by gcc 8.2.1 20180928 (GCC)
built with OpenSSL 1.1.1 11 Sep 2018
TLS SNI support enabled
configure arguments: --with-ld-opt='-Wl,-E -L/usr/local/zlib-cf/lib -L/usr/local/lib -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/zlib-cf/lib:/usr/local/lib' --with-cc-opt='-I/usr/local/zlib-cf/include -I/usr/local/include -m64 -march=native -DTCP_FASTOPEN=23 -g -O3 -fstack-protector-strong -flto -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wimplicit-fallthrough=0 -fcode-hoisting -Wno-cast-function-type -Wp,-D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --build=011018-005151 --with-compat --with-http_stub_status_module --with-http_secure_link_module --with-http_flv_module --with-http_mp4_module --add-module=../nginx-rtmp-module --add-dynamic-module=../nginx-module-vts --with-libatomic --with-http_gzip_static_module --add-dynamic-module=../ngx_brotli --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_slice_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.2 --add-module=../ngx_cache_purge-2.4.2 --add-dynamic-module=../ngx_devel_kit-0.3.0 --add-dynamic-module=../set-misc-nginx-module-0.32 --add-dynamic-module=../echo-nginx-module-0.61 --add-module=../redis2-nginx-module-0.15 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.18 --add-module=../srcache-nginx-module-0.31 --add-dynamic-module=../headers-more-nginx-module-0.33 --with-pcre-jit --with-http_ssl_module --with-http_v2_module --with-openssl=../openssl-1.1.1 --with-openssl-opt='enable-ec_nistp_64_gcc_128 enable-tls1_3'
Click to expand...

logs
Code (Text):
log files saved at /root/centminlogs
-rw-r--r--  1 root root  2.3K Oct  1 00:50 patch_opensslpatches_011018-005016.log
-rw-r--r--  1 root root    44 Oct  1 00:51 centminmod_opensslinstalltime_011018-005016.log
-rw-r--r--  1 root root  2.7K Oct  1 00:51 patch_patchnginx_011018-005016.log
-rw-r--r--  1 root root  8.3K Oct  1 00:52 nginx-configure-011018-005016.log
-rw-r--r--  1 root root   28K Oct  1 00:52 nginx_autoconf.err.011018-005016.log
-rw-r--r--  1 root root  2.4M Oct  1 00:52 centminmod_123.09beta01.b061_011018-005016_nginx_upgrade.log
patch_opensslpatches log - your patch is the last of the 4 enabled via persistent config file /etc/centminmod/custom_config.inc set variable prior to centmin.sh menu option 4 nginx compile run
Code (Text):
PRIORITIZE_CHACHA_OPENSSL='y'
Code (Text):
cat /root/centminlogs/patch_opensslpatches_011018-005016.log

######################################################################
Patching OpenSSL 1.1.1
######################################################################
Fix OpenSSL 1.1.1 broken SNI handshake patch
https://github.com/openssl/openssl/issues/7244
######################################################################
/svr-setup/openssl-1.1.1 /svr-setup/openssl-1.1.1
patch -p1 < /usr/local/src/centminmod/patches/openssl/OpenSSL-1.1.1-sni-fix-delay-sig-algs.patch
patching file ssl/statem/statem_srvr.c
patching file test/sslapitest.c
patching file test/ssltestlib.c
patching file test/sslapitest.c
/svr-setup/openssl-1.1.1


######################################################################
Patching OpenSSL 1.1.1
######################################################################
Reset TLS 1.3 ciphers in SSL_CTX_set_ssl_version() patch
https://github.com/openssl/openssl/issues/7226
######################################################################
/svr-setup/openssl-1.1.1 /svr-setup/openssl-1.1.1
patch -p1 < /usr/local/src/centminmod/patches/openssl/OpenSSL-1.1.1-reset-tls1.3-ciphers-SSL_CTX_set_ssl_version.patch
patching file ssl/ssl_lib.c
/svr-setup/openssl-1.1.1


######################################################################
Patching OpenSSL 1.1.1
######################################################################
Fix the max psk len for TLSv1.3 patch
https://github.com/openssl/openssl/issues/7261
######################################################################
/svr-setup/openssl-1.1.1 /svr-setup/openssl-1.1.1
patch -p1 < /usr/local/src/centminmod/patches/openssl/OpenSSL-1.1.1-tls13-fix-max-psk-len.patch
patching file ssl/ssl_locl.h
/svr-setup/openssl-1.1.1


######################################################################
Patching OpenSSL 1.1.1
######################################################################
bassie OpenSSL 1.1.1 Prioritize Chacha20 patch
https://community.centminmod.com/threads/15708/
######################################################################
/svr-setup/openssl-1.1.1 /svr-setup/openssl-1.1.1
patch -p1 < /usr/local/src/centminmod/patches/openssl/OpenSSL1.1.1-prioritize-chacha-feature.patch
patching file ssl/s3_lib.c
/svr-setup/openssl-1.1.1
but dev.ssllabs.com not showing chacha20 cipher selection for Android 7 ? does nginx ssl_ciphers order matter for this patch ?

adjusting the nginx vhost ssl_ciphers slightly as was missing TLS 1.2 CHACHA20 ciphers to below
Code (Text):
ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
that worked

but seems more clients use CHACHA20 ciphers is that intended right with your patch ?

or should I place CHACHA20 TLS 1.2 ciphers further down the list for ssl_ciphers order ?

looks like need to reorder TLS 1.2 CHAHA20 ciphers
Code (Text):
ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
Now as expected only Android 7 with chacha20 at the top of it's client preference list uses ChaCha20 ciphers with your patch

eva2000 · Oct 1, 2018

Updated Centmin Mod 123.09beta01 with optional patch for bassie's OpenSSL 1.1.1 Prioritize ChaCha20 SSL cipher patch. Disabled by default, but can optional enabled on nginx recompile via instructions at Beta Branch - add OpenSSL 1.1.1 ChaCha20 Prioritization patch in 123.09beta01

Log in / Register

Forums

Want more timely Centmin Mod News Updates?

OpenSSL [NEW PATCH]Prioritize ChaCha feature - OpenSSL 1.1.1

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Want more timely Centmin Mod News Updates?

OpenSSL [NEW PATCH]Prioritize ChaCha feature - OpenSSL 1.1.1

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

.