OpenSSL [NEW PATCH]Prioritize ChaCha feature - OpenSSL 1.1.1

Discussion in 'CentOS, Redhat & Oracle Linux News' started by bassie, Oct 1, 2018.

  1. bassie

    The OpenSSL team has issued their version of "Prioritize ChaCha" with the release of OpenSSL 1.1.1.
    However, OpenSSL's prioritize ChaCha won't be implemented by the Nginx team, as they have classified it as: "this "feature" looks more like a hack".

    As can be reviewed here: #1445 (OpenSSL - ChaCha prioritized - Nginx enhancement) – nginx

    With this patch you still could use the prioritize ChaCha feature.
    No additional Nginx settings are required.

    For example: even if ChaCha is last in the line, it will still be selected if the client has ChaCha first (i.e. Android 7) and ssl_prefer_server_ciphers is used.

    Prioritize ChaCha feature - OpenSSL 1.1.1 patch
     
  2. eva2000

    Sweet, thanks for sharing. So is this your own patch, or is it sourced from somewhere? Citations? :)
     
  3. bassie

    Own simple patch with a few deleted upstream words.
    Not that hard to create.
     
  4. eva2000

    Ok, so we can refer to it as the bassie OpenSSL 1.1.1 Prioritize ChaCha20 patch :D
     
  5. bassie

    Refer to whatever you want.
     
  6. eva2000

    checking out your patch now
    logs
    Code (Text):
    log files saved at /root/centminlogs
    -rw-r--r--  1 root root  2.3K Oct  1 00:50 patch_opensslpatches_011018-005016.log
    -rw-r--r--  1 root root    44 Oct  1 00:51 centminmod_opensslinstalltime_011018-005016.log
    -rw-r--r--  1 root root  2.7K Oct  1 00:51 patch_patchnginx_011018-005016.log
    -rw-r--r--  1 root root  8.3K Oct  1 00:52 nginx-configure-011018-005016.log
    -rw-r--r--  1 root root   28K Oct  1 00:52 nginx_autoconf.err.011018-005016.log
    -rw-r--r--  1 root root  2.4M Oct  1 00:52 centminmod_123.09beta01.b061_011018-005016_nginx_upgrade.log
    

    patch_opensslpatches log - your patch is the last of the 4, enabled via the persistent config file /etc/centminmod/custom_config.inc by setting the variable below prior to the centmin.sh menu option 4 nginx compile run
    Code (Text):
    PRIORITIZE_CHACHA_OPENSSL='y'
    

    Code (Text):
    cat /root/centminlogs/patch_opensslpatches_011018-005016.log
    
    ######################################################################
    Patching OpenSSL 1.1.1
    ######################################################################
    Fix OpenSSL 1.1.1 broken SNI handshake patch
    https://github.com/openssl/openssl/issues/7244
    ######################################################################
    /svr-setup/openssl-1.1.1 /svr-setup/openssl-1.1.1
    patch -p1 < /usr/local/src/centminmod/patches/openssl/OpenSSL-1.1.1-sni-fix-delay-sig-algs.patch
    patching file ssl/statem/statem_srvr.c
    patching file test/sslapitest.c
    patching file test/ssltestlib.c
    patching file test/sslapitest.c
    /svr-setup/openssl-1.1.1
    
    
    ######################################################################
    Patching OpenSSL 1.1.1
    ######################################################################
    Reset TLS 1.3 ciphers in SSL_CTX_set_ssl_version() patch
    https://github.com/openssl/openssl/issues/7226
    ######################################################################
    /svr-setup/openssl-1.1.1 /svr-setup/openssl-1.1.1
    patch -p1 < /usr/local/src/centminmod/patches/openssl/OpenSSL-1.1.1-reset-tls1.3-ciphers-SSL_CTX_set_ssl_version.patch
    patching file ssl/ssl_lib.c
    /svr-setup/openssl-1.1.1
    
    
    ######################################################################
    Patching OpenSSL 1.1.1
    ######################################################################
    Fix the max psk len for TLSv1.3 patch
    https://github.com/openssl/openssl/issues/7261
    ######################################################################
    /svr-setup/openssl-1.1.1 /svr-setup/openssl-1.1.1
    patch -p1 < /usr/local/src/centminmod/patches/openssl/OpenSSL-1.1.1-tls13-fix-max-psk-len.patch
    patching file ssl/ssl_locl.h
    /svr-setup/openssl-1.1.1
    
    
    ######################################################################
    Patching OpenSSL 1.1.1
    ######################################################################
    bassie OpenSSL 1.1.1 Prioritize Chacha20 patch
    https://community.centminmod.com/threads/15708/
    ######################################################################
    /svr-setup/openssl-1.1.1 /svr-setup/openssl-1.1.1
    patch -p1 < /usr/local/src/centminmod/patches/openssl/OpenSSL1.1.1-prioritize-chacha-feature.patch
    patching file ssl/s3_lib.c
    /svr-setup/openssl-1.1.1
    


    But dev.ssllabs.com is not showing ChaCha20 cipher selection for Android 7? Does the nginx ssl_ciphers order matter for this patch?


    Adjusting the nginx vhost ssl_ciphers slightly, as it was missing the TLS 1.2 CHACHA20 ciphers, to the below:
    Code (Text):
    ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
    


    That worked :)

    But it seems more clients use CHACHA20 ciphers; is that intended with your patch?

    Or should I place the CHACHA20 TLS 1.2 ciphers further down the list in the ssl_ciphers order?

    Looks like I need to reorder the TLS 1.2 CHACHA20 ciphers:

    Code (Text):
    ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
    

    Now, as expected, only Android 7, with ChaCha20 at the top of its client preference list, uses ChaCha20 ciphers with your patch :)
     
    Last edited: Oct 1, 2018
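As an added example (not code from the thread, OpenSSL, nginx or Centmin Mod), the following Python model shows why the first ssl_ciphers order above handed ChaCha20 to every client while the reordered one gives it only to clients like Android 7 that list ChaCha20 first: with ssl_prefer_server_ciphers on, the prioritize ChaCha behaviour moves the server's ChaCha20 suites to the front of its list only when the client's first choice is ChaCha20. The shortened ssl_ciphers strings and the client preference lists are constructed assumptions.

```python
# Constructed model of TLS 1.2 cipher selection under nginx's ssl_prefer_server_ciphers
# with and without OpenSSL 1.1.1's "prioritize ChaCha" behaviour. Added example; not
# OpenSSL, nginx or Centmin Mod code. Cipher orders and client lists are assumptions.

CHACHA = "CHACHA20"

# Shortened versions of the two ssl_ciphers orders tried in the thread (constructed).
CHACHA_FIRST = ("ssl_ciphers TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:"
                "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:"
                "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:!DSS;")
CHACHA_LATER = ("ssl_ciphers TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
                "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
                "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:!DSS;")

# Constructed client preference lists (RSA certificate assumed, so only -RSA- suites).
CLIENTS = {
    "android7": ["ECDHE-RSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256",
                 "ECDHE-RSA-AES256-GCM-SHA384"],
    "desktop":  ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
                 "ECDHE-RSA-CHACHA20-POLY1305"],
}

def parse_ssl_ciphers(directive):
    """Ordered TLS 1.2 suites from an nginx ssl_ciphers value; TLS 1.3 suites and
    '!' exclusions are dropped because only the TLS 1.2 ordering matters here."""
    value = directive.split(None, 1)[1].rstrip(";")
    return [c for c in value.split(":") if not c.startswith(("TLS13-", "!"))]

def choose_cipher(server_prefs, client_prefs, prefer_server=True, prioritize_chacha=False):
    """First suite in the preferred list that the other side also offers.
    prioritize_chacha models the OpenSSL 1.1.1 behaviour: when the client's top
    choice is ChaCha20, the server's ChaCha20 suites are moved to the front of its
    own list for this handshake only, so they win even if listed last."""
    if not prefer_server:
        return next((c for c in client_prefs if c in server_prefs), None)
    prefs = list(server_prefs)
    if prioritize_chacha and client_prefs and CHACHA in client_prefs[0]:
        prefs = [c for c in prefs if CHACHA in c] + [c for c in prefs if CHACHA not in c]
    return next((c for c in prefs if c in client_prefs), None)

def negotiate_all(directive, prioritize_chacha=True):
    """Negotiated suite per client for one ssl_ciphers order (server preference on)."""
    server = parse_ssl_ciphers(directive)
    return {name: choose_cipher(server, prefs, True, prioritize_chacha)
            for name, prefs in CLIENTS.items()}

if __name__ == "__main__":
    for label, directive in (("chacha first", CHACHA_FIRST), ("chacha later", CHACHA_LATER)):
        print(label, negotiate_all(directive))
```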