Learn about Centmin Mod LEMP Stack today
Become a Member

SSL Nginx and LibreSSL alternative to OpenSSL

Discussion in 'Beta release code' started by eva2000, Jun 2, 2015.

  1. eva2000

    eva2000 Administrator Staff Member

    54,107
    12,179
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,738
    Local Time:
    4:45 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Trying my first attempt at compiling Centmin Mod's Nginx server with LibreSSL instead of static compiled OpenSSL. LibreSSL has native support for chacha20_poly1305 ciphers so no need to maintain or follow a OpenSSL 1.02a patched build. Will be trying ECC 256 bit and RSA 2048 bit self signed SSL certificates with this test Nginx + LibreSSL build.

    Another reason for trying LibreSSL is it has support for parallel make -jXX during source compilation while OpenSSL doesn't support parallel make right now. So OpenSSL and Nginx source compiles are slower than they need to be. If LibreSSL is used for Nginx SSL then, install, upgrades and recompiles should in theory be much faster than OpenSSL.

    LibreSSL Wikipedia
    This thread will be my work log for testing and findings for Nginx + LibreSSL :)

    eventually you will be able to switch between OpenSSL and LibreSSL just by recompiling Nginx via centmin.sh menu option 4.

    Code:
    --------------------------------------------------------
    Centmin Mod 1.2.3-eva2000.08 - http://centminmod.com
    --------------------------------------------------------
                       Centmin Mod Menu                
    --------------------------------------------------------
    1).  Centmin Install
    2).  Add Nginx vhost domain
    3).  NSD setup domain name DNS
    4).  Nginx Upgrade / Downgrade
    5).  PHP Upgrade / Downgrade
    6).  XCache Re-install
    7).  APC Cache Re-install
    8).  XCache Install
    9).  APC Cache Install
    10). Memcached Server Re-install
    11). MariaDB 5.2, 5.5, 10, 10.1 Upgrade Sub-Menu
    12). Zend OpCache Install/Re-install
    13). Install ioping.sh vbtechsupport.com/1239/
    14). SELinux disable
    15). Install/Re-install ImageMagick PHP Extension
    16). Change SSHD Port Number
    17). Multi-thread compression: pigz,pbzip2,lbzip2,p7zip etc
    18). Suhosin PHP Extension install
    19). Install FFMPEG and FFMPEG PHP Extension
    20). NSD Re-install
    21). Update - Nginx + PHP-FPM + Siege
    22). Add Wordpress Nginx vhost + WP Super Cache
    23). Update Centmin Mod Code Base
    24). Exit
    --------------------------------------------------------
    Enter option [ 1 - 24 ] 

     
    Last edited: Jun 2, 2015
  2. eva2000

    eva2000 Administrator Staff Member

    54,107
    12,179
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,738
    Local Time:
    4:45 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    LibreSSL 2.1.6 offered ciphers

    Code:
    /svr-setup/portable-2.1.6/.openssl/bin/openssl ciphers -V "ALL:COMPLEMENTOFALL"  
    
              0xCC,0x14 - ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=ChaCha20-Poly1305 Mac=AEAD
              0xCC,0x13 - ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=ChaCha20-Poly1305 Mac=AEAD
              0xCC,0x15 - DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=ChaCha20-Poly1305 Mac=AEAD
              0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
              0xC0,0x2C - ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
              0xC0,0x28 - ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
              0xC0,0x24 - ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
              0xC0,0x14 - ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
              0xC0,0x0A - ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
              0x00,0xA3 - DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
              0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
              0x00,0x6B - DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
              0x00,0x6A - DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256
              0x00,0x39 - DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
              0x00,0x38 - DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
              0xFF,0x85 - GOST2012256-GOST89-GOST89 SSLv3 Kx=GOST     Au=GOST01 Enc=GOST-28178-89-CNT Mac=GOST89IMIT
              0x00,0xC4 - DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA256
              0x00,0xC3 - DHE-DSS-CAMELLIA256-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=Camellia(256) Mac=SHA256
              0x00,0x88 - DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
              0x00,0x87 - DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(256) Mac=SHA1
              0x00,0x81 - GOST2001-GOST89-GOST89  SSLv3 Kx=GOST     Au=GOST01 Enc=GOST-28178-89-CNT Mac=GOST89IMIT
              0xC0,0x19 - AECDH-AES256-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
              0x00,0xA7 - ADH-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(256) Mac=AEAD
              0x00,0x6D - ADH-AES256-SHA256       TLSv1.2 Kx=DH       Au=None Enc=AES(256)  Mac=SHA256
              0x00,0x3A - ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
              0x00,0xC5 - ADH-CAMELLIA256-SHA256  TLSv1.2 Kx=DH       Au=None Enc=Camellia(256) Mac=SHA256
              0x00,0x89 - ADH-CAMELLIA256-SHA     SSLv3 Kx=DH       Au=None Enc=Camellia(256) Mac=SHA1
              0xC0,0x32 - ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
              0xC0,0x2E - ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
              0xC0,0x2A - ECDH-RSA-AES256-SHA384  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA384
              0xC0,0x26 - ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA384
              0xC0,0x0F - ECDH-RSA-AES256-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA1
              0xC0,0x05 - ECDH-ECDSA-AES256-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA1
              0x00,0x9D - AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
              0x00,0x3D - AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
              0x00,0x35 - AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
              0x00,0xC0 - CAMELLIA256-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA256
              0x00,0x84 - CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
              0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
              0xC0,0x2B - ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
              0xC0,0x27 - ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
              0xC0,0x23 - ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
              0xC0,0x13 - ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
              0xC0,0x09 - ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
              0x00,0xA2 - DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
              0x00,0x9E - DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
              0x00,0x67 - DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
              0x00,0x40 - DHE-DSS-AES128-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA256
              0x00,0x33 - DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
              0x00,0x32 - DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
              0x00,0xBE - DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA256
              0x00,0xBD - DHE-DSS-CAMELLIA128-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=Camellia(128) Mac=SHA256
              0x00,0x45 - DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
              0x00,0x44 - DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(128) Mac=SHA1
              0xC0,0x18 - AECDH-AES128-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(128)  Mac=SHA1
              0x00,0xA6 - ADH-AES128-GCM-SHA256   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(128) Mac=AEAD
              0x00,0x6C - ADH-AES128-SHA256       TLSv1.2 Kx=DH       Au=None Enc=AES(128)  Mac=SHA256
              0x00,0x34 - ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
              0x00,0xBF - ADH-CAMELLIA128-SHA256  TLSv1.2 Kx=DH       Au=None Enc=Camellia(128) Mac=SHA256
              0x00,0x46 - ADH-CAMELLIA128-SHA     SSLv3 Kx=DH       Au=None Enc=Camellia(128) Mac=SHA1
              0xC0,0x31 - ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
              0xC0,0x2D - ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
              0xC0,0x29 - ECDH-RSA-AES128-SHA256  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA256
              0xC0,0x25 - ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA256
              0xC0,0x0E - ECDH-RSA-AES128-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA1
              0xC0,0x04 - ECDH-ECDSA-AES128-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA1
              0x00,0x9C - AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
              0x00,0x3C - AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
              0x00,0x2F - AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
              0x00,0xBA - CAMELLIA128-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA256
              0x00,0x41 - CAMELLIA128-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1
              0x00,0x07 - IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
              0xC0,0x11 - ECDHE-RSA-RC4-SHA       SSLv3 Kx=ECDH     Au=RSA  Enc=RC4(128)  Mac=SHA1
              0xC0,0x07 - ECDHE-ECDSA-RC4-SHA     SSLv3 Kx=ECDH     Au=ECDSA Enc=RC4(128)  Mac=SHA1
              0xC0,0x16 - AECDH-RC4-SHA           SSLv3 Kx=ECDH     Au=None Enc=RC4(128)  Mac=SHA1
              0x00,0x18 - ADH-RC4-MD5             SSLv3 Kx=DH       Au=None Enc=RC4(128)  Mac=MD5
              0xC0,0x0C - ECDH-RSA-RC4-SHA        SSLv3 Kx=ECDH/RSA Au=ECDH Enc=RC4(128)  Mac=SHA1
              0xC0,0x02 - ECDH-ECDSA-RC4-SHA      SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=RC4(128)  Mac=SHA1
              0x00,0x05 - RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
              0x00,0x04 - RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
              0xC0,0x12 - ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1
              0xC0,0x08 - ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH     Au=ECDSA Enc=3DES(168) Mac=SHA1
              0x00,0x16 - EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
              0x00,0x13 - EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
              0xC0,0x17 - AECDH-DES-CBC3-SHA      SSLv3 Kx=ECDH     Au=None Enc=3DES(168) Mac=SHA1
              0x00,0x1B - ADH-DES-CBC3-SHA        SSLv3 Kx=DH       Au=None Enc=3DES(168) Mac=SHA1
              0xC0,0x0D - ECDH-RSA-DES-CBC3-SHA   SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
              0xC0,0x03 - ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=3DES(168) Mac=SHA1
              0x00,0x0A - DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
              0x00,0x15 - EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
              0x00,0x12 - EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS  Enc=DES(56)   Mac=SHA1
              0x00,0x1A - ADH-DES-CBC-SHA         SSLv3 Kx=DH       Au=None Enc=DES(56)   Mac=SHA1
              0x00,0x09 - DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
              0xC0,0x10 - ECDHE-RSA-NULL-SHA      SSLv3 Kx=ECDH     Au=RSA  Enc=None      Mac=SHA1
              0xC0,0x06 - ECDHE-ECDSA-NULL-SHA    SSLv3 Kx=ECDH     Au=ECDSA Enc=None      Mac=SHA1
              0xFF,0x87 - GOST2012256-NULL-STREEBOG256 SSLv3 Kx=GOST     Au=GOST01 Enc=None      Mac=STREEBOG256
              0x00,0x83 - GOST2001-NULL-GOST94    SSLv3 Kx=GOST     Au=GOST01 Enc=None      Mac=GOST94
              0xC0,0x15 - AECDH-NULL-SHA          SSLv3 Kx=ECDH     Au=None Enc=None      Mac=SHA1
              0xC0,0x0B - ECDH-RSA-NULL-SHA       SSLv3 Kx=ECDH/RSA Au=ECDH Enc=None      Mac=SHA1
              0xC0,0x01 - ECDH-ECDSA-NULL-SHA     SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=None      Mac=SHA1
              0x00,0x3B - NULL-SHA256             TLSv1.2 Kx=RSA      Au=RSA  Enc=None      Mac=SHA256
              0x00,0x02 - NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
              0x00,0x01 - NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5 
     
  3. eva2000

    eva2000 Administrator Staff Member

    54,107
    12,179
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,738
    Local Time:
    4:45 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Let's setup a Nginx vhost on Centmin Mod with self signed RSA 2048 bit SSL certificate for newdomain2.com

    self signed SSL certificate for Nginx + LibreSSL of course it ain't trusted :)

    newdomain2-selfsigned_00.png newdomain2-selfsigned_01.png

    Code:
    ./nginxssl_gen.sh
    
    ---------------------------------------------
    Enter vhost domain name you want to add (without www. prefix): newdomain2.com
    Do you want to setup an Nginx SSL SPDY Vhost https:// based domain? [y/n] y
    Do you want to auto generate the CSR Code (Certificate Signing Request)? [y/n] y
    Auto generate self-signed SSL certificate (y) or setup a purchased SSL Certifcate [n] ? [y/n] y
    ----------------------------------------------------------------------
      RSA 4096 bit key = y Answer = n for 2048 bit key [y/n] n
    
      Generating private key and CSR Code files
      will require user input...
      openssl req -new -sha256 -newkey rsa:2048 -nodes -out newdomain2.com.csr -keyout newdomain2.com.key
    Generating a 2048 bit RSA private key
    ....+++
    ..................+++
    writing new private key to 'newdomain2.com.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:AU
    State or Province Name (full name) []:QLD
    Locality Name (eg, city) [Default City]:BRIBSANE
    Organization Name (eg, company) [Default Company Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:newdomain2.com
    Email Address []:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
      self-signed crt generation option:
      openssl x509 -req -days 3650 -sha256 -in newdomain2.com.csr -signkey newdomain2.com.key -out newdomain2.com.crt
    Signature ok
    subject=/C=AU/ST=QLD/L=BRIBSANE/O=Default Company Ltd/CN=newdomain2.com
    Getting Private key
    openssl s_client -connect newdomain2.com:443 -tls1_2 -tlsextdebug -status
    socket: Connection timed out
    connect:errno=110
    
    ----------------------------------------------------------------------
      Your private key (newdomain2.com.key )and CSR code (newdomain2.com.csr)
      has been generated at:
      /usr/local/nginx/conf/ssl/newdomain2.com
    total 12K
    drwxr-xr-x  2 root root   81 Jun  2 07:19 .
    drwxr-xr-x. 4 root root   65 Jun  2 07:18 ..
    -rw-r--r--  1 root root 1.2K Jun  2 07:19 newdomain2.com.crt
    -rw-r--r--  1 root root 1001 Jun  2 07:19 newdomain2.com.csr
    -rw-r--r--  1 root root 1.7K Jun  2 07:19 newdomain2.com.key
    ----------------------------------------------------------------------
    
    
    ---------------------------------------------
    Reloading nginx configuration (via systemctl):             [  OK  ]
    
    ---------------------------------------------
    vhost for newdomain2.com created successfully
    vhost conf file for newdomain2.com created: /usr/local/nginx/conf/conf.d/newdomain2.com.conf
    upload files to /home/nginx/domains/newdomain2.com/public
    vhost log files directory is /home/nginx/domains/newdomain2.com/log
    SSL files directory is /usr/local/nginx/conf/ssl/newdomain2.com
    
    Current vhost listing at: /usr/local/nginx/conf/conf.d/
                         
    Jun 1   19:23   1.1K   demodomain.com.conf
    Jun 1   19:23   845    ssl.conf
    Jun 1   19:34   1.4K   virtual.conf
    Jun 2   07:08   2.8K   newdomain1.com.conf
    Jun 2   07:19   2.8K   newdomain2.com.conf
    ---------------------------------------------
    
    testing newdomain2.com's ciphers
    Code:
    OPENSSLBIN=/svr-setup/portable-2.1.6/.openssl/bin/openssl ./cipherscan newdomain2.com     
    ....................
    Target: newdomain2.com:443
    
    prio  ciphersuite                  protocols              pfs                 curves
    1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits  prime256v1
    2     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-256,256bits  prime256v1
    3     DHE-RSA-AES128-GCM-SHA256    TLSv1.2                DH,1024bits         None
    4     DHE-RSA-AES256-GCM-SHA384    TLSv1.2                DH,1024bits         None
    5     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-256,256bits  prime256v1
    6     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
    7     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-256,256bits  prime256v1
    8     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
    9     DHE-RSA-AES128-SHA256        TLSv1.2                DH,1024bits         None
    10    DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,1024bits         None
    11    DHE-RSA-AES256-SHA256        TLSv1.2                DH,1024bits         None
    12    DHE-RSA-AES256-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,1024bits         None
    13    AES128-GCM-SHA256            TLSv1.2                None                None
    14    AES256-GCM-SHA384            TLSv1.2                None                None
    15    AES128-SHA256                TLSv1.2                None                None
    16    AES256-SHA256                TLSv1.2                None                None
    17    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
    18    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
    19    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2  None                None
    
    Certificate: UNTRUSTED, 2048 bit, sha1WithRSAEncryption signature
    TLS ticket lifetime hint: 43200
    OCSP stapling: not supported
    Cipher ordering: server
    cipherscan analyze
    Code:
    OPENSSLBIN=/svr-setup/portable-2.1.6/.openssl/bin/openssl ./analyze.py -t newdomain2.com
    newdomain2.com:443 has bad ssl/tls
    
    Things that are bad:
    * don't use an untrusted or self-signed certificate
    
    Changes needed to match the old level:
    * consider enabling SSLv3
    * consider enabling OCSP Stapling
    
    Changes needed to match the intermediate level:
    * consider using a SHA-256 certificate
    * consider using DHE of at least 2048bits and ECC of at least 256bits
    * consider enabling OCSP Stapling
    
    Changes needed to match the modern level:
    * remove cipher AES128-GCM-SHA256
    * remove cipher AES256-GCM-SHA384
    * remove cipher AES128-SHA256
    * remove cipher AES256-SHA256
    * remove cipher AES128-SHA
    * remove cipher AES256-SHA
    * remove cipher DES-CBC3-SHA
    * disable TLSv1
    * use a SHA-256 certificate
    * use DHE of at least 2048bits and ECC of at least 256bits
    * consider enabling OCSP Stapling
     
    Last edited: Jun 2, 2015
  4. eva2000

    eva2000 Administrator Staff Member

    54,107
    12,179
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,738
    Local Time:
    4:45 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    now let's chacha = chacha20_poly1305 native cipher support thanks to LibreSSL :D

    Add 2 additional ciphers to your ssl_ciphers in newdomain2.com.conf vhost config file

    Code:
    ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:
    newdomain2-selfsigned_chacha20_00.png
     
  5. eva2000

    eva2000 Administrator Staff Member

    54,107
    12,179
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,738
    Local Time:
    4:45 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Let's try setting up ECC 256 bit self signed SSL certificate with chacha20_poly1305 on newdomain3.com

    ECDHE_ECDSA key exchange = ECC 256 bit SSL

    newdomain3-selfsigned_chacha20_ecdsa_00.png newdomain3-selfsigned_chacha20_ecdsa_01.png

    Code:
    ./nginxssl_gen.sh                                    
    
    ---------------------------------------------
    Enter vhost domain name you want to add (without www. prefix): newdomain3.com
    Do you want to setup an Nginx SSL SPDY Vhost https:// based domain? [y/n] y
    Do you want to auto generate the CSR Code (Certificate Signing Request)? [y/n] y
    Auto generate self-signed SSL certificate (y) or setup a purchased SSL Certifcate [n] ? [y/n] y
    ----------------------------------------------------------------------
    There are types of CSR Codes you can generate
    1). The standard RSA 2048 bit key based CSR Code
    2). The newer performant ECC 256bit key based CSR Code
    ----------------------------------------------------------------------
      ECC = Elliptic Curve Cryptography
      ECC key based has smaller key sizes, more secure etc
      ECC 256bit key is equivalent to a RSA 3072bit key
      ECC key based CSR Code NEEDS a SSL certificate which
      supports ECC however not all SSL certificates support
      ECC key based generated CSR Codes. Some browsers may
      also NOT support ECC.
    
      Please consult with your SSL certificate provider or
      if unsure, choose the standard RSA 2048 bit key
      based CSR Code method.
    
      Do you want to generate a ECC 256 bit key based CSR Code?
      Answer = y for ECC or = n for standard RSA key based [y/n] y
    ----------------------------------------------------------------------
    
    ----------------------------------------------------------------------
      Generating private key and CSR Code files
    newdomain3.com with ECC 256 bit has much smaller key sizes :D

    Code:
    ls -lah newdomain2.com/ newdomain3.com/
    newdomain2.com/:
    total 12K
    drwxr-xr-x  2 root root   81 Jun  2 07:19 .
    drwxr-xr-x. 5 root root   86 Jun  2 07:41 ..
    -rw-r--r--  1 root root 1.2K Jun  2 07:19 newdomain2.com.crt
    -rw-r--r--  1 root root 1001 Jun  2 07:19 newdomain2.com.csr
    -rw-r--r--  1 root root 1.7K Jun  2 07:19 newdomain2.com.key
    
    newdomain3.com/:
    total 12K
    drwxr-xr-x  2 root root  81 Jun  2 07:41 .
    drwxr-xr-x. 5 root root  86 Jun  2 07:41 ..
    -rw-r--r--  1 root root 660 Jun  2 07:41 newdomain3.com.crt
    -rw-r--r--  1 root root 469 Jun  2 07:41 newdomain3.com.csr
    -rw-r--r--  1 root root 302 Jun  2 07:41 newdomain3.com.key
     
    Last edited: Jun 2, 2015
  6. eva2000

    eva2000 Administrator Staff Member

    54,107
    12,179
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,738
    Local Time:
    4:45 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Centmin Mod .08 beta03 Nginx vhost statistics thanks to @vozlt 's wonderful Nginx addon :D

    nginx_vhoststats.png
     
  7. rdan

    rdan Well-Known Member

    5,443
    1,402
    113
    May 25, 2014
    Ratings:
    +2,194
    Local Time:
    2:45 AM
    Mainline
    10.2
    But limited OS and Browser support right?
     
  8. eva2000

    eva2000 Administrator Staff Member

    54,107
    12,179
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,738
    Local Time:
    4:45 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    yup limited to moden OSes so no WinXP basically see Nginx - Centmin Mod Nginx VHOST SPDY SSL Generator testing and info on my ECC 256 bit test site at sslspdy.com (oh i should switch the sslspdy.com site to LibreSSL too)

    Another alternative to OpenSSL and LibreSSL is BoringSSL - Google unveils independent “fork” of OpenSSL called “BoringSSL” it has equal preference cipher group support - meaning you can have 2 SSL certificates one RSA 2048 and one ECC 256 bit for same domain and serve RSA 2048 SSL to older OSes and serve ECC 256bit to newer OSes. incorrect assumption ignore

    But BoringSSL doesn't support OSCP Stapling as Google believes OSCP is flawed.
     
    Last edited: Jun 3, 2015
  9. rdan

    rdan Well-Known Member

    5,443
    1,402
    113
    May 25, 2014
    Ratings:
    +2,194
    Local Time:
    2:45 AM
    Mainline
    10.2
    How? I would like to apply it :D.
    Then I must purchase another premium SSL for this right?
     
  10. eva2000

    eva2000 Administrator Staff Member

    54,107
    12,179
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,738
    Local Time:
    4:45 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    only supported in BoringSSL not OpenSSL or LibreSSL

    yeah you'd need 2x SSL certificates one with the CSR generated for RSA 2048bit and one for ECC 256bit CSR (that's part of the exercise in creating my nginx vhost + ssl generator - supports both RSA/ECC based CSR generation) and then give that to SSL certificate provider that supports ECC 256bit SSL certificates - incorrect assumption ignore
    I only know for certain Comodo and Symantec as supporting ECC 256bit SSL certificates.
     
    Last edited: Jun 3, 2015
  11. rdan

    rdan Well-Known Member

    5,443
    1,402
    113
    May 25, 2014
    Ratings:
    +2,194
    Local Time:
    2:45 AM
    Mainline
    10.2
    What about on Nginx Config, How will it look like?
     
  12. eva2000

    eva2000 Administrator Staff Member

    54,107
    12,179
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,738
    Local Time:
    4:45 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    pretty much the same just boringssl would have grouped equal preference ciphers in brackets
    Code:
    ssl_ciphers [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]:[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]:ECDHE-ECDSA-AES256-GCM-SHA384:
     
  13. rdan

    rdan Well-Known Member

    5,443
    1,402
    113
    May 25, 2014
    Ratings:
    +2,194
    Local Time:
    2:45 AM
    Mainline
    10.2
    and also How do you declare two instances for ssl_certificate, ssl_certificate_key and ssl_trusted_certificate.
    That will auto select based on visitors capability.
     
  14. eva2000

    eva2000 Administrator Staff Member

    54,107
    12,179
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,738
    Local Time:
    4:45 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    haven't got that far in my research :LOL:
     
  15. rdan

    rdan Well-Known Member

    5,443
    1,402
    113
    May 25, 2014
    Ratings:
    +2,194
    Local Time:
    2:45 AM
    Mainline
    10.2
    I will try to search on it :)
    Thanks Eva.
     
  16. eva2000

    eva2000 Administrator Staff Member

    54,107
    12,179
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,738
    Local Time:
    4:45 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    actually i may be mistaken, the equal preference ciphers only allows for the same SSL certificate generated from the single CSR either RSA or ECC, it's just a preference between say chacha20 and non chacha20

    so for ECC = ECDSA
    Code:
    ssl_ciphers [ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256]
    the idea being chacha20 is faster than AES on mobile devices but on non-mobile with AES-NI support, it maybe that AES cipher faster than chacha20 too. So the client device negotiates it's best preference
     
    Last edited: Jun 3, 2015
  17. eva2000

    eva2000 Administrator Staff Member

    54,107
    12,179
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,738
    Local Time:
    4:45 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Just finished a new Centmin Mod 123.08beta03libressl branch (private repo right now) with added LibreSSL support for Nginx. Going to test it out :)

    upload_2015-6-3_16-44-30.png
     
  18. rdan

    rdan Well-Known Member

    5,443
    1,402
    113
    May 25, 2014
    Ratings:
    +2,194
    Local Time:
    2:45 AM
    Mainline
    10.2
    But no OCSP support?
     
  19. eva2000

    eva2000 Administrator Staff Member

    54,107
    12,179
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,738
    Local Time:
    4:45 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    OpenSSL and LibreSSL has OCSP just not BoringSSL
     
  20. eva2000

    eva2000 Administrator Staff Member

    54,107
    12,179
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,738
    Local Time:
    4:45 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Posted an experimental 123.08beta03libressl branch of Centmin Mod that has support for Nginx + LibreSSL instead of using OpenSSL. The single variable in centmin.sh that controls whether LibreSSL is used or OpenSSL is:
    Code:
    LIBRESSL_SWITCH='y'
    it defaults to enabled for 123.08beta03libressl branch

    To try it out for fresh install, the following same steps with just branchname= variable set to 123.08beta03libressl branch name
    Code:
    yum -y install wget nano bc unzip
    branchname=123.08beta03libressl
    wget -O /usr/local/src/${branchname}.zip https://github.com/centminmod/centminmod/archive/${branchname}.zip
    cd /usr/local/src
    unzip ${branchname}.zip
    cd centminmod-${branchname}
    chmod +x centmin.sh
    
    Then to install either type

    for menu mode
    Code:
    ./centmin.sh
    
    or for CLI install mode
    Code:
    ./centmin.sh install
    

    Nginx 1.9.1 with LibreSSL with



    centmin.sh variable set to
    Code:
    LIBRESSL_SWITCH='y'

    Nginx 1.9.1 with OpenSSL with



    centmin.sh variable set to
    Code:
    LIBRESSL_SWITCH='n'