SSL Nginx and LibreSSL alternative to OpenSSL

Discussion in 'Beta release code' started by eva2000, Jun 2, 2015.

  1. rdan

    rdan Well-Known Member

    The only thing that is useful with this is having ChaCha/Poly cipher right?

     
  2. eva2000

    eva2000 Administrator Staff Member

    Read "LibreSSL - Wikipedia, the free encyclopedia" and google for libressl vs openssl. LibreSSL is meant to be more secure, with less legacy code (over 90k lines of code were removed from LibreSSL, which is a fork of OpenSSL, etc.).
     
  3. eva2000

    eva2000 Administrator Staff Member

    First live site of mine to switch to Centmin Mod .08 beta03 + LibreSSL branch is sslspdy.com, which is a test site for ECC 256 bit SSL certificates :)

    sslspdycom_libressl_ecc_chacha20.png
     
  4. Cr0w

    Cr0w Member

    Good news, I've got a question:
    is this LibreSSL totally free?
    For example, can I make an SSL for my own website without buying anything?

    And something else:
    I'm using Cloudflare Free SSL. Is that recommended?
    It's using SSLSPDY
     
  5. eva2000

    eva2000 Administrator Staff Member

    no no.. OpenSSL, LibreSSL and BoringSSL are what allow Nginx to support HTTPS - nothing to do with SSL certificates themselves. You need to buy your SSL certificates still :)
     
  6. Cr0w

    Cr0w Member

    OK, I will buy it, but answer my second question please?
     
  7. eva2000

    eva2000 Administrator Staff Member

    Nice threads to read on Cloudflare: "cloudflare ssl | Centmin Mod Community" and particularly "SSL - Cloudflare free SSL in mid-October | Page 3 | Centmin Mod Community". One negative of Cloudflare free SSL is that it uses ECC 256 bit and not all tools support it, i.e. curl

    Cloudflare Free SSL isn't full SSL as it only protects traffic between Cloudflare proxy/your site and visitors. The connection between Cloudflare and your site is unencrypted/unprotected unless you have Full Strict Cloudflare SSL which means you still need an SSL certificate on your site itself so that Cloudflare connection to your server is encrypted/protected.

    For SSL certificate specific questions best to ask at Domains, DNS, Email & SSL Certificates | Centmin Mod Community
     
    Last edited: Jun 4, 2015
  8. eva2000

    eva2000 Administrator Staff Member

    Merged 123.08beta03-libresslclang branch into official 123.08beta03 branch so everyone can have some fun beta testing the much faster install and more secure Nginx compiled with LibreSSL by default with chacha20_poly1305 cipher support natively included in LibreSSL :D

    June 10th commits Commits · centminmod/centminmod · GitHub

    test it guys !!! see if we can be on track for .08 stable release by end of this month :D
     
  9. Jemekite

    Jemekite New Member

    It works, even with free SSL :D
     
    Last edited: Jun 11, 2015
  10. eva2000

    eva2000 Administrator Staff Member

    thanks for the testing and confirmation feedback @Jemekite :)
     
  11. eva2000

    eva2000 Administrator Staff Member

    Currently Centmin Mod uses LibreSSL 2.1.6. Soon 2.2.0 will be out (currently in pre-release dev build status) at LibreSSL - FreeBSD Wiki

    note they have disabled SSLv3 by default in LibreSSL 2.2.0

    Code:
    Address POODLE attack by disabling SSLv3 by default.

    testing LibreSSL 2.2.0 pre-release - it has a different download url filename than 2.1.6, so you need to manually download and rename via wget the file in /svr-setup. One liner command to do that before running Nginx recompile via centmin.sh menu option 4

    Code:
    wget -O /svr-setup/libressl-portable-v2.2.0.tar.gz https://github.com/libressl-portable/portable/archive/2.2.0.tar.gz

    end result
     
    Last edited: Jun 11, 2015
  12. Jemekite

    Jemekite New Member

    Rebuilding my live server :D

    Code:
    nginx version: nginx/1.9.1
    built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
    built with LibreSSL 2.2.0
    TLS SNI support enabled
    configure arguments: --with-ld-opt='-lrt -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-m64 -mtune=native -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations -Wno-unused-parameter -Wno-unused-const-variable -Wno-conditional-uninitialized -Wno-mismatched-tags -Wno-c++11-extensions -Wno-sometimes-uninitialized -Wno-parentheses-equality -Wno-tautological-compare -Wno-self-assign' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-http_ssl_module --with-http_gzip_static_module --with-http_stub_status_module --with-http_sub_module --with-http_addition_module --with-http_image_filter_module --with-http_secure_link_module --with-http_flv_module --with-http_realip_module --with-http_geoip_module --with-openssl-opt=enable-tlsext --add-module=../ngx-fancyindex-ngx-fancyindex --add-module=../ngx_cache_purge-2.3 --add-module=../headers-more-nginx-module-0.25 --add-module=../nginx-accesskey-2.0.3 --add-module=../nginx-http-concat-master --with-http_dav_module --add-module=../nginx-dav-ext-module-0.0.3 --add-module=../openresty-memc-nginx-module-1518da4 --add-module=../openresty-srcache-nginx-module-ffa9ab7 --add-module=../ngx_devel_kit-0.2.19 --add-module=../set-misc-nginx-module-0.28 --add-module=../echo-nginx-module-0.57 --add-module=../lua-nginx-module-0.9.16rc1 --add-module=../lua-upstream-nginx-module-0.02 --add-module=../lua-upstream-cache-nginx-module-0.1.1 --add-module=../nginx_upstream_check_module-0.3.0 --add-module=../nginx-module-vts --with-openssl=../portable-2.2.0 --with-libatomic --with-threads --with-stream --with-stream_ssl_module --with-pcre=../pcre-8.37 --with-pcre-jit --with-http_spdy_module --add-module=../ngx_pagespeed-release-1.9.32.3-beta
    
     
  13. eva2000

    eva2000 Administrator Staff Member

    nice thanks for testing and confirmation :D
     
  14. eva2000

    eva2000 Administrator Staff Member

    This forum has been updated to Centmin Mod .08 beta 03 latest with Nginx compiled with Clang compiler (up to 20% faster installs!) and LibreSSL 2.2.0 support. For LibreSSL 2.2.0 have to manually download it from master branch as it's not available as a tagged release on github yet as outlined at Security - OpenSSL 1.0.2c & LibreSSL 2.2.0 Released & Updating Centmin Mod Nginx SSL Support

    Code:
    wget -O /svr-setup/libressl-portable-v2.2.0.tar.gz https://github.com/libressl-portable/portable/archive/master.tar.gz
    cd /svr-setup
    tar xvzf libressl-portable-v2.2.0.tar.gz
    mv /svr-setup/portable-master /svr-setup/portable-2.2.0
     
    Last edited: Jun 14, 2015
  15. rdan

    rdan Well-Known Member

  16. eva2000

    eva2000 Administrator Staff Member

  17. Jemekite

    Jemekite New Member

    LibreSSL has released v2.2.1

    Changelog:
    So far it works by editing centmin.sh ;)
    Code:
    [root@panel centminmod]# nginx -V
    nginx version: nginx/1.9.2
    built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
    built with LibreSSL 2.2.1
    TLS SNI support enabled
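
The `nginx -V` banners posted in this thread are what confirm which TLS library a rebuild actually linked. The following is an added example, not part of any post above and not Centmin Mod's own code: it reads such a banner and reports the library, whether it is at or past the LibreSSL 2.2.0 release that the quoted changelog says disables SSLv3 by default, SNI support, and the `--with-openssl` source directory. The function names and the key=value output are hypothetical; `BANNER_220` is trimmed from the output posted above and `BANNER_216` is constructed.

```shell
# Added example: audit the TLS library reported in an `nginx -V` banner.
# BANNER_220 is trimmed from the thread's output; BANNER_216 is constructed.
BANNER_220='nginx version: nginx/1.9.1
built with LibreSSL 2.2.0
TLS SNI support enabled
configure arguments: --with-http_ssl_module --with-openssl-opt=enable-tlsext --with-openssl=../portable-2.2.0'
BANNER_216='nginx version: nginx/1.9.1
built with LibreSSL 2.1.6
configure arguments: --with-http_ssl_module --with-openssl=../portable-2.1.6'

# Print "<library> <version>" taken from the "built with" line.
tls_library() {
    printf '%s\n' "$1" |
        sed -n 's/^built with \([A-Za-z]*\) \([0-9][0-9A-Za-z.]*\).*/\1 \2/p' | head -n 1
}

# version_ge A B: succeed when dotted version A >= B (first three fields).
version_ge() {
    a=$1 b=$2
    for n in 1 2 3; do
        x=${a%%.*}; y=${b%%.*}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}   # drop letter suffixes such as "2c"
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a=0 ;; esac
        case $b in *.*) b=${b#*.} ;; *) b=0 ;; esac
    done
    return 0
}

# Print key=value findings for one banner.
audit_banner() {
    lib=$(tls_library "$1")
    [ -n "$lib" ] || { echo "tls=unknown"; return 1; }
    name=${lib%% *}; ver=${lib#* }
    echo "tls=$name/$ver"
    # Per the changelog quoted above, LibreSSL 2.2.0 disables SSLv3 by default.
    if [ "$name" = LibreSSL ] && version_ge "$ver" 2.2.0; then sslv3=off-by-default; else sslv3=verify-ssl_protocols; fi
    if printf '%s\n' "$1" | grep -q '^TLS SNI support enabled'; then sni=enabled; else sni=missing; fi
    # The source directory is only a label (it can be renamed), so it is reported separately.
    src=$(printf '%s\n' "$1" | sed -n 's/.*--with-openssl=\([^ ]*\).*/\1/p' | head -n 1)
    printf 'sslv3=%s\nsni=%s\nsource_dir=%s\n' "$sslv3" "$sni" "${src:-none}"
}

# Live use: audit_banner "$(nginx -V 2>&1)"   (nginx writes this banner to stderr)
audit_banner "$BANNER_220"
```

The "built with" line is the value to trust: the directory passed to `--with-openssl` is whatever the unpacked source was renamed to, as in the `mv` step earlier in the thread.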