
Nginx [nginx-announce] nginx-1.9.12

Discussion in 'Nginx and PHP-FPM news & discussions' started by eva2000, Feb 25, 2016.

  1. Revenge

    Revenge Active Member

    It doesn't say old. Here it is:
    Screenshot 2016-02-25 01.08.33.png

    Screenshot 2016-02-25 01.09.19.png
     
  2. eva2000

    eva2000 Administrator Staff Member

  3. Revenge

    Revenge Active Member

  4. BobbyWibowo

    BobbyWibowo Active Member

  5. Revenge

    Revenge Active Member

  6. eva2000

    eva2000 Administrator Staff Member

  7. ModeltogTossen

    ModeltogTossen I wish I could??

    I got this at the dev ssllab:

    upload_2016-2-25_7-30-17.png
     
  8. eva2000

    eva2000 Administrator Staff Member

    was a few more fixes in 123.09beta01 ;)
     
  9. ModeltogTossen

    ModeltogTossen I wish I could??

    Right @eva2000 - was some readings behind..

    Also here - with the dev ssltest site - I got this old_ prefix ..

    upload_2016-2-25_8-20-0.png
     
  10. Revenge

    Revenge Active Member

    I just compiled 1.9.12 against LibreSSL 2.3.2.

    Dev SSLabs only shows the old chacha, which means that even the newer version of libreSSL is not using the new chacha.
     
  11. eva2000

    eva2000 Administrator Staff Member

  12. BobbyWibowo

    BobbyWibowo Active Member

    Testssl is reporting that my site is providing Triple DES Ciphers. So yesterday I went to take a look at my main domain's conf and compared it with a new domain's conf. I figured out that my main domain's conf didn't have:
    Code:
    !DES-CBC3-SHA
    on the ssl_ciphers directive. So I added that and restarted my nginx, but even after nearly 24 hours after I committed that change and restarted nginx, testssl is still reporting that my site is providing this cipher:
    Code:
    ECDHE-ECDSA-DES-CBC3-SHA (xc008)
    Is it because of Cloudflare? My site is also providing this chacha cipher:
    Code:
    ECDHE-ECDSA-CHACHA20-POLY1305 (xcc14)
    although I had:
    Code:
    EECDH+CHACHA20-draft
    and
    Code:
    EECDH+CHACHA20
    on ssl_ciphers directive.

    On a side note, that chacha cipher is being used on my desktop browser instead (using Chrome on Windows 10):
    chacha20.png
    even though it'll use AES_128_GCM for community.centminmod.com:
    chacha20_centmin.png
     
  13. eva2000

    eva2000 Administrator Staff Member

    it's because cloudflare and my Centmin Mod default template ssl_ciphers still allow for DES as it's still used for WinXP. You can add
    Code:
    !3DES
    to disable DES
    even cloudflare own site does this use old chacha Nginx - [nginx-announce] nginx-1.9.12 | Page 2 | Centmin Mod Community so don't worry about it heh
     
  14. BobbyWibowo

    BobbyWibowo Active Member

    But I have:
    Code:
    !DES-CBC3-SHA
    on ssl_ciphers directive, wouldn't that prevent:
    Code:
    ECDHE-ECDSA-DES-CBC3-SHA (xc008)
    from being added already? Since that particular cipher has DES-CBC3-SHA. Testssl was only reporting that particular cipher as 3DES.
    Here's the full list of ciphers used on my site btw:
    Code:
    Hexcode  Cipher Suite Name (OpenSSL)    KeyExch.   Encryption Bits        Cipher Suite Name (RFC)
    -----------------------------------------------------------------------------------------------------------------------
    xcc14   ECDHE-ECDSA-CHACHA20-POLY1305  ECDH 256   ChaCha20   256         TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256   
    xc02c   ECDHE-ECDSA-AES256-GCM-SHA384  ECDH 256   AESGCM     256         TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384         
    xc024   ECDHE-ECDSA-AES256-SHA384      ECDH 256   AES        256         TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384         
    xc00a   ECDHE-ECDSA-AES256-SHA         ECDH 256   AES        256         TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA             
    xc02b   ECDHE-ECDSA-AES128-GCM-SHA256  ECDH 256   AESGCM     128         TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256         
    xc023   ECDHE-ECDSA-AES128-SHA256      ECDH 256   AES        128         TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256         
    xc009   ECDHE-ECDSA-AES128-SHA         ECDH 256   AES        128         TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA             
    xc008   ECDHE-ECDSA-DES-CBC3-SHA       ECDH 256   3DES       168         TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA  
    Also, will you please post the settings you use for ssl_ciphers directive for Centmin Mod site?
    I was only concerned since Chrome on Windows preferred that cipher. Oh right, Chrome on Android 4.4.4 also used Chacha for my site. But oh well.

    UPDATE: Cloudflare will use its own ssl_ciphers directive to communicate with clients. Their ssl settings are available here: sslconfig/conf at master · cloudflare/sslconfig · GitHub
    So, my ssl_ciphers directive will only be used to communicate between my server and Cloudflare, while communication between client and Cloudflare will use Cloudflare's setting. Well, kinda expected that.
     
    Last edited: Feb 28, 2016
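
An added example, not part of any post in this thread: a small Python audit of a testssl cipher table like the one above, flagging 3DES suites and the "old" ChaCha20-Poly1305 suites by code point. The code-point ranges are IANA/RFC 7905 values rather than anything stated in the thread, and the function names are hypothetical; as the UPDATE above notes, a scan of a hostname proxied by Cloudflare shows Cloudflare's cipher list, so the origin has to be scanned directly to check its own `ssl_ciphers`.

```python
import re

# Constructed sample: header, separator and three rows in the layout of the
# testssl table posted above (the rows are copied from that post).
SAMPLE = """\
Hexcode  Cipher Suite Name (OpenSSL)    KeyExch.   Encryption Bits        Cipher Suite Name (RFC)
-------------------------------------------------------------------------------
xcc14   ECDHE-ECDSA-CHACHA20-POLY1305  ECDH 256   ChaCha20   256         TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
xc02b   ECDHE-ECDSA-AES128-GCM-SHA256  ECDH 256   AESGCM     128         TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
xc008   ECDHE-ECDSA-DES-CBC3-SHA       ECDH 256   3DES       168         TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
"""

# Assumption (not from the thread): 0xCC13-0xCC15 are the pre-standard draft
# ChaCha20-Poly1305 code points; RFC 7905 standardized 0xCCA8-0xCCAA.
DRAFT_CHACHA = range(0xCC13, 0xCC16)
RFC7905_CHACHA = range(0xCCA8, 0xCCAB)


def parse_row(line):
    """Return (code, openssl_name, encryption, bits), or None for non-data lines."""
    parts = line.split()
    if len(parts) < 6 or not re.fullmatch(r"x[0-9a-fA-F]+", parts[0]):
        return None  # header, separator or unrelated text
    if not parts[-2].isdigit():
        return None
    # The key-exchange column may be one or two tokens, so index from the right.
    return int(parts[0][1:], 16), parts[1], parts[-3], int(parts[-2])


def classify(code, encryption):
    """Label one suite by its code point and encryption column."""
    if encryption == "3DES":
        return "3des"
    if code in DRAFT_CHACHA:
        return "draft-chacha20"
    if code in RFC7905_CHACHA:
        return "rfc7905-chacha20"
    return "ok"


def audit(table_text):
    """List (openssl_name, label) for suites an operator should review."""
    rows = filter(None, map(parse_row, table_text.splitlines()))
    labelled = ((name, classify(code, enc)) for code, name, enc, _ in rows)
    return [(n, l) for n, l in labelled if l in ("3des", "draft-chacha20")]


if __name__ == "__main__":
    for name, label in audit(SAMPLE):
        print(f"{label:16} {name}")
```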
  15. eva2000

    eva2000 Administrator Staff Member

    confirmed reverting that 1.9.12 change allows LibreSSL to compile against 1.9.12

    I'm adding an update to Centmin Mod 123.09beta01 to do just that when LIBRESSL_SWITCH='y' is set: update inc/nginx_configure.inc workaround for LibreSSL · centminmod/centminmod@bcbdced · GitHub :D

    @RoldanLT might like this :)

    edit: looks like libressl might be dealing with it at their end too: Add make install_sw support · Issue #174 · libressl-portable/portable · GitHub
     
    Last edited: Mar 4, 2016
  16. BobbyWibowo

    BobbyWibowo Active Member

    Will it support dynamic modules (specifically brotli and PageSpeed) just fine?
     
  17. eva2000

    eva2000 Administrator Staff Member

    look at my Nginx -V output there's dynamic nginx modules loaded :D
     
  18. BobbyWibowo

    BobbyWibowo Active Member

    Ah, great! I was on phone and there was too much text for my eyes, lmao
     
  19. Sunka

    Sunka Well-Known Member

    So basically, we can switch to libreSSL again?
    Just add LIBRESSL_SWITCH='y' here:
    Code:
    [root@tvor-ocean ~]# cat /etc/centminmod/custom_config.inc
    NGINX_LIBBROTLI=y # Brotly extension
    NGXDYNAMIC_BROTLI=y # Brotly dynamic module extension
    NGINX_PAGESPEED=n # nginx page speed
    NGXDYNAMIC_NGXPAGESPEED=n # nginx dynamic page speed
    PHP_MEMCACHE=n # memcache PHP extension
    PHP_MEMCACHED=n # memcached PHP extension
    Any known errors with libressl and future nginx (1.9.13) update?
     
  20. eva2000

    eva2000 Administrator Staff Member

    yup

    no idea of issues for nginx versions not yet released heh

    but with openssl 1.02g released, i was expecting something like libressl 2.2.7 release, but still 2.2.6 so not sure if libressl 2.2.6 is subject to same security flaws openssl 1.0.2f and lower were