Nginx - No longer needed workaround for BoringSSL

Discussion in 'Nginx and PHP-FPM news & discussions' started by buik, Aug 23, 2016.

  1. buik

    Maybe you can sprinkle the magic of Australia to speed up the process a bit. :)

     
  2. eva2000

  3. nfn

    Hi

    Sorry about bringing this thread back to life, but I have successfully compiled nginx with BoringSSL and I have these two questions:

    What are the disadvantages of using BoringSSL without ssl_stapling vs Libre/OpenSSL with ssl_stapling?
    What are the advantages of using BoringSSL vs Libre/OpenSSL?

    I was reading this thread and we can read that there are no performance hits, only security benefits. Do you agree?

    Thanks
     
  4. rdan

    I'm not even using this with LibreSSL.
    Not so big deal with performance.
     
  5. rdan

    Yes exactly.
     
  6. nfn

    Have you run BoringSSL with nginx in production?
     
  7. eva2000

    Last edited: Jun 17, 2017
  8. nfn

    So, using BoringSSL without OCSP stapling, we'll have performance degradation at this time, but we'll have a security upgrade.
     
  9. eva2000

    The security aspect is, in theory, assuming Google's development of BoringSSL to be superior to that of OpenSSL and LibreSSL over time. But OpenSSL's publicised security has gotten more attention, and so has its funding and focus on security. OCSP stapling isn't just about performance; if you read the 2 links I posted above, it's also about privacy.
     
  10. buik

    Wanted to know if BoringSSL is a serious replacement for OpenSSL on Nginx.
    Short answer: no.

    There are advantages, but the disadvantages are annoying if you are running sites.

    No OCSP stapling support
    No support for multiple certificates, as the code is removed from the BoringSSL branch

    The only reason BoringSSL could be interesting is if Cloudflare is going to open source their backported feature patches.

    I.e. the most important missing features for sites in BoringSSL.
    And that is OCSP, multi cert, ChaCha old etc.

    Of course, they will not do this. After all, they have stopped publishing code for a long time. Too many competitors who benefit?
     
  11. eva2000

    Indeed, probably those reasons are why I haven't really been motivated to get BoringSSL integration into Centmin Mod Nginx. OpenSSL 1.1 is already a good candidate with OCSP, multiple certs and ChaCha20.
     
  12. buik

    For anyone who is interested.

    Hereby a [PATCH] to Enable TLS 1.3 on BoringSSL.
    (BoringSSL chromium-stable and BoringSSL master
    (git branch April 09 2018 with TLS 1.3 draft 22, 23 and the TLS 1.3 final IETF standard)).

    The well known Nginx parameter
    is an OpenSSL parameter and won't work on BoringSSL.

    BoringSSL TLS 1.3 could be unlocked hard-coded. Hence this simple patch.
     
  13. eva2000

    Thanks for the heads up. BoringSSL still natively disables OCSP stapling, right? Need a patch to re-enable OCSP stapling in BoringSSL.
     
  14. buik

    That's right.
    Not using OCSP stapling anymore as part of my re-evaluation and cleanup.

    I have re-analyzed my entire WEB stack, including the add-ons.
    After testing, with and without the relevant addition.
    Removed everything that does not work or adds too little.

    It takes far too much time to maintain WEB stacks and debug problems with all those extras (which obviously add little to no extra speed or profit on other subjects anyway).

    I think I, or we all, are going too far to achieve little gain.
    Afraid to miss the boat. Getting warm feelings with all the smooth internet stories that promise you a lot of speed gain.

    Have read all known articles again (Cloudflare, Dropbox tech blog, MaxCDN etc.)
    Then retried them one by one. And have come to the conclusion that it does not work.

    Do not get me wrong. It does work. Or could work. But not on small projects like ours.
    If you have a hundred thousand servers or more, there every 0.2% counts.

    Which results in big improvements (seen in total).
    A hundred thousand servers or more is obviously different than 1 server or a room full of servers.

    Summing up:
    After the removal of a lot of unnecessary extras,
    the WEB stack has not become measurably slower or faster.

    Both the optimized and the non-optimized server could obtain the same result.

    Have benched and tested it at different times because there is a lot of influence
    due to larger limitations that you have no influence on (datacenter, neighbors, ISP etc.).

    It is always difficult to measure exactly when a site is already at its limit.
    200 - 300 ms is the limit for a site, I think.

    Of course a lot less work now.

    No longer have to continuously rewrite every patch, test all new updates of add-ons, parameters, config files and then test and roll out the whole.
     
    Last edited: Apr 10, 2018
  15. buik

    To come back to your question.
    Yes, OCSP stapling is removed from BoringSSL.
    So you need a patch or several patches to re-add it.

    Maybe you could ask Cloudflare.
    It seems that they are using OCSP stapling on BoringSSL.
    But as you know, they have not published code for a long time.
     
  16. eva2000

    Well, not bothering with BoringSSL right now; happy with how OpenSSL 1.1.0 and 1.1.1 are shaping up and don't need to mess with patching for OCSP, heh.
     
  17. buik

    Yup.
     
  18. buik

    Hereby an update in line with the latest upstream code:
    [PATCH] to Enable TLS 1.3 on BoringSSL.

    Tested on Nginx 1.14.0 - (BoringSSL master (git branch June 08 2018 with TLS 1.3 draft 23 and the TLS 1.3 final IETF standard)).
     
  19. buik

    Hereby another update in line with the latest upstream code:
    [PATCH] to Enable TLS 1.3 on BoringSSL.

    Tested on Nginx 1.14.0 - (BoringSSL master (git branch June 23 2018 with TLS 1.3 draft 23 and the TLS 1.3 final IETF standard)).
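The thread makes two claims a practitioner will want to verify on a running server: that a BoringSSL build of nginx sends no stapled OCSP response (so clients fall back to fetching it themselves, which costs a round trip and tells the CA which site was visited), and that the posted patches get TLS 1.3 negotiated. The shell script below is an added example, not code from this thread, from Centmin Mod or from the patches buik posted. It parses the text that `openssl s_client -status` prints; the exact marker lines it matches on ("OCSP response: no response sent", "OCSP Response Status: successful", "Protocol  : TLSv1.3") are an assumption about that output format, the `tls_probe` and `parse_*` names are the example's own, and the certificate path in the nginx snippet is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread or from Centmin Mod): client-side checks for
# OCSP stapling and the negotiated TLS version, based on `openssl s_client` output.
# Assumption: s_client prints the marker lines matched below.

# parse_ocsp_status: reads s_client output on stdin and prints one of
#   stapled      - the server stapled an OCSP response into the handshake
#   not-stapled  - no response sent; the client must contact the CA's OCSP
#                  responder itself (extra round trip, and the CA learns the site)
#   unknown      - neither marker seen (handshake failed, output truncated)
parse_ocsp_status() {
    out=$(cat)
    case "$out" in
        *"OCSP Response Status: successful"*) echo stapled ;;
        *"OCSP response: no response sent"*)  echo not-stapled ;;
        *)                                    echo unknown ;;
    esac
}

# parse_protocol: reads s_client output on stdin and prints the version from the
# "Protocol  : TLSv1.3" line of the SSL-Session summary, or "unknown" if absent.
parse_protocol() {
    proto=$(sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*//p' | head -n 1)
    echo "${proto:-unknown}"
}

# tls_probe HOST [PORT]: live check against a real server (needs network).
# Prints "HOST proto=<version> ocsp=<status>". Empty stdin makes s_client exit
# right after the handshake.
tls_probe() {
    host=$1
    port=${2:-443}
    out=$(printf '' | openssl s_client -connect "$host:$port" -servername "$host" -status 2>/dev/null)
    proto=$(printf '%s\n' "$out" | parse_protocol)
    ocsp=$(printf '%s\n' "$out" | parse_ocsp_status)
    echo "$host proto=$proto ocsp=$ocsp"
}

# nginx_stapling_snippet: the server-side directives that enable stapling in an
# OpenSSL-built nginx. Per the thread they have no effect in a BoringSSL build,
# which is exactly what tls_probe would show as ocsp=not-stapled.
# The chain path is a placeholder.
nginx_stapling_snippet() {
    cat <<'EOF'
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /path/to/chain.pem;   # placeholder: CA chain used to verify the staple
    resolver 127.0.0.1 valid=300s;                # resolver nginx uses to reach the OCSP responder
EOF
}

# Usage when run directly:  sh tls_probe.sh example.com [443]
if [ -n "${1:-}" ]; then
    tls_probe "$@"
fi
```

Run `tls_probe` once against the OpenSSL-built nginx and once against the BoringSSL build of the same site: the thread's claims predict `ocsp=stapled` for the first (with the snippet's directives in place) and `ocsp=not-stapled` for the second, while `proto=TLSv1.3` on the BoringSSL build confirms the patch took effect.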
     
  20. eva2000
