
Nginx SSL cipher suite

Discussion in 'Centmin Mod Insights' started by rdan, Jul 7, 2014.

  1. rdan

    rdan Well-Known Member

    5,443
    1,402
    113
    May 25, 2014
    Ratings:
    +2,194
    Local Time:
    8:30 AM
    Mainline
    10.2
    What is the fastest SSL cipher suite combination that is at the same time compatible with almost all browsers?
    I don't care about security as I don't have a shopping cart on my site; I only use SSL because of SPDY :)

    Please leave your thoughts here.

     
  2. rdan

  3. eva2000

    eva2000 Administrator Staff Member

    54,052
    12,176
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,734
    Local Time:
    10:30 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    fastest would depend on the server end too

    on your server you can run

    Code:
    openssl speed
    honestly, I'm still very new to SSL

    Interesting script at http://superuser.com/a/224263/101822; could customise it for other tests I suppose :)
     
  4. eva2000

    Suppose you could patch the Nginx statically compiled OpenSSL 1.0.1h; haven't looked into that. The NGINXPATCH variable in centmin.sh https://github.com/centminmod/centminmod/blob/master/centmin.sh#L182 would ideally be used to delay the Nginx upgrade process until you have patched the static OpenSSL version.
     
  5. rdan

    I don't want to screw things up, unless you give a full step-by-step guide.
    Surely I will follow and try it :)
     
  6. eva2000

  7. rdan

    Yes that's the one I linked above :)
    Really don't know how to apply it.
     
  8. eva2000

  9. rdan

    Oh, that's similar.
    Since you created it, you can also apply the one that comes from Cloudflare. Thanks in advance :)
     
  10. rdan

    So the patch for Cloudflare would be something like this?
    Code:
    opensslpatches() {
    # Cloudflare RC4 kill patch (disables RC4 in the statically compiled OpenSSL)
    if [[ "${OPENSSL_VERSION}" = '1.0.1g' ]]; then
        echo "###################################"
        echo "Patching OpenSSL 1.0.1g"
        echo "###################################"
        echo "Cloudflare RC4 kill patch"
        echo "https://github.com/cloudflare/sslconfig/blob/master/patches/openssl__disable_rc4.patch"
        echo "####################################"
        pushd ssl
        # drop any stale copy so wget -c cannot resume a truncated download
        rm -rf openssl__disable_rc4.patch
        wget -cnv https://raw.githubusercontent.com/cloudflare/sslconfig/master/patches/openssl__disable_rc4.patch
        patch < openssl__disable_rc4.patch
        popd
        echo "####################################"
        echo "OpenSSL 1.0.1g patched"
        echo "####################################"
    fi
    }
     
  11. eva2000

    yeah maybe later :)

    yup :)

    FYI, just did an openssl speed test run on my wable.com bundle 3 OpenVZ VPS server

    Code:
    openssl speed
    
    Doing md2 for 3s on 16 size blocks: 311077 md2's in 2.99s
    Doing md2 for 3s on 64 size blocks: 157011 md2's in 3.00s
    Doing md2 for 3s on 256 size blocks: 52582 md2's in 2.99s
    Doing md2 for 3s on 1024 size blocks: 14410 md2's in 3.00s
    Doing md2 for 3s on 8192 size blocks: 1852 md2's in 3.00s
    Doing mdc2 for 3s on 16 size blocks: 2483330 mdc2's in 2.99s
    Doing mdc2 for 3s on 64 size blocks: 666273 mdc2's in 3.00s
    Doing mdc2 for 3s on 256 size blocks: 169740 mdc2's in 3.00s
    Doing mdc2 for 3s on 1024 size blocks: 42694 mdc2's in 2.99s
    Doing mdc2 for 3s on 8192 size blocks: 5297 mdc2's in 3.00s
    Doing md4 for 3s on 16 size blocks: 14498527 md4's in 3.00s
    Doing md4 for 3s on 64 size blocks: 11144693 md4's in 2.99s
    Doing md4 for 3s on 256 size blocks: 6500007 md4's in 3.00s
    Doing md4 for 3s on 1024 size blocks: 2426730 md4's in 3.00s
    Doing md4 for 3s on 8192 size blocks: 355134 md4's in 3.00s
    Doing md5 for 3s on 16 size blocks: 10589338 md5's in 2.99s
    Doing md5 for 3s on 64 size blocks: 7681490 md5's in 3.00s
    Doing md5 for 3s on 256 size blocks: 4195374 md5's in 2.99s
    Doing md5 for 3s on 1024 size blocks: 1489570 md5's in 3.00s
    Doing md5 for 3s on 8192 size blocks: 212311 md5's in 3.00s
    Doing hmac(md5) for 3s on 16 size blocks: 8088466 hmac(md5)'s in 2.99s
    Doing hmac(md5) for 3s on 64 size blocks: 6273699 hmac(md5)'s in 3.00s
    Doing hmac(md5) for 3s on 256 size blocks: 3727716 hmac(md5)'s in 3.00s
    Doing hmac(md5) for 3s on 1024 size blocks: 1429230 hmac(md5)'s in 2.99s
    Doing hmac(md5) for 3s on 8192 size blocks: 211197 hmac(md5)'s in 3.00s
    Doing sha1 for 3s on 16 size blocks: 11688719 sha1's in 2.99s
    Doing sha1 for 3s on 64 size blocks: 8281251 sha1's in 3.00s
    Doing sha1 for 3s on 256 size blocks: 4418584 sha1's in 3.00s
    Doing sha1 for 3s on 1024 size blocks: 1554577 sha1's in 2.99s
    Doing sha1 for 3s on 8192 size blocks: 229546 sha1's in 3.00s
    Doing sha256 for 3s on 16 size blocks: 8484163 sha256's in 2.99s
    Doing sha256 for 3s on 64 size blocks: 4688261 sha256's in 3.00s
    Doing sha256 for 3s on 256 size blocks: 2020362 sha256's in 2.99s
    Doing sha256 for 3s on 1024 size blocks: 635947 sha256's in 2.99s
    Doing sha256 for 3s on 8192 size blocks: 84544 sha256's in 3.00s
    Doing sha512 for 3s on 16 size blocks: 6751222 sha512's in 3.00s
    Doing sha512 for 3s on 64 size blocks: 6785950 sha512's in 2.99s
    Doing sha512 for 3s on 256 size blocks: 2589442 sha512's in 3.00s
    Doing sha512 for 3s on 1024 size blocks: 919369 sha512's in 3.00s
    Doing sha512 for 3s on 8192 size blocks: 131537 sha512's in 2.99s
    Doing whirlpool for 3s on 16 size blocks: 4072238 whirlpool's in 3.00s
    Doing whirlpool for 3s on 64 size blocks: 2139085 whirlpool's in 3.00s
    Doing whirlpool for 3s on 256 size blocks: 881196 whirlpool's in 2.99s
    Doing whirlpool for 3s on 1024 size blocks: 262768 whirlpool's in 3.00s
    Doing whirlpool for 3s on 8192 size blocks: 34824 whirlpool's in 3.00s
    Doing rmd160 for 3s on 16 size blocks: 6969098 rmd160's in 2.99s
    Doing rmd160 for 3s on 64 size blocks: 4190668 rmd160's in 3.00s
    Doing rmd160 for 3s on 256 size blocks: 1902273 rmd160's in 3.00s
    Doing rmd160 for 3s on 1024 size blocks: 598828 rmd160's in 2.99s
    Doing rmd160 for 3s on 8192 size blocks: 81022 rmd160's in 3.00s
    Doing rc4 for 3s on 16 size blocks: 75399513 rc4's in 3.00s
    Doing rc4 for 3s on 64 size blocks: 27419271 rc4's in 2.99s
    Doing rc4 for 3s on 256 size blocks: 7905398 rc4's in 3.00s
    Doing rc4 for 3s on 1024 size blocks: 2068025 rc4's in 3.00s
    Doing rc4 for 3s on 8192 size blocks: 261719 rc4's in 2.99s
    Doing des cbc for 3s on 16 size blocks: 11150486 des cbc's in 3.00s
    Doing des cbc for 3s on 64 size blocks: 2860169 des cbc's in 3.00s
    Doing des cbc for 3s on 256 size blocks: 718160 des cbc's in 2.99s
    Doing des cbc for 3s on 1024 size blocks: 180028 des cbc's in 3.00s
    Doing des cbc for 3s on 8192 size blocks: 22527 des cbc's in 2.99s
    Doing des ede3 for 3s on 16 size blocks: 4241549 des ede3's in 3.00s
    Doing des ede3 for 3s on 64 size blocks: 1068576 des ede3's in 2.99s
    Doing des ede3 for 3s on 256 size blocks: 268395 des ede3's in 3.00s
    Doing des ede3 for 3s on 1024 size blocks: 67212 des ede3's in 3.00s
    Doing des ede3 for 3s on 8192 size blocks: 8413 des ede3's in 2.99s
    Doing aes-128 cbc for 3s on 16 size blocks: 20394762 aes-128 cbc's in 3.00s
    Doing aes-128 cbc for 3s on 64 size blocks: 5494388 aes-128 cbc's in 3.00s
    Doing aes-128 cbc for 3s on 256 size blocks: 1407568 aes-128 cbc's in 2.99s
    Doing aes-128 cbc for 3s on 1024 size blocks: 354823 aes-128 cbc's in 3.00s
    Doing aes-128 cbc for 3s on 8192 size blocks: 44558 aes-128 cbc's in 3.00s
    Doing aes-192 cbc for 3s on 16 size blocks: 17170072 aes-192 cbc's in 2.99s
    Doing aes-192 cbc for 3s on 64 size blocks: 4635410 aes-192 cbc's in 3.00s
    Doing aes-192 cbc for 3s on 256 size blocks: 1178078 aes-192 cbc's in 2.99s
    Doing aes-192 cbc for 3s on 1024 size blocks: 296597 aes-192 cbc's in 3.00s
    Doing aes-192 cbc for 3s on 8192 size blocks: 37093 aes-192 cbc's in 3.00s
    Doing aes-256 cbc for 3s on 16 size blocks: 15072983 aes-256 cbc's in 2.99s
    Doing aes-256 cbc for 3s on 64 size blocks: 3980731 aes-256 cbc's in 3.00s
    Doing aes-256 cbc for 3s on 256 size blocks: 1010346 aes-256 cbc's in 3.00s
    Doing aes-256 cbc for 3s on 1024 size blocks: 253719 aes-256 cbc's in 2.99s
    Doing aes-256 cbc for 3s on 8192 size blocks: 31787 aes-256 cbc's in 3.00s
    Doing aes-128 ige for 3s on 16 size blocks: 20603005 aes-128 ige's in 3.00s
    Doing aes-128 ige for 3s on 64 size blocks: 5310608 aes-128 ige's in 2.99s
    Doing aes-128 ige for 3s on 256 size blocks: 1335501 aes-128 ige's in 3.00s
    Doing aes-128 ige for 3s on 1024 size blocks: 335463 aes-128 ige's in 3.00s
    Doing aes-128 ige for 3s on 8192 size blocks: 41967 aes-128 ige's in 2.99s
    Doing aes-192 ige for 3s on 16 size blocks: 17409972 aes-192 ige's in 3.00s
    Doing aes-192 ige for 3s on 64 size blocks: 4474868 aes-192 ige's in 3.00s
    Doing aes-192 ige for 3s on 256 size blocks: 1123448 aes-192 ige's in 2.99s
    Doing aes-192 ige for 3s on 1024 size blocks: 281985 aes-192 ige's in 3.00s
    Doing aes-192 ige for 3s on 8192 size blocks: 35264 aes-192 ige's in 3.00s
    Doing aes-256 ige for 3s on 16 size blocks: 15101652 aes-256 ige's in 2.99s
    Doing aes-256 ige for 3s on 64 size blocks: 3858570 aes-256 ige's in 3.00s
    Doing aes-256 ige for 3s on 256 size blocks: 969970 aes-256 ige's in 3.00s
    Doing aes-256 ige for 3s on 1024 size blocks: 243090 aes-256 ige's in 2.99s
    Doing aes-256 ige for 3s on 8192 size blocks: 30413 aes-256 ige's in 3.00s
    Doing ghash for 3s on 16 size blocks: 141846466 ghash's in 3.00s
    Doing ghash for 3s on 64 size blocks: 59130977 ghash's in 2.99s
    Doing ghash for 3s on 256 size blocks: 17092912 ghash's in 3.00s
    Doing ghash for 3s on 1024 size blocks: 4451499 ghash's in 3.00s
    Doing ghash for 3s on 8192 size blocks: 561428 ghash's in 2.99s
    Doing camellia-128 cbc for 3s on 16 size blocks: 15926706 camellia-128 cbc's in 3.00s
    Doing camellia-128 cbc for 3s on 64 size blocks: 6018394 camellia-128 cbc's in 3.00s
    Doing camellia-128 cbc for 3s on 256 size blocks: 1710505 camellia-128 cbc's in 2.99s
    Doing camellia-128 cbc for 3s on 1024 size blocks: 441256 camellia-128 cbc's in 3.00s
    Doing camellia-128 cbc for 3s on 8192 size blocks: 55778 camellia-128 cbc's in 3.00s
    Doing camellia-192 cbc for 3s on 16 size blocks: 13481153 camellia-192 cbc's in 2.99s
    Doing camellia-192 cbc for 3s on 64 size blocks: 4705186 camellia-192 cbc's in 3.00s
    Doing camellia-192 cbc for 3s on 256 size blocks: 1289636 camellia-192 cbc's in 3.00s
    Doing camellia-192 cbc for 3s on 1024 size blocks: 332375 camellia-192 cbc's in 2.99s
    Doing camellia-192 cbc for 3s on 8192 size blocks: 41811 camellia-192 cbc's in 3.00s
    Doing camellia-256 cbc for 3s on 16 size blocks: 13804937 camellia-256 cbc's in 3.00s
    Doing camellia-256 cbc for 3s on 64 size blocks: 4707174 camellia-256 cbc's in 2.99s
    Doing camellia-256 cbc for 3s on 256 size blocks: 1289710 camellia-256 cbc's in 3.00s
    Doing camellia-256 cbc for 3s on 1024 size blocks: 331938 camellia-256 cbc's in 3.00s
    Doing camellia-256 cbc for 3s on 8192 size blocks: 41846 camellia-256 cbc's in 2.99s
    Doing idea cbc for 3s on 16 size blocks: 15328255 idea cbc's in 3.00s
    Doing idea cbc for 3s on 64 size blocks: 3980459 idea cbc's in 3.00s
    Doing idea cbc for 3s on 256 size blocks: 1000381 idea cbc's in 2.99s
    Doing idea cbc for 3s on 1024 size blocks: 251458 idea cbc's in 3.00s
    Doing idea cbc for 3s on 8192 size blocks: 31457 idea cbc's in 3.00s
    Doing seed cbc for 3s on 16 size blocks: 12322344 seed cbc's in 2.99s
    Doing seed cbc for 3s on 64 size blocks: 3100172 seed cbc's in 3.00s
    Doing seed cbc for 3s on 256 size blocks: 777830 seed cbc's in 3.00s
    Doing seed cbc for 3s on 1024 size blocks: 194526 seed cbc's in 2.99s
    Doing seed cbc for 3s on 8192 size blocks: 24315 seed cbc's in 3.00s
    Doing rc2 cbc for 3s on 16 size blocks: 7840528 rc2 cbc's in 3.00s
    Doing rc2 cbc for 3s on 64 size blocks: 2003392 rc2 cbc's in 2.99s
    Doing rc2 cbc for 3s on 256 size blocks: 503541 rc2 cbc's in 3.00s
    Doing rc2 cbc for 3s on 1024 size blocks: 126353 rc2 cbc's in 3.00s
    Doing rc2 cbc for 3s on 8192 size blocks: 15787 rc2 cbc's in 2.99s
    Doing blowfish cbc for 3s on 16 size blocks: 19732319 blowfish cbc's in 3.00s
    Doing blowfish cbc for 3s on 64 size blocks: 5187338 blowfish cbc's in 3.00s
    Doing blowfish cbc for 3s on 256 size blocks: 1312872 blowfish cbc's in 2.99s
    Doing blowfish cbc for 3s on 1024 size blocks: 329215 blowfish cbc's in 3.00s
    Doing blowfish cbc for 3s on 8192 size blocks: 41223 blowfish cbc's in 2.99s
    Doing cast cbc for 3s on 16 size blocks: 17552000 cast cbc's in 3.00s
    Doing cast cbc for 3s on 64 size blocks: 4602508 cast cbc's in 3.00s
    Doing cast cbc for 3s on 256 size blocks: 1164321 cast cbc's in 2.99s
    Doing cast cbc for 3s on 1024 size blocks: 291930 cast cbc's in 3.00s
    Doing cast cbc for 3s on 8192 size blocks: 36499 cast cbc's in 3.00s
    Doing 512 bit private rsa's for 10s: 168463 512 bit private RSA's in 9.99s
    Doing 512 bit public rsa's for 10s: 2041390 512 bit public RSA's in 9.99s
    Doing 1024 bit private rsa's for 10s: 53344 1024 bit private RSA's in 9.98s
    Doing 1024 bit public rsa's for 10s: 769461 1024 bit public RSA's in 9.99s
    Doing 2048 bit private rsa's for 10s: 7106 2048 bit private RSA's in 9.99s
    Doing 2048 bit public rsa's for 10s: 232720 2048 bit public RSA's in 9.99s
    Doing 4096 bit private rsa's for 10s: 995 4096 bit private RSA's in 9.99s
    Doing 4096 bit public rsa's for 10s: 62726 4096 bit public RSA's in 9.99s
    Doing 512 bit sign dsa's for 10s: 167371 512 bit DSA signs in 9.98s
    Doing 512 bit verify dsa's for 10s: 186848 512 bit DSA verify in 9.99s
    Doing 1024 bit sign dsa's for 10s: 73674 1024 bit DSA signs in 9.99s
    Doing 1024 bit verify dsa's for 10s: 68046 1024 bit DSA verify in 9.99s
    Doing 2048 bit sign dsa's for 10s: 23364 2048 bit DSA signs in 9.98s
    Doing 2048 bit verify dsa's for 10s: 20090 2048 bit DSA verify in 9.98s
    Doing 160 bit sign ecdsa's for 10s: 149218 160 bit ECDSA signs in 9.99s
    Doing 160 bit verify ecdsa's for 10s: 42918 160 bit ECDSA verify in 9.99s
    Doing 192 bit sign ecdsa's for 10s: 124089 192 bit ECDSA signs in 9.98s
    Doing 192 bit verify ecdsa's for 10s: 36125 192 bit ECDSA verify in 9.99s
    Doing 224 bit sign ecdsa's for 10s: 136921 224 bit ECDSA signs in 9.99s
    Doing 224 bit verify ecdsa's for 10s: 69153 224 bit ECDSA verify in 9.99s
    Doing 256 bit sign ecdsa's for 10s: 76358 256 bit ECDSA signs in 9.98s
    Doing 256 bit verify ecdsa's for 10s: 31603 256 bit ECDSA verify in 9.98s
    Doing 384 bit sign ecdsa's for 10s: 44940 384 bit ECDSA signs in 9.96s
    Doing 384 bit verify ecdsa's for 10s: 10582 384 bit ECDSA verify in 9.97s
    Doing 521 bit sign ecdsa's for 10s: 22557 521 bit ECDSA signs in 9.97s
    Doing 521 bit verify ecdsa's for 10s: 9753 521 bit ECDSA verify in 9.99s
    Doing 163 bit sign ecdsa's for 10s: 46737 163 bit ECDSA signs in 9.99s
    Doing 163 bit verify ecdsa's for 10s: 18612 163 bit ECDSA verify in 9.99s
    Doing 233 bit sign ecdsa's for 10s: 23410 233 bit ECDSA signs in 9.99s
    Doing 233 bit verify ecdsa's for 10s: 14216 233 bit ECDSA verify in 9.99s
    Doing 283 bit sign ecdsa's for 10s: 15613 283 bit ECDSA signs in 9.99s
    Doing 283 bit verify ecdsa's for 10s: 7392 283 bit ECDSA verify in 9.97s
    Doing 409 bit sign ecdsa's for 10s: 6636 409 bit ECDSA signs in 9.96s
    Doing 409 bit verify ecdsa's for 10s: 4276 409 bit ECDSA verify in 9.98s
    Doing 571 bit sign ecdsa's for 10s: 3137 571 bit ECDSA signs in 9.99s
    Doing 571 bit verify ecdsa's for 10s: 1849 571 bit ECDSA verify in 9.99s
    Doing 163 bit sign ecdsa's for 10s: 46503 163 bit ECDSA signs in 9.96s
    Doing 163 bit verify ecdsa's for 10s: 17568 163 bit ECDSA verify in 9.99s
    Doing 233 bit sign ecdsa's for 10s: 23646 233 bit ECDSA signs in 9.98s
    Doing 233 bit verify ecdsa's for 10s: 13376 233 bit ECDSA verify in 9.98s
    Doing 283 bit sign ecdsa's for 10s: 15458 283 bit ECDSA signs in 9.98s
    Doing 283 bit verify ecdsa's for 10s: 6887 283 bit ECDSA verify in 9.99s
    Doing 409 bit sign ecdsa's for 10s: 6709 409 bit ECDSA signs in 9.99s
    Doing 409 bit verify ecdsa's for 10s: 3910 409 bit ECDSA verify in 9.95s
    Doing 571 bit sign ecdsa's for 10s: 3075 571 bit ECDSA signs in 9.90s
    Doing 571 bit verify ecdsa's for 10s: 1648 571 bit ECDSA verify in 9.88s
    Doing 160 bit  ecdh's for 10s: 52160 160-bit ECDH ops in 9.99s
    Doing 192 bit  ecdh's for 10s: 44089 192-bit ECDH ops in 9.99s
    Doing 224 bit  ecdh's for 10s: 103301 224-bit ECDH ops in 9.98s
    Doing 256 bit  ecdh's for 10s: 42788 256-bit ECDH ops in 9.99s
    Doing 384 bit  ecdh's for 10s: 12478 384-bit ECDH ops in 9.98s
    Doing 521 bit  ecdh's for 10s: 13524 521-bit ECDH ops in 9.97s
    Doing 163 bit  ecdh's for 10s: 37874 163-bit ECDH ops in 9.99s
    Doing 233 bit  ecdh's for 10s: 29210 233-bit ECDH ops in 9.96s
    Doing 283 bit  ecdh's for 10s: 15267 283-bit ECDH ops in 9.96s
    Doing 409 bit  ecdh's for 10s: 8772 409-bit ECDH ops in 9.98s
    Doing 571 bit  ecdh's for 10s: 3735 571-bit ECDH ops in 9.99s
    Doing 163 bit  ecdh's for 10s: 35990 163-bit ECDH ops in 9.98s
    Doing 233 bit  ecdh's for 10s: 27794 233-bit ECDH ops in 9.98s
    Doing 283 bit  ecdh's for 10s: 14114 283-bit ECDH ops in 9.99s
    Doing 409 bit  ecdh's for 10s: 8180 409-bit ECDH ops in 9.99s
    Doing 571 bit  ecdh's for 10s: 3411 571-bit ECDH ops in 9.99s
    
    Code:
    OpenSSL 1.0.1h 5 Jun 2014
    built on: Wed Jun 11 18:04:11 EDT 2014
    options:bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
    compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O3 -g -mmmx -msse3 -mfpmath=sse -Wa,--noexecstack -fomit-frame-pointer -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    md2               1664.63k     3349.57k     4502.00k     4918.61k     5057.19k
    mdc2             13288.72k    14213.82k    14484.48k    14621.62k    14464.34k
    md4              77325.48k   238548.61k   554667.26k   828323.84k   969752.58k
    md5              56665.35k   163871.79k   359202.59k   508439.89k   579750.57k
    hmac(md5)        43282.76k   133838.91k   318098.43k   489475.42k   576708.61k
    sha1             62548.33k   176666.69k   377052.50k   532403.63k   626813.61k
    rmd160           37292.83k    89400.92k   162327.30k   205083.57k   221244.07k
    rc4             402130.74k   586900.78k   674593.96k   705885.87k   717057.54k
    des cbc          59469.26k    61016.94k    61487.95k    61449.56k    61719.46k
    des ede3         22621.59k    22872.53k    22903.04k    22941.70k    23049.93k
    idea cbc         81750.69k    84916.46k    85651.35k    85831.00k    85898.58k
    seed cbc         65938.96k    66137.00k    66374.83k    66620.28k    66396.16k
    rc2 cbc          41816.15k    42881.97k    42968.83k    43128.49k    43253.21k
    rc5-32/12 cbc        0.00         0.00         0.00         0.00         0.00
    blowfish cbc    105239.03k   110663.21k   112406.43k   112372.05k   112942.75k
    cast cbc         93610.67k    98186.84k    99687.68k    99645.44k    99666.60k
    aes-128 cbc     108772.06k   117213.61k   120514.18k   121112.92k   121673.05k
    aes-192 cbc      91879.98k    98888.75k   100865.54k   101238.44k   101288.62k
    aes-256 cbc      80658.10k    84922.26k    86216.19k    86892.39k    86799.70k
    camellia-128 cbc    84942.43k   128392.41k   146451.26k   150615.38k   152311.13k
    camellia-192 cbc    72139.95k   100377.30k   110048.94k   113830.10k   114171.90k
    camellia-256 cbc    73626.33k   100755.56k   110055.25k   113301.50k   114649.64k
    sha256           45400.20k   100016.23k   172980.83k   217795.90k   230861.48k
    sha512           36006.52k   145251.10k   220965.72k   313811.29k   360384.98k
    whirlpool        21718.60k    45633.81k    75446.88k    89691.48k    95092.74k
    aes-128 ige     109882.69k   113671.88k   113962.75k   114504.70k   114981.16k
    aes-192 ige      92853.18k    95463.85k    96188.19k    96250.88k    96294.23k
    aes-256 ige      80811.52k    82316.16k    82770.77k    83252.23k    83047.77k
    ghash           756514.49k  1265679.78k  1458595.16k  1519444.99k  1538200.06k
                      sign    verify    sign/s verify/s
    rsa  512 bits 0.000059s 0.000005s  16863.2 204343.3
    rsa 1024 bits 0.000187s 0.000013s   5345.1  77023.1
    rsa 2048 bits 0.001406s 0.000043s    711.3  23295.3
    rsa 4096 bits 0.010040s 0.000159s     99.6   6278.9
                      sign    verify    sign/s verify/s
    dsa  512 bits 0.000060s 0.000053s  16770.6  18703.5
    dsa 1024 bits 0.000136s 0.000147s   7374.8   6811.4
    dsa 2048 bits 0.000427s 0.000497s   2341.1   2013.0
                                  sign    verify    sign/s verify/s
    160 bit ecdsa (secp160r1)   0.0001s   0.0002s  14936.7   4296.1
    192 bit ecdsa (nistp192)   0.0001s   0.0003s  12433.8   3616.1
    224 bit ecdsa (nistp224)   0.0001s   0.0001s  13705.8   6922.2
    256 bit ecdsa (nistp256)   0.0001s   0.0003s   7651.1   3166.6
    384 bit ecdsa (nistp384)   0.0002s   0.0009s   4512.0   1061.4
    521 bit ecdsa (nistp521)   0.0004s   0.0010s   2262.5    976.3
    163 bit ecdsa (nistk163)   0.0002s   0.0005s   4678.4   1863.1
    233 bit ecdsa (nistk233)   0.0004s   0.0007s   2343.3   1423.0
    283 bit ecdsa (nistk283)   0.0006s   0.0013s   1562.9    741.4
    409 bit ecdsa (nistk409)   0.0015s   0.0023s    666.3    428.5
    571 bit ecdsa (nistk571)   0.0032s   0.0054s    314.0    185.1
    163 bit ecdsa (nistb163)   0.0002s   0.0006s   4669.0   1758.6
    233 bit ecdsa (nistb233)   0.0004s   0.0007s   2369.3   1340.3
    283 bit ecdsa (nistb283)   0.0006s   0.0015s   1548.9    689.4
    409 bit ecdsa (nistb409)   0.0015s   0.0025s    671.6    393.0
    571 bit ecdsa (nistb571)   0.0032s   0.0060s    310.6    166.8
                                  op      op/s
    160 bit ecdh (secp160r1)   0.0002s   5221.2
    192 bit ecdh (nistp192)   0.0002s   4413.3
    224 bit ecdh (nistp224)   0.0001s  10350.8
    256 bit ecdh (nistp256)   0.0002s   4283.1
    384 bit ecdh (nistp384)   0.0008s   1250.3
    521 bit ecdh (nistp521)   0.0007s   1356.5
    163 bit ecdh (nistk163)   0.0003s   3791.2
    233 bit ecdh (nistk233)   0.0003s   2932.7
    283 bit ecdh (nistk283)   0.0007s   1532.8
    409 bit ecdh (nistk409)   0.0011s    879.0
    571 bit ecdh (nistk571)   0.0027s    373.9
    163 bit ecdh (nistb163)   0.0003s   3606.2
    233 bit ecdh (nistb233)   0.0004s   2785.0
    283 bit ecdh (nistb283)   0.0007s   1412.8
    409 bit ecdh (nistb409)   0.0012s    818.8
    571 bit ecdh (nistb571)   0.0029s    341.4
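An added example (my code, not eva2000's or Centmin Mod's) that parses the `openssl speed` summary tables quoted above, the kind of server-side measurement post 3 recommends: it ranks the bulk ciphers that the thread's `ssl_ciphers` string can negotiate by throughput at 1024-byte blocks, then combines the RSA-2048 signing rate with the P-256 ECDH rate into a rough per-core ceiling on full ECDHE-RSA handshakes, which on a small VPS is usually the figure that decides "fastest". The excerpt is trimmed from the page's output; `parse_speed`, `rank_tls_bulk` and `handshake_budget` are my names.

```python
import re

# Constructed excerpt of the `openssl speed` summary quoted above (same columns
# and values as on the page, trimmed to the rows the cipher string can use).
SPEED_OUTPUT = """\
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
md5              56665.35k   163871.79k   359202.59k   508439.89k   579750.57k
sha1             62548.33k   176666.69k   377052.50k   532403.63k   626813.61k
rc4             402130.74k   586900.78k   674593.96k   705885.87k   717057.54k
des ede3         22621.59k    22872.53k    22903.04k    22941.70k    23049.93k
rc5-32/12 cbc        0.00         0.00         0.00         0.00         0.00
aes-128 cbc     108772.06k   117213.61k   120514.18k   121112.92k   121673.05k
aes-256 cbc      80658.10k    84922.26k    86216.19k    86892.39k    86799.70k
camellia-128 cbc    84942.43k   128392.41k   146451.26k   150615.38k   152311.13k
sha256           45400.20k   100016.23k   172980.83k   217795.90k   230861.48k
                  sign    verify    sign/s verify/s
rsa 2048 bits 0.001406s 0.000043s    711.3  23295.3
rsa 4096 bits 0.010040s 0.000159s     99.6   6278.9
                              op      op/s
256 bit ecdh (nistp256)   0.0002s   4283.1
384 bit ecdh (nistp384)   0.0008s   1250.3
"""

BLOCK_SIZES = (16, 64, 256, 1024, 8192)

# openssl speed row name -> bulk cipher alias in the thread's ssl_ciphers string
TLS_BULK = {
    "rc4": "RC4", "des ede3": "3DES", "aes-128 cbc": "AES128",
    "aes-256 cbc": "AES256", "camellia-128 cbc": "CAMELLIA128",
}

# A throughput row: a lower-case algorithm name (may contain spaces) followed by
# five numbers; the 'k' suffix is absent on the 0.00 rows of uncompiled ciphers.
THROUGHPUT_RE = re.compile(
    r"^(?P<alg>[a-z][a-z0-9\-/]*(?: [a-z0-9\-/()]+)*)\s+"
    r"(?P<v16>[\d.]+)k?\s+(?P<v64>[\d.]+)k?\s+(?P<v256>[\d.]+)k?\s+"
    r"(?P<v1024>[\d.]+)k?\s+(?P<v8192>[\d.]+)k?$")
RSA_RE = re.compile(r"^rsa\s+(\d+) bits\s+[\d.]+s\s+[\d.]+s\s+([\d.]+)\s+([\d.]+)$")
ECDH_RE = re.compile(r"^\d+ bit ecdh \((\w+)\)\s+[\d.]+s\s+([\d.]+)$")


def parse_speed(text):
    """Return (bulk, rsa, ecdh): bulk[alg][block] in kB/s,
    rsa[bits] = (sign/s, verify/s), ecdh[curve] = ops/s."""
    bulk, rsa, ecdh = {}, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := THROUGHPUT_RE.match(line):
            bulk[m["alg"]] = {n: float(m[f"v{n}"]) for n in BLOCK_SIZES}
        elif m := RSA_RE.match(line):
            rsa[int(m[1])] = (float(m[2]), float(m[3]))
        elif m := ECDH_RE.match(line):
            ecdh[m[1]] = float(m[2])
    return bulk, rsa, ecdh


def rank_tls_bulk(bulk, block=1024):
    """Bulk ciphers the thread's string can negotiate, fastest first, as (name, kB/s).
    Rows reporting 0.00 are algorithms not compiled into this OpenSSL and are skipped."""
    rows = [(TLS_BULK[a], v[block]) for a, v in bulk.items()
            if a in TLS_BULK and v[block] > 0]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def handshake_budget(rsa, ecdh, rsa_bits=2048, curve="nistp256"):
    """Rough single-core ceiling on full ECDHE-RSA handshakes per second.
    Each one costs one RSA private-key signature plus two EC scalar multiplications
    (ephemeral key generation and shared-secret derivation); `openssl speed` times
    one multiplication per ecdh op, so the per-op times are summed. Resumed
    sessions (ssl_session_cache / ssl_session_tickets) skip all of this."""
    sign_per_s, _verify_per_s = rsa[rsa_bits]
    ecdh_per_s = ecdh[curve]
    return 1.0 / (1.0 / sign_per_s + 2.0 / ecdh_per_s)


if __name__ == "__main__":
    bulk, rsa, ecdh = parse_speed(SPEED_OUTPUT)
    for name, kbps in rank_tls_bulk(bulk):
        print(f"{name:12s} {kbps / 1024:8.1f} MB/s at 1024-byte blocks")
    print(f"ECDHE-RSA-2048 / P-256 handshakes: ~{handshake_budget(rsa, ecdh):.0f}/s per core")
```

Note that this build's `openssl speed` run without `-evp` measures the plain C AES path; `openssl speed -evp aes-128-gcm` exercises the EVP/AES-NI path that TLS 1.2 GCM suites actually use, so AES usually fares far better there.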
     
  12. rdan

    But as for Cloudflare, they are using OpenSSL 1.0.2-stable (+ patches).
    Should it be fine for us?
     
  13. eva2000

    Honestly, no idea heh.. you need to try it on a test VPS ;)
     
  14. rdan

  15. eva2000

  16. eva2000

    LOL, now you have me curious.. set up a test domain on my wable.com bundle 3 OpenVZ VPS server at https://sslpatch.centminmod.com, will see :)

    For the opensslpatches function in inc/openssl_install.inc:

    Code:
    opensslpatches() {
    # release buffer patch CVE-2010-5298
    if [[ "${OPENSSL_VERSION}" = '1.0.1g' ]]; then
        echo "###################################"
        echo "Patching OpenSSL 1.0.1g"
        echo "###################################"
        echo "CVE-2010-5298"
        echo "http://www.cvedetails.com/cve/CVE-2010-5298/"
        echo "####################################"
        pushd ssl
        rm -rf releasebuffer.patch
        wget -cnv http://centminmod.com/centminmodparts/openssl/patches/releasebuffer.patch
        patch < releasebuffer.patch
        popd
        echo "####################################"
        echo "OpenSSL 1.0.1g patched"
        echo "####################################"
    fi
    
    # Cloudflare RC4 kill patch (drops RC4 from the statically compiled OpenSSL)
    if [[ "${OPENSSL_VERSION}" = '1.0.1i' ]]; then
        echo "###################################"
        echo "Patching OpenSSL 1.0.1i"
        echo "###################################"
        echo "Cloudflare RC4 kill patch"
        echo "https://github.com/cloudflare/sslconfig/blob/master/patches/openssl__disable_rc4.patch"
        echo "####################################"
        pushd ssl
        rm -rf openssl__disable_rc4.patch
        wget -cnv --no-check-certificate https://github.com/cloudflare/sslconfig/raw/master/patches/openssl__disable_rc4.patch
        patch < openssl__disable_rc4.patch
        popd
        echo "####################################"
        echo "OpenSSL 1.0.1i patched"
        echo "####################################"
    fi
    }
    Patched successfully on the Centmin Mod .07 stable build after a Nginx menu option 4 recompile: Qualys SSL Labs - Projects / SSL Server Test / sslpatch.centminmod.com

    Code:
    nginx -V
    nginx version: nginx/1.7.2
    built by gcc 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC)
    TLS SNI support enabled
    configure arguments: --with-cc-opt='-I/svr-setup/staticlibssl/include -I/usr/include' --with-ld-opt='-L/svr-setup/staticlibssl/lib -Wl,-rpath -lssl -lcrypto -ldl -lz' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-http_ssl_module --with-http_gzip_static_module --with-http_stub_status_module --with-http_sub_module --with-http_addition_module --with-http_image_filter_module --with-http_secure_link_module --with-http_flv_module --with-http_realip_module --with-openssl-opt=enable-tlsext --add-module=../ngx-fancyindex-ngx-fancyindex --add-module=../ngx_cache_purge-2.1 --add-module=../headers-more-nginx-module-0.25 --add-module=../nginx-accesskey-2.0.3 --add-module=../nginx-http-concat-master --with-http_dav_module --add-module=../nginx-dav-ext-module-0.0.3 --with-openssl=../openssl-1.0.1i --with-libatomic --with-pcre=../pcre-8.35 --with-pcre-jit --with-http_spdy_module --add-module=../ngx_pagespeed-release-1.8.31.4-beta
    Code:
    ./centmin.sh
    
    --------------------------------------------------------
    Centmin Mod 1.2.3-eva2000.07 - http://centminmod.com
    --------------------------------------------------------
                       Centmin Mod Menu       
    --------------------------------------------------------
    1).  Centmin Install
    2).  Add Nginx vhost domain
    3).  NSD setup domain name DNS
    4).  Nginx Upgrade / Downgrade
    5).  PHP Upgrade / Downgrade
    6).  XCache Re-install
    7).  APC Cache Re-install
    8).  XCache Install
    9).  APC Cache Install
    10). Memcached Server Re-install
    11). MariaDB 5.2, 5.5, 10 Upgrade Sub-Menu
    12). Zend OpCache Install/Re-install
    13). Install ioping.sh vbtechsupport.com/1239/
    14). SELinux disable
    15). Install/Re-install ImageMagick PHP Extension
    16). Change SSHD Port Number
    17). Multi-thread compression: pigz,pbzip2,lbzip2,p7zip etc
    18). Suhosin PHP Extension install
    19). Install FFMPEG and FFMPEG PHP Extension
    20). NSD Re-install
    21). Update - Nginx + PHP-FPM + Siege
    22). Exit
    --------------------------------------------------------
    Enter option [ 1 - 22 ] 4
    --------------------------------------------------------
    Custom configure CSF settings...set
    
    Do you want to run YUM install checks ?  [y/n]
    
    This will increase your upgrade duration time wise.
    Check the change log centminmod.com/changelog.html
    to see if any Nginx or PHP related new additions
    which require checking YUM prequisites are met.
    If no new additions made, you can skip the
    YUM install check to speed up upgrade time.
    
    [y/n]: n
    **********************************************************************
    * Nginx Update script - Included in Centmin Extras
    * Version: 1.2.3-eva2000.07 - Date: 30/06/2014 - Copyright 2011-2014 CentminMod.com
    **********************************************************************
    This software comes with no warranty of any kind. You are free to use
    it for both personal and commercial use as licensed under the GPL.
    Nginx Upgrade - Would you like to continue? [y/n] y
    
    Install which version of Nginx? (version i.e. 1.7.2}): 1.7.2
    
    Do you want to recompile OpenSSL ? Only needed if you updated OpenSSL version in centmin.sh [y/n]: n
    (Screenshots: sslpatch.centminmod.com-patchedok_00.png, sslpatch.centminmod.com-patchedok_01.png)

    sslpatch.centminmod.com Nginx vhost

    Code:
    server {
        listen 80;
        server_name sslpatch.centminmod.com;
        # send all plain HTTP requests to the HTTPS vhost below
        return 301 https://$server_name$request_uri;
    }

    server {
        listen 443 ssl spdy;
        server_name sslpatch.centminmod.com www.sslpatch.centminmod.com;

        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
        add_header Alternate-Protocol 443:npn-spdy/3;
        ssl_certificate      /usr/local/nginx/conf/ssl/centminmod.comwild/centminmod-unified.crt;
        ssl_certificate_key  /usr/local/nginx/conf/ssl/centminmod.comwild/centminmod.com.key;
        ssl_session_cache    shared:SSL:10m;
        ssl_session_timeout  5m;

        #cloudflare
        ssl_protocols   SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers     EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:EECDH+RC4:RSA+RC4:!MD5;

        ssl_prefer_server_ciphers on;
        spdy_headers_comp 5;
        ssl_buffer_size 4000;
        ssl_session_tickets on;

        # enable ocsp stapling
        resolver 8.8.8.8 8.8.4.4 valid=10m;
        resolver_timeout 10s;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /usr/local/nginx/conf/ssl/centminmod.comwild/centminmod-trusted2.crt;

        # ngx_pagespeed & ngx_pagespeed handler
        #include /usr/local/nginx/conf/pagespeed.conf;
        #include /usr/local/nginx/conf/pagespeedhandler.conf;
        #include /usr/local/nginx/conf/pagespeedstatslog.conf;

        # limit_conn limit_per_ip 16;
        # ssi  on;

        access_log /home/nginx/domains/sslpatch.centminmod.com/log/access.log combined buffer=32k;
        error_log /home/nginx/domains/sslpatch.centminmod.com/log/error.log;

        root /home/nginx/domains/sslpatch.centminmod.com/public;

        location / {
            # block common exploits, sql injections etc
            #include /usr/local/nginx/conf/block.conf;

            # Enables directory listings when index file not found
            autoindex on;

            # Enable for vBulletin usage WITHOUT vbSEO installed
            #try_files $uri $uri/ /index.php;
        }

        include /usr/local/nginx/conf/staticfiles.conf;
        include /usr/local/nginx/conf/php.conf;
        include /usr/local/nginx/conf/drop.conf;
        #include /usr/local/nginx/conf/errorpage.conf;
    }
    edit: committed Cloudflare kill RC4 patch to .08 beta (not yet public)

    (screenshot: sourcetree_cloudflare_patch_commit_00.png)

    ah found a typo :D

    (screenshot: sourcetree_cloudflare_patch_commit_01.png)

    Instructions for Centmin Mod v1.2.3-eva2000.07 stable users to implement

    1. find centmin.sh line 239 or 240

    Code:
    OPENSSL_VERSION='1.0.1i'   # Use this version of OpenSSL
    add after that line the following
    Code:
    CLOUDFLARE_PATCHSSL='n'    # set 'y' to implement Cloudflare's kill RC4 patch https://github.com/cloudflare/sslconfig
    set it to 'y' to enable patching or leave it at 'n' to NOT use the patch

    2. edit inc/openssl_install.inc and add the following after line 19, or replace inc/openssl_install.inc with the contents of this file: inc/openssl_install.inc for cloudflare rc4 kill patch

    Code:
    if [[ "$CLOUDFLARE_PATCHSSL" = [yY] ]]; then
        # must run from the extracted OpenSSL source directory: the patch edits
        # ssl/s3_lib.c and, without -p, patch looks for a plain s3_lib.c in the
        # current directory, hence the pushd into ssl/ below
        if [[ -f ssl/s3_lib.c ]]; then
            echo  "###################################"
            echo "Patching OpenSSL ${OPENSSL_VERSION}"
            echo  "###################################"
            echo "Cloudflare RC4 kill patch"
            echo "https://github.com/cloudflare/sslconfig/blob/master/patches/openssl__disable_rc4.patch"
            echo  "####################################"
            pushd ssl
            rm -rf openssl__disable_rc4.patch
            wget -cnv --no-check-certificate https://github.com/cloudflare/sslconfig/raw/master/patches/openssl__disable_rc4.patch
            patch < openssl__disable_rc4.patch
            popd
            echo  "####################################"
            echo  "OpenSSL ${OPENSSL_VERSION} patched"
            echo  "####################################"
        else
            echo "ssl/s3_lib.c not found: not in the OpenSSL source directory, skipping Cloudflare patch"
        fi
    fi # CLOUDFLARE_PATCHSSL
    3. then run centmin.sh option 4 to recompile Nginx, specify version 1.7.2, and answer no to both the yum check and the openssl recompile

    4. change your Nginx SPDY SSL vhost's ssl_protocols and ssl_ciphers to the following Cloudflare ones

    Code:
        #cloudflare
        ssl_protocols   SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers     EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:EECDH+RC4:RSA+RC4:!MD5;
    5. restart Nginx web server
    Code:
    ngxrestart
     
    Last edited: Sep 30, 2014
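Before switching a vhost to a cipher list, it helps to see exactly what the list admits. The following is an added example, not code from this thread or from Centmin Mod: a small static audit of the three TLS directives in an nginx server block. SAMPLE_VHOST is copied from the #cloudflare block of the vhost above; the list of flagged tokens (RC4, 3DES, MD5, NULL, EXPORT) and the audit and hardening logic are this example's own choices, not anything Cloudflare or nginx ships.

```python
"""Static audit of the TLS directives in an nginx vhost (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Copied from the #cloudflare block of the vhost quoted above.
SAMPLE_VHOST = """\
    #cloudflare
    ssl_protocols   SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers     EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:EECDH+RC4:RSA+RC4:!MD5;

        ssl_prefer_server_ciphers   on;
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}
# OpenSSL cipher-string tokens that select legacy suites (this example's own list).
LEGACY_TOKENS = {
    "RC4": "RC4 stream cipher (what the Cloudflare patch in this thread turns off for TLS 1.1+)",
    "3DES": "3DES, a 64-bit block cipher",
    "MD5": "MD5-based MAC",
    "NULL": "unencrypted suites",
    "EXPORT": "export-grade suites",
}

# Directive name must start the line, so commented-out copies are ignored.
DIRECTIVE_RE = re.compile(
    r"^\s*(ssl_protocols|ssl_ciphers|ssl_prefer_server_ciphers)\s+([^;]+);", re.M)


@dataclass
class TlsAudit:
    protocols: List[str]
    ciphers: List[str]           # ssl_ciphers entries in server-preference order
    prefer_server_ciphers: bool
    findings: List[str] = field(default_factory=list)


def parse_vhost(text: str):
    """Extract the three TLS directives from a server block."""
    found = {name: value.strip() for name, value in DIRECTIVE_RE.findall(text)}
    protocols = found.get("ssl_protocols", "").split()
    ciphers = [c for c in found.get("ssl_ciphers", "").split(":") if c]
    prefer = found.get("ssl_prefer_server_ciphers", "off").lower() == "on"
    return protocols, ciphers, prefer


def tokens_of(entry: str):
    """'EECDH+RC4' -> {'EECDH', 'RC4'}; suite names like 'RC4-SHA' split the same way."""
    return {t for t in re.split(r"[+\-]", entry.lstrip("+")) if t}


def audit(text: str) -> TlsAudit:
    protocols, ciphers, prefer = parse_vhost(text)
    result = TlsAudit(protocols, ciphers, prefer)
    for proto in protocols:
        if proto in LEGACY_PROTOCOLS:
            result.findings.append(f"protocol {proto} is enabled")
    for idx, entry in enumerate(ciphers, start=1):
        if entry.startswith("!"):
            continue  # '!X' permanently removes suites: a hardening, not a finding
        for tok, why in LEGACY_TOKENS.items():
            if tok in tokens_of(entry):
                result.findings.append(f"ssl_ciphers entry {idx} '{entry}' allows {why}")
    if not prefer:
        result.findings.append("ssl_prefer_server_ciphers is off: the client picks the suite")
    return result


def harden(text: str) -> Tuple[str, str]:
    """Return replacement directives: legacy protocols dropped, legacy positive
    entries removed, and explicit '!' exclusions appended so that no remaining
    alias (e.g. a bare EECDH) can re-admit the removed families."""
    protocols, ciphers, _ = parse_vhost(text)
    kept_protocols = [p for p in protocols if p not in LEGACY_PROTOCOLS]
    kept, excluded = [], set()
    for entry in ciphers:
        hits = {tok for tok in LEGACY_TOKENS if tok in tokens_of(entry)}
        if entry.startswith("!") or not hits:
            kept.append(entry)
        else:
            excluded |= hits
    kept += [f"!{tok}" for tok in sorted(excluded)]
    return (f"ssl_protocols {' '.join(kept_protocols)};",
            f"ssl_ciphers {':'.join(kept)};")


if __name__ == "__main__":
    report = audit(SAMPLE_VHOST)
    for finding in report.findings:
        print("-", finding)
    print(*harden(SAMPLE_VHOST), sep="\n")
```

This only reads the directive text. Which suites the server really offers depends on the OpenSSL the Nginx binary was compiled against (the statically built one this thread patches), so a handshake test against the running server is still the final check.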
  17. rdan

    rdan Well-Known Member

    Running this patch now :D
    Thanks a lot!
     
  18. eva2000

    eva2000 Administrator Staff Member

    yeah Nginx 1.7.3 is out in a day or so, so will run the patch on this forum's server with Nginx 1.7.3 :)
     
  19. BamaStangGuy

    BamaStangGuy Active Member

    Code:
    [root@aspies centmin-v1.2.3mod]# ./centmin.sh
    ###################################
    Patching OpenSSL 1.0.1h
    ###################################
    Cloudflare RC4 kill patch
    https://github.com/cloudflare/sslconfig/blob/master/patches/openssl__disable_rc4.patch
    ####################################
    inc/openssl_install.inc: line 30: pushd: ssl: No such file or directory
    2014-07-06 23:38:00 URL:https://raw.githubusercontent.com/cloudflare/sslconfig/master/patches/openssl__disable_rc4.patch [812/812] -> "openssl__disable_rc4.patch" [1]
    can't find file to patch at input line 15
    Perhaps you should have used the -p or --strip option?
    The text leading up to this was:
    --------------------------
    |From 0eee93c85b7ebe0778c525baa36f368799c4390c Mon Sep 17 00:00:00 2001
    |From: Piotr Sikora <piotr@cloudflare.com>
    |Date: Tue, 21 Jan 2014 19:58:04 -0800
    |Subject: [PATCH] Disable RC4 for TLS v1.1+ (server-side).
    |
    |Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
    |---
    | ssl/s3_lib.c | 5 +++++
    | 1 file changed, 5 insertions(+)
    |
    |diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
    |index c4ef273..ecd7682 100644
    |--- a/ssl/s3_lib.c
    |+++ b/ssl/s3_lib.c
    --------------------------
    
    File to patch: 
    
     
  20. rdan

    rdan Well-Known Member

    Oops, why do I get this when I run ./centmin.sh:
    Code:
    # ./centmin.sh
    ###################################
    Patching OpenSSL 1.0.1h
    ###################################
    Cloudflare RC4 kill patch
    https://github.com/cloudflare/sslconfig/blob/master/patches/openssl__disable_rc4.patch
    ####################################
    inc/openssl_install.inc: line 30: pushd: ssl: No such file or directory
    2014-07-07 11:38:10 URL:https://raw.githubusercontent.com/cloudflare/sslconfig/master/patches/openssl__disable_rc4.patch [812/812] -> "openssl__disable_rc4.patch" [1]
    can't find file to patch at input line 15
    Perhaps you should have used the -p or --strip option?
    The text leading up to this was:
    --------------------------
    |From 0eee93c85b7ebe0778c525baa36f368799c4390c Mon Sep 17 00:00:00 2001
    |From: Piotr Sikora <piotr@cloudflare.com>
    |Date: Tue, 21 Jan 2014 19:58:04 -0800
    |Subject: [PATCH] Disable RC4 for TLS v1.1+ (server-side).
    |
    |Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
    |---
    | ssl/s3_lib.c | 5 +++++
    | 1 file changed, 5 insertions(+)
    |
    |diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
    |index c4ef273..ecd7682 100644
    |--- a/ssl/s3_lib.c
    |+++ b/ssl/s3_lib.c
    --------------------------
    File to patch:
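The two error reports above share one cause: `pushd ssl` failed, so `patch` ran from a directory with no `s3_lib.c`, and without a `-p` option GNU patch discards every directory component of `a/ssl/s3_lib.c` and looks for a bare `s3_lib.c` in the current directory, hence "can't find file to patch ... Perhaps you should have used the -p or --strip option?". The following added Python example (not code from this thread or from Centmin Mod) models that strip rule over a constructed in-memory source tree. The patch header lines are copied from the one quoted above; the hunk body, the stub file contents and the `ssl3_rc4_allowed` line are placeholders, not the real Cloudflare change.

```python
"""Model GNU patch's -p (strip) handling to show why the error above appears."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed patch: header copied from the thread, hunk body is a placeholder.
SAMPLE_PATCH = """\
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index c4ef273..ecd7682 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -1,3 +1,4 @@
 /* stub s3_lib.c (constructed) */
 int ssl3_num_ciphers(void);
+int ssl3_rc4_allowed(int version);  /* placeholder line, not the real change */
 int ssl3_get_cipher_by_char(void);
"""

# Constructed stand-in for an extracted OpenSSL source tree, keyed by path
# relative to the source root.
SAMPLE_TREE: Dict[str, str] = {
    "ssl/s3_lib.c": ("/* stub s3_lib.c (constructed) */\n"
                     "int ssl3_num_ciphers(void);\n"
                     "int ssl3_get_cipher_by_char(void);\n"),
    "Configure": "# stub of the OpenSSL configure script\n",
}


def strip_path(path: str, strip: Optional[int]) -> str:
    """GNU patch path handling: no -p keeps only the basename; -pN drops N leading components."""
    parts = path.split("/")
    if strip is None:
        return parts[-1]
    return "/".join(parts[strip:])


def parse_patch(text: str) -> Tuple[str, List[dict]]:
    """Minimal unified-diff parser: one target file, any number of hunks."""
    target, hunks, cur = "", [], None
    for line in text.splitlines():
        if line.startswith("+++ "):
            target = line[4:].split("\t")[0]
        elif line.startswith("@@"):
            m = re.match(r"@@ -(\d+)(?:,\d+)? \+(\d+)(?:,\d+)? @@", line)
            if not m:
                raise ValueError(f"bad hunk header: {line}")
            cur = {"old_start": int(m.group(1)), "lines": []}
            hunks.append(cur)
        elif cur is not None and line[:1] in (" ", "+", "-"):
            cur["lines"].append(line)
    return target, hunks


def apply_patch(tree: Dict[str, str], patch_text: str, strip: Optional[int],
                cwd: str = "") -> Dict[str, str]:
    """Apply patch_text to `tree` as if run from `cwd` with the given -p level.
    Raises FileNotFoundError the way patch reports 'can't find file to patch'."""
    target, hunks = parse_patch(patch_text)
    rel = strip_path(target, strip)
    full = f"{cwd}/{rel}" if cwd else rel
    if full not in tree:
        raise FileNotFoundError(f"can't find file to patch: {full}")
    lines = tree[full].splitlines()
    delta = 0  # net lines added by earlier hunks shifts later hunk positions
    for h in hunks:
        start = h["old_start"] - 1 + delta
        old = [l[1:] for l in h["lines"] if l[0] in " -"]
        new = [l[1:] for l in h["lines"] if l[0] in " +"]
        if lines[start:start + len(old)] != old:
            raise ValueError(f"hunk FAILED at line {start + 1}")
        lines[start:start + len(old)] = new
        delta += len(new) - len(old)
    patched = dict(tree)
    patched[full] = "\n".join(lines) + "\n"
    return patched


def demo() -> Dict[str, object]:
    out: Dict[str, object] = {}
    # from the source root with -p1: the normal way to apply a git-format patch
    out["root_p1"] = "ssl3_rc4_allowed" in apply_patch(SAMPLE_TREE, SAMPLE_PATCH, 1)["ssl/s3_lib.c"]
    # from the source root with no -p: looks for ./s3_lib.c, the failure quoted above
    try:
        apply_patch(SAMPLE_TREE, SAMPLE_PATCH, None)
        out["root_nop"] = "applied"
    except FileNotFoundError as exc:
        out["root_nop"] = str(exc)
    # from inside ssl/ with no -p: works, which is what the script's pushd ssl relies on
    out["ssl_nop"] = "ssl3_rc4_allowed" in apply_patch(
        SAMPLE_TREE, SAMPLE_PATCH, None, cwd="ssl")["ssl/s3_lib.c"]
    return out


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The practical reading: a git-format patch is meant to be applied with `patch -p1` from the source root, which is the one invocation that does not depend on first changing into `ssl/`. The two failed runs above started from a directory without an `ssl/` subdirectory, so both the `pushd` and the basename lookup had nothing to find.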