Nginx Nginx ssl cipher suite

rdan · May 17, 2015

I just follow the comment below that page: openssl 1.0.2a : Chacha20-Poly1305 patch failed. · Issue #11 · cloudflare/sslconfig · GitHub
Ops, sorry :|

rdan · May 17, 2015

Just trying to have to have ChaCha20-Poly1305 working :|

eva2000 · May 17, 2015

well i know that patch doesn't work for me on 1.02a

rdan · May 17, 2015

If you spare time, can you point to me the right package? :|
Maybe using another repo/branch of openssl that support ChaCha20..

eva2000 · May 17, 2015

RoldanLT said: ↑

If you spare time, can you point to me the right package? :|
Maybe using another repo/branch of openssl that support ChaCha20..
Click to expand...

search = SSL - Improper ciphers on this site | Centmin Mod Community

rdan · May 17, 2015

So to apply it, I will just replace this: centminmod/downloadlinks.inc at 123.08centos7beta02 · centminmod/centminmod · GitHub ?

rdan · May 17, 2015

Since it has different file name, file content and extension.
I'm confuse a little bit on what files to modify on centmin.

eva2000 · May 17, 2015

RoldanLT said: ↑

So to apply it, I will just replace this: centminmod/downloadlinks.inc at 123.08centos7beta02 · centminmod/centminmod · GitHub ?
Click to expand...

nope remove official one, then manually download (openssl 1.02a chacha one) it in tar.gz format to /svr-setup and rename it to same format as official openssl 1.02a and just recompile Nginx via centmin.sh menu option 4

basically rename the chacha20 package tar.gz and directory to openssl-1.02a equivalent so centmin.sh sees it as just normal openssl-1.02a i.e. rename to openssl-1.0.2a.tar.gz

rdan · May 17, 2015

Thanks a lot :|
Can you please give the right cipher?
I don't want to support older browser/system, just want to have performance

eva2000 · May 17, 2015

add 2 ciphers to existing cipher list SSL - Improper ciphers on this site | Centmin Mod Community
Code:
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:

rdan · May 17, 2015

So the config should be?

ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:;
Click to expand...

eva2000 · May 17, 2015

RoldanLT said: ↑

So the config should be?
Click to expand...

that's first 3 ciphers as example but there's the whole list after that so that ain't the whole cipher list. Just take existing cipher list and add 2 chacha ones to front

rdan · May 17, 2015

I'm sorry but I'm confuse :/
Can you please list the one's you use here? If possible.

eva2000 · May 17, 2015

cipher list from Nginx HTTPS / SSL Google SPDY configuration add the 2 in front

Code:

ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;

rdan · May 17, 2015

eva2000 said: ↑

nope remove official one, then manually download (openssl 1.02a chacha one) it in tar.gz format to /svr-setup and rename it to same format as official openssl 1.02a and just recompile Nginx via centmin.sh menu option 4

basically rename the chacha20 package tar.gz and directory to openssl-1.02a equivalent so centmin.sh sees it as just normal openssl-1.02a i.e. rename to openssl-1.0.2a.tar.gz
Click to expand...

So as long as the .tar.gz file and openssl-1.0.2a folder is there (/svr-setup/) it will not be overwritten with default openssl every nginx upgrade?

eva2000 · May 17, 2015

RoldanLT said: ↑

So as long as the .tar.gz file and openssl-1.0.2a folder is there (/svr-setup/) it will not be overwritten with default openssl every nginx upgrade?
Click to expand...

centmin.sh only downloads new one if version number is different in centmin.sh or if .tar.gz doesn't exist. If replaced one has same name, centmin.sh skips download

rdan · May 17, 2015

I think I nailed it?
Please have a look
# cd /svr-setup/
# wget https://github.com/PeterMosmans/openssl/archive/1.0.2-chacha.zip
# unzip 1.0.2-chacha.zip
# rm -rf openssl-1.0.2*
# mv openssl-1.0.2-chacha openssl-1.0.2a
# tar -zcvf openssl-1.0.2a.tar.gz /svr-setup/openssl-1.0.2a
# centmin
# service nginx restart

eva2000 · May 17, 2015

yeah that works or just download tar.gz one
Code:
wget https://github.com/PeterMosmans/openssl/archive/1.0.2-chacha.tar.gz

rdan · May 17, 2015

eva2000 said: ↑
add 2 ciphers to existing cipher list SSL - Improper ciphers on this site | Centmin Mod Community
Code:
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:
Click to expand...
Possible to add this cipher of yours on front of https://raw.githubusercontent.com/cloudflare/sslconfig/master/conf ?

eva2000 · May 17, 2015

RoldanLT said: ↑

Possible to add this cipher of yours on front of https://raw.githubusercontent.com/cloudflare/sslconfig/master/conf ?
Click to expand...

try it and see - you can use any ciphers but I put chacha ones at the very front

Log in / Register

Forums

Get the most out of your Centmin Mod LEMP stack

Nginx Nginx ssl cipher suite

rdan Well-Known Member

rdan Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

rdan Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Get the most out of your Centmin Mod LEMP stack

Nginx Nginx ssl cipher suite

rdan Well-Known Member

rdan Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

rdan Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

eva2000 Administrator Staff Member

.