Nginx Nginx ssl cipher suite

Discussion in 'Centmin Mod Insights' started by rdan, Jul 7, 2014.

  1. rdan

    rdan Well-Known Member

    5,446
    1,408
    113
    May 25, 2014
    Ratings:
    +2,201
    Local Time:
    7:44 PM
    Mainline
    10.2
  2. rdan

    Just trying to have ChaCha20-Poly1305 working :|
     
  3. eva2000

    eva2000 Administrator Staff Member

    54,535
    12,219
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,788
    Local Time:
    9:44 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    well I know that patch doesn't work for me on 1.02a
     
  4. rdan

    If you can spare the time, can you point me to the right package? :|
    Maybe using another repo/branch of openssl that supports ChaCha20..
     
  5. eva2000

  6. rdan

  7. rdan

    Since it has a different file name, file content and extension.
    I'm a little bit confused about what files to modify on centmin.
     
  8. eva2000

    nope, remove the official one, then manually download it (the openssl 1.02a chacha one) in tar.gz format to /svr-setup, rename it to the same format as the official openssl 1.02a, and just recompile Nginx via centmin.sh menu option 4

    basically rename the chacha20 package tar.gz and directory to the openssl-1.02a equivalent so centmin.sh sees it as just normal openssl-1.02a, i.e. rename to openssl-1.0.2a.tar.gz
     
  9. rdan

    Thanks a lot :|
    Can you please give the right cipher?
    I don't want to support older browsers/systems, just want to have performance :)
     
  10. eva2000

  11. rdan

    So the config should be?
     
  12. eva2000

    that's the first 3 ciphers as an example, but there's the whole list after that, so that ain't the whole cipher list. Just take the existing cipher list and add the 2 chacha ones to the front
     
  13. rdan

    I'm sorry but I'm confused :/
    Can you please list the ones you use here? If possible.
     
  14. eva2000

    cipher list from Nginx HTTPS / SSL Google SPDY configuration, add the 2 in front

    Code:
    ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
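
An added example, not part of the thread or of Centmin Mod: it splits the cipher string posted above and labels each entry by name, which shows how much of the list is legacy fallback. The label names, function names and the `modern_only` filter are this example's own assumptions, and classification is by name pattern only (it does not ask OpenSSL what the group keywords expand to).

```bash
#!/usr/bin/env bash
# Cipher string as posted above; the trailing ";" is nginx syntax and is stripped.
PAGE_LIST='ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;'

# classify_cipher TOKEN: label one token of an OpenSSL cipher string by its name.
classify_cipher() {
  case "$1" in
    '!'*)           echo exclusion ;;  # removes suites from the result
    ECDHE-*-CHACHA20-POLY1305|ECDHE-*-GCM-*|DHE-*-GCM-*)
                    echo aead-fs ;;    # ephemeral key exchange + AEAD
    ECDHE-*|DHE-*)  echo cbc-fs ;;     # ephemeral key exchange + CBC
    *+*)            echo keyword ;;    # combined selector such as kEDH+AESGCM
    *-*)            echo no-fs ;;      # named suite without ECDHE/DHE
    *)              echo keyword ;;    # bare group such as AES
  esac
}

# audit_ciphers LIST: print "label token" for every entry, in list order.
audit_ciphers() {
  printf '%s\n' "${1%';'}" | tr ':' '\n' | while IFS= read -r tok; do
    if [ -n "$tok" ]; then
      printf '%-10s %s\n' "$(classify_cipher "$tok")" "$tok"
    fi
  done
}

# count_label LIST LABEL: number of entries carrying LABEL.
count_label() {
  audit_ciphers "$1" | awk -v want="$2" '$1 == want { n++ } END { print n + 0 }'
}

# modern_only LIST: the forward-secret AEAD entries, rejoined with ":".
modern_only() {
  audit_ciphers "$1" |
    awk '$1 == "aead-fs" { printf "%s%s", sep, $2; sep = ":" } END { print "" }'
}

for label in aead-fs cbc-fs no-fs keyword exclusion; do
  printf '%-10s %s\n' "$label" "$(count_label "$PAGE_LIST" "$label")"
done
modern_only "$PAGE_LIST"
```
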
     
  15. rdan

    So as long as the .tar.gz file and openssl-1.0.2a folder are there (/svr-setup/) it will not be overwritten with default openssl on every nginx upgrade?
     
  16. eva2000

    centmin.sh only downloads a new one if the version number is different in centmin.sh or if the .tar.gz doesn't exist. If the replaced one has the same name, centmin.sh skips the download
     
  17. rdan

  18. eva2000

    yeah that works, or just download the tar.gz one
    Code:
    wget https://github.com/PeterMosmans/openssl/archive/1.0.2-chacha.tar.gz
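
An added example, not part of the thread or of Centmin Mod: the rename step described above, done so that both the tarball name and the directory inside it become `openssl-1.0.2a`, with a sidecar file recording the source archive's SHA-256 and original names. The function names, the `.origin` sidecar and the demo tarball are assumptions of this example; it expects GNU `tar` and `sha256sum`.

```bash
#!/usr/bin/env bash
# repack_as SRC NAME DEST: rebuild tarball SRC as DEST/NAME.tar.gz whose single
# top-level directory is NAME/, and note next to it what the contents really are.
repack_as() {
  src=$1; name=$2; dest=$3
  work=$(mktemp -d) || return 1
  tar -xzf "$src" -C "$work" || { rm -rf "$work"; return 1; }
  set -- "$work"/*                       # expect exactly one top-level directory
  if [ "$#" -ne 1 ] || [ ! -d "$1" ]; then
    echo "repack_as: $src does not have a single top-level directory" >&2
    rm -rf "$work"; return 1
  fi
  top=$(basename "$1")
  if [ "$top" != "$name" ]; then mv "$1" "$work/$name"; fi
  mkdir -p "$dest"
  tar -czf "$dest/$name.tar.gz" -C "$work" "$name"
  # The result carries the official file name but not the official contents,
  # so keep the source archive's hash and original names beside it.
  printf '%s  %s  (was %s/ in %s)\n' "$(sha256sum "$src" | cut -d' ' -f1)" \
    "$name.tar.gz" "$top" "$(basename "$src")" > "$dest/$name.tar.gz.origin"
  rm -rf "$work"
}

# top_dir_of TARBALL: print the distinct top-level entries of a tarball.
top_dir_of() { tar -tzf "$1" | cut -d/ -f1 | sort -u; }

# demo: constructed stand-in for the fork's archive (not the real download).
demo() {
  t=$(mktemp -d)
  mkdir -p "$t/openssl-1.0.2-chacha/ssl"
  echo placeholder > "$t/openssl-1.0.2-chacha/ssl/README"
  tar -czf "$t/1.0.2-chacha.tar.gz" -C "$t" openssl-1.0.2-chacha
  repack_as "$t/1.0.2-chacha.tar.gz" openssl-1.0.2a "$t/svr-setup" || return 1
  top_dir_of "$t/svr-setup/openssl-1.0.2a.tar.gz"
  cat "$t/svr-setup/openssl-1.0.2a.tar.gz.origin"
  rm -rf "$t"
}
demo
```

On a real server the call would be `repack_as 1.0.2-chacha.tar.gz openssl-1.0.2a /svr-setup`, after which the `.origin` file is the only on-disk record that the archive is the fork rather than the official release.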
     
  19. rdan

  20. eva2000
