
OpenSSL 1.1.0 is about to be released

Discussion in 'CentOS, Redhat & Oracle Linux News' started by buik, Jul 2, 2016.

  1. buik

    buik “The best traveler is one without a camera.”

    2,026
    524
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,674
    Local Time:
    11:34 PM
  2. eva2000

    eva2000 Administrator Staff Member

    54,107
    12,179
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,739
    Local Time:
    8:34 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
  3. buik

    buik “The best traveler is one without a camera.”

    2,026
    524
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,674
    Local Time:
    11:34 PM
    Compressed source package isn't on the OpenSSL server yet.
    Did the name trick a few minutes ago, without luck.
     
  4. buik

    buik “The best traveler is one without a camera.”

    2,026
    524
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,674
    Local Time:
    11:34 PM
  5. eva2000

    eva2000 Administrator Staff Member

    54,107
    12,179
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,739
    Local Time:
    8:34 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    To use OpenSSL 1.1.0 in the Centmin Mod 123.09beta01 branch's Nginx 1.11.3 you just need to set, in the persistent config file /etc/centminmod/custom_config.inc, the switch from LibreSSL 2.4 back to OpenSSL, and specifically set the OPENSSL_VERSION variable to override Centmin Mod's default OPENSSL_VERSION='1.0.2h' value (I have yet to update 123.09beta01 to default to 1.1.0):
    Code (Text):
    LIBRESSL_SWITCH='n'
    OPENSSL_VERSION='1.1.0'

    then run centmin.sh menu option 4 to recompile Nginx

    however, Nginx 1.11.3 doesn't have the OpenSSL 1.1.0 patches which landed in the soon-to-be Nginx 1.11.4 / master branch, so without them you fail to compile Nginx 1.11.3 + OpenSSL 1.1.0:
    Code (Text):
            src/event/ngx_event_openssl.c
    src/event/ngx_event_openssl.c:2026:21: error: use of undeclared identifier 'SSL_R_NO_CIPHERS_PASSED'
                || n == SSL_R_NO_CIPHERS_PASSED                          /*  182 */
                        ^
    1 error generated.
    make[1]: *** [objs/src/event/ngx_event_openssl.o] Error 1
    make[1]: Leaving directory `/svr-setup/nginx-1.11.3'
    make: *** [build] Error 2


    Current Centmin Mod 123.09beta01 code was only coded to apply OpenSSL 1.1.0 patches to -pre tagged betas and nginx version <1.11.3. So I updated 123.09beta01 to apply the patch for the non -pre tagged final 1.1.0 release and nginx versions <1.11.3 (until the Nginx 1.11.4 public release). Centmin Mod will skip applying the patch when it detects you want to update to 1.11.4+.

    excerpt from a centmin.sh menu option 4 run:
    Code (Text):
    patching nginx for OpenSSL 1.1.0 pre beta support
    patch -p1 < /usr/local/src/centminmod/patches/nginx/openssl-110pre6.patch
    patching file src/event/ngx_event_openssl.c
    Hunk #1 succeeded at 2023 (offset 24 lines).
    


    So update to the latest 123.09beta01 code via centmin.sh menu option 23, submenu option 2:

    Code (Text):
    --------------------------------------------------------
         Centmin Mod Menu 123.09beta01 centminmod.com 
    --------------------------------------------------------
    1).  Centmin Install
    2).  Add Nginx vhost domain
    3).  NSD setup domain name DNS
    4).  Nginx Upgrade / Downgrade
    5).  PHP Upgrade / Downgrade
    6).  XCache Re-install
    7).  APC Cache Re-install
    8).  XCache Install
    9).  APC Cache Install
    10). Memcached Server Re-install
    11). MariaDB 5.2/5.5 & 10.x Upgrade Sub-Menu
    12). Zend OpCache Install/Re-install
    13). Install/Reinstall Redis PHP Extension
    14). SELinux disable
    15). Install/Reinstall ImagicK PHP Extension
    16). Change SSHD Port Number
    17). Multi-thread compression: pigz,pbzip2,lbzip2...
    18). Suhosin PHP Extension install
    19). Install FFMPEG and FFMPEG PHP Extension
    20). NSD Install/Re-Install
    21). Update - Nginx + PHP-FPM + Siege
    22). Add Wordpress Nginx vhost + Cache Plugin
    23). Update Centmin Mod Code Base
    24). Exit
    --------------------------------------------------------
    Enter option [ 1 - 24 ] 23
    --------------------------------------------------------
    

    Code (Text):
    --------------------------------------------------------
            Centmin Mod Updater Sub-Menu         
    --------------------------------------------------------
    1). Setup Centmin Mod Github Environment
    2). Update Centmin Mod Current Branch
    3). Update Centmin Mod Newer Branch
    4). Exit
    --------------------------------------------------------
    Enter option [ 1 - 4 ] 

    exit the centmin.sh menu via option 24 and then change back into the /usr/local/src/centminmod directory

    Ensure you still have the persistent config file /etc/centminmod/custom_config.inc set to switch back from the default Nginx + LibreSSL 2.4 branch to Nginx + OpenSSL and to override the default 1.0.2h version with 1.1.0:
    Code (Text):
    LIBRESSL_SWITCH='n'
    OPENSSL_VERSION='1.1.0'

    and relaunch centmin.sh and menu option 4 to recompile Nginx 1.11.3, the current public mainline release available.

    End result Nginx 1.11.3 + OpenSSL 1.1.0 :D

    On CentOS 7.2 64bit
    Note: OpenSSL-paired Nginx takes a lot longer to compile than when paired with the default out-of-the-box LibreSSL. It's one of the reasons I chose LibreSSL, for its compilation speed with Nginx.

    edit: almost forgot, the OpenSSL folks said that 1.0.x didn't support multi-threaded make but their next release (assuming 1.1.0) would: make -j parallel support ? · Issue #298 · openssl/openssl · GitHub

    so I am updating the Centmin Mod 123.09beta01 branch to detect OpenSSL 1.1.0 and enable make -j XX, where XX is the number of cpu threads available (auto-detected by centmin.sh from the system cpu thread count).

    seems to have reduced the nginx 1.11.3 recompile time by ~21% to ~31% with openssl 1.1.0 with the updated code
     
    Last edited: Aug 26, 2016
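The gating the post describes (apply the nginx-side OpenSSL 1.1.0 patch only for an OpenSSL 1.1.0 build, -pre tagged or final, with LibreSSL switched off, and skip it once nginx is 1.11.4+; enable make -j only from OpenSSL 1.1.0 on), as an added example of my own rather than Centmin Mod's code. OPENSSL_VERSION and LIBRESSL_SWITCH are the post's config keys; the function names, NGINX_VERSION and the cpu_threads helper are assumptions.

```shell
#!/bin/sh
# Added example, not Centmin Mod's own code: version gating for the nginx
# OpenSSL 1.1.0 patch and for parallel make, as described in the post above.
# Assumed: function names, NGINX_VERSION and the cpu_threads helper.

# True (exit 0) when dotted version $1 is lower than $2.
# A "-preN" tag is ignored, so 1.1.0-pre6 sorts like 1.1.0; letter
# suffixes such as the "h" in 1.0.2h are dropped by awk's numeric coercion.
version_lt() {
  awk -v a="${1%%-pre*}" -v b="${2%%-pre*}" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = na > nb ? na : nb
    for (i = 1; i <= n; i++)
      if (x[i] + 0 != y[i] + 0) exit ((x[i] + 0 < y[i] + 0) ? 0 : 1)
    exit 1
  }'
}

# Apply the nginx-side OpenSSL 1.1.0 patch only when building against
# OpenSSL (LIBRESSL_SWITCH='n'), the requested OpenSSL is a 1.1.0 build
# (final or -pre tagged) and nginx is older than 1.11.4, which carries the
# fix upstream (the post: skip the patch for 1.11.4+).
# $1 = OPENSSL_VERSION, $2 = NGINX_VERSION, $3 = LIBRESSL_SWITCH
need_openssl110_patch() {
  [ "$3" = "n" ] || return 1
  case "$1" in 1.1.0*) ;; *) return 1 ;; esac
  version_lt "$2" 1.11.4
}

# Detected cpu thread count, with a fallback for systems without nproc.
cpu_threads() {
  nproc 2>/dev/null || getconf _NPROCESSORS_ONLN 2>/dev/null || echo 1
}

# OpenSSL 1.0.x make is not -j safe (openssl issue #298 linked in the post),
# so parallel make is only enabled from 1.1.0 on.  $1 = OPENSSL_VERSION, $2 = threads
openssl_make_flags() {
  if version_lt "$1" 1.1.0; then echo ""; else echo "-j$2"; fi
}

# Walk through the post's configuration
LIBRESSL_SWITCH='n'; OPENSSL_VERSION='1.1.0'; NGINX_VERSION='1.11.3'
if need_openssl110_patch "$OPENSSL_VERSION" "$NGINX_VERSION" "$LIBRESSL_SWITCH"; then
  echo "patching nginx $NGINX_VERSION for OpenSSL $OPENSSL_VERSION support"
else
  echo "no nginx patch needed for nginx $NGINX_VERSION / OpenSSL $OPENSSL_VERSION"
fi
echo "OpenSSL make flags: '$(openssl_make_flags "$OPENSSL_VERSION" "$(cpu_threads)")'"
```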
  6. buik

    buik “The best traveler is one without a camera.”

    2,026
    524
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,674
    Local Time:
    11:34 PM
    Did it pass the Qualys SSL Labs test as written in my post a while ago?
    With the same patch and pre OpenSSL 1.1.0 it crashed at that moment.
     
  7. eva2000

    eva2000 Administrator Staff Member

    54,107
    12,179
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,739
    Local Time:
    8:34 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    local virtualbox testing on my laptop right now :)
     
  8. eva2000

    eva2000 Administrator Staff Member

    54,107
    12,179
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,739
    Local Time:
    8:34 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Testing if the latest OpenResty Lua Nginx module 0.10.6 supports OpenSSL 1.1.0 via the persistent config file /etc/centminmod/custom_config.inc, as the OpenResty Lua Nginx modules are disabled by default in Centmin Mod stable and latest 123.09beta01 and are only supported in 123.09beta01 when you enable them via ORESTY_LUANGINX='y':
    Code (Text):
    LIBRESSL_SWITCH='n'
    OPENSSL_VERSION='1.1.0'
    
    ORESTY_LUANGINX='y'
    

    unfortunately, the OpenResty Lua Nginx 0.10.6 module isn't compatible with OpenSSL 1.1.0 as yet: Build fails with OpenSSL 1.1 · Issue #757 · openresty/lua-nginx-module · GitHub
    Code (Text):
            -o objs/addon/src/ngx_http_lua_module.o \
            ../lua-nginx-module-0.10.6/src/ngx_http_lua_module.c
    ../lua-nginx-module-0.10.6/src/ngx_http_lua_module.c:1004:33: error: incompatible pointer types passing 'SSL_SESSION *(SSL *, u_char *, int, int *)' to parameter of type 'SSL_SESSION *(*)(struct ssl_st *, const unsigned char *, int, int *)' [-Werror,-Wincompatible-pointer-types]
                                    ngx_http_lua_ssl_sess_fetch_handler);
                                    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ../openssl-1.1.0/.openssl/include/openssl/ssl.h:619:45: note: passing argument to parameter 'get_session_cb' here
                                 SSL_SESSION *(*get_session_cb) (struct ssl_st
                                                ^
    1 error generated.
    make[1]: *** [objs/addon/src/ngx_http_lua_module.o] Error 1
    make[1]: Leaving directory `/svr-setup/nginx-1.11.3'
    make: *** [install] Error 2
     
  9. eva2000

    eva2000 Administrator Staff Member

    54,107
    12,179
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,739
    Local Time:
    8:34 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
  10. buik

    buik “The best traveler is one without a camera.”

    2,026
    524
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,674
    Local Time:
    11:34 PM
    Simple SSL Server Test (Powered by Qualys SSL Labs) crashed Nginx completely.
    (downtime, 100% CPU on all CPUs, non-responding Nginx, error logs etc.)

    But as written in the above post it was the OpenSSL git clone of 25 June.
    More than 2 months ago. A lot could have changed since then with both Nginx and OpenSSL.
     
  11. buik

    buik “The best traveler is one without a camera.”

    2,026
    524
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,674
    Local Time:
    11:34 PM
    Hmm, you should also add this patch code:

    Code:
    Index: src/event/ngx_event_openssl.c
    ===================================================================
    --- a/src/event/ngx_event_openssl.c
    +++ b/src/event/ngx_event_openssl.c
    @@ -2987,5 +2987,5 @@
             ngx_memcpy(name, key[0].name, 16);
     
    -        return 0;
    +        return 1;
     
         } else {
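    Review bot: the hunk carries only five context lines, so state which branch the `return 0` → `return 1` sits in: the `ngx_memcpy(name, key[0].name, 16)` just above is the enc == 1 (ticket issue) path of nginx's session ticket key callback, and OpenSSL 1.1.0 reads a 0 return from that path as "issue no ticket", which is exactly the "session ticket handling won't work" symptom described below; 1 is also the documented success value under OpenSSL 1.0.x, so `return 1;` needs no version guard. The decrypt path, whose 0/1/2 return values keep their meaning, is untouched. Also note where the change originates so the patch file Centmin Mod ships can carry that attribution in a comment.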
    Otherwise session ticket handling won't work if you build Nginx 1.11.3 + OpenSSL 1.1.0
     
    Last edited: Sep 3, 2016
  12. eva2000

    eva2000 Administrator Staff Member

    54,107
    12,179
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,739
    Local Time:
    8:34 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    cheers

    Where's the original source of this patch?

    edit: ah found it nginx: 3eb1a92a2f05 :)
     
    Last edited: Sep 4, 2016
  13. eva2000

    eva2000 Administrator Staff Member

    54,107
    12,179
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,739
    Local Time:
    8:34 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Updated Centmin Mod 123.09beta01 OpenSSL 1.1.0 patch routine with the additional patch for nginx session tickets. Thanks @bassie for the heads up :)

    Code (Text):
    *************************************************
    Nginx Patch Time - 1 seconds delay
    to allow you to patch files
    *************************************************
      _   _         _                 ___                       ____  ____   _   
     | \ | |  __ _ (_) _ __  __  __  / _ \  _ __    ___  _ __  / ___|/ ___| | | 
     |  \| | / _` || || '_ \ \ \/ / | | | || '_ \  / _ \| '_ \ \___ \\___ \ | | 
     | |\  || (_| || || | | | >  <  | |_| || |_) ||  __/| | | | ___) |___) || |___
     |_| \_| \__, ||_||_| |_|/_/\_\  \___/ | .__/  \___||_| |_||____/|____/ |_____|
             |___/                         |_|                                   
                    _     _     ___    ____         _         _   
                   / |   / |   / _ \  |  _ \  __ _ | |_  ___ | |__
                   | |   | |  | | | | | |_) |/ _` || __|/ __|| '_ \
                   | | _ | | _| |_| | |  __/| (_| || |_| (__ | | | |
                   |_|(_)|_|(_)\___/  |_|    \__,_| \__|\___||_| |_|
                                                                  
    
    patching nginx for OpenSSL 1.1.0 support
    patch -p1 < /usr/local/src/centminmod/patches/nginx/openssl-110pre6.patch
    patching file src/event/ngx_event_openssl.c
    Hunk #1 succeeded at 2023 (offset 24 lines).
    patch -p1 < /usr/local/src/centminmod/patches/nginx/openssl-110ticket.patch
    patching file src/event/ngx_event_openssl.c
    Hunk #1 succeeded at 2985 (offset -1 lines).
    
    nginx patched for OpenSSL 1.1.0


     
  14. eva2000

    eva2000 Administrator Staff Member

    54,107
    12,179
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,739
    Local Time:
    8:34 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
  15. buik

    buik “The best traveler is one without a camera.”

    2,026
    524
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,674
    Local Time:
    11:34 PM
    Releasing the statement and security patch code within 24 hours. Weird time frame, no time to prepare at all
    for patching and updating packages.
     
  16. eva2000

    eva2000 Administrator Staff Member

    54,107
    12,179
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,739
    Local Time:
    8:34 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Indeed
     
  17. buik

    buik “The best traveler is one without a camera.”

    2,026
    524
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,674
    Local Time:
    11:34 PM
    Seems they disabled the CVE code add-ons on GitHub till tomorrow. :(
     
  18. buik

    buik “The best traveler is one without a camera.”

    2,026
    524
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,674
    Local Time:
    11:34 PM
    CVE patches available at Commits · openssl/openssl · GitHub
    Should not take much longer to release the whole version C package.