OpenSSL 1.1.1 Beta 4 released

Discussion in 'CentOS, Redhat & Oracle Linux News' started by bassie, May 2, 2018.

  1. bassie

  2. eva2000

    Thanks for the heads up. Less than 2 weeks to go! :D
     
  3. eva2000

    Other uses for OpenSSL i.e. stunnel :D
    Code (Text):
    stunnel -v
    [ ] Clients allowed=256000
    [.] stunnel 5.45 on x86_64-pc-linux-gnu platform
    [.] Compiled/running with OpenSSL 1.1.1-pre6 (beta) 1 May 2018
    [.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
    [ ] errno: (*__errno_location ())
    [!] Invalid configuration file name "-v"
    [!] realpath: No such file or directory (2)
    [ ] Deallocating section defaults
    

    Code (Text):
    /usr/local/bin/stunnel -v
    [ ] Clients allowed=256000
    [.] stunnel 5.45 on x86_64-pc-linux-gnu platform
    [.] Compiled/running with OpenSSL 1.1.0h  27 Mar 2018
    [.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
    [ ] errno: (*__errno_location ())
    [!] Invalid configuration file name "-v"
    [!] realpath: No such file or directory (2)
    [ ] Deallocating section defaults
    

    Code (Text):
    /usr/bin/stunnel -v
    [ ] Clients allowed=256000
    [.] stunnel 5.44 on x86_64-redhat-linux-gnu platform
    [.] Compiled/running with OpenSSL 1.0.2k-fips  26 Jan 2017
    [.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
    [ ] errno: (*__errno_location ())
    [!] Invalid configuration file name "-v"
    [!] realpath: No such file or directory (2)
    
     
  4. eva2000

    OpenSSL 1.1.1-pre6 (beta4) looking good for boosting custom stunnel performance with ECDSA

    upload_2018-5-8_2-34-8.png

    Running Redis 4.0.9 through an encrypted stunnel 5.45 with a TLS v1.3 ECDSA 256-bit configuration was the fastest when stunnel was compiled with jemalloc 5.0.1 (instead of the standard glibc malloc) = 40-50% faster than the standard stunnel RSA 2048-bit TLS v1.2 config :)

    2 CPU core Intel E5-2670v1 at 2.60GHz OpenVZ test VPS

    redis-stunnel-benchmarks-01.png

    Redis doesn't natively support SSL, so remote Redis servers communicate in plain text, unencrypted. But there's a pull request for adding native Redis SSL support. So to secure the traffic, folks usually tunnel remote Redis traffic through an encrypted tunnel, i.e. stunnel or spiped, but it has a performance hit due to the encryption.
    So for now OpenSSL 1.1.1 is doing its part for faster ECDSA performance, thus potentially boosting the performance of stunnel if installed and configured optimally :D
    Code (Text):
    stunnel -version
    stunnel 5.45 on x86_64-pc-linux-gnu platform
    Compiled/running with OpenSSL 1.1.1-pre6 (beta) 1 May 2018
    Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
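
    As an added example (not code from this post, from stunnel or from Redis), the setup described above in runnable form: an ECDSA P-256 key and self-signed certificate for stunnel, plus a server-side and a client-side stunnel.conf that carry Redis (6379) over TLS. The hostname redis.example.internal, the scratch directory and port 6380 are constructed placeholders. It pins TLS 1.2 rather than the 1.3 beta, and the client side turns on verifyChain/checkHost, because without them stunnel does not authenticate the server at all and the tunnel protects against eavesdropping only, not against an impostor endpoint. Requires the openssl CLI.

```shell
#!/bin/sh
# Added example for this thread, not code from the forum post, stunnel or Redis:
# generate an ECDSA P-256 key pair and self-signed certificate for stunnel, then
# write a server-side and a client-side stunnel.conf that carry Redis (6379) over
# TLS 1.2 with ECDHE-ECDSA suites. Hostnames, paths and ports are constructed
# placeholders. Requires the openssl CLI.
set -eu

WORKDIR="${WORKDIR:-./stunnel-redis-example}"          # assumption: scratch dir
REDIS_HOST="${REDIS_HOST:-redis.example.internal}"     # constructed hostname

# gen_ecdsa_cert DIR CN: P-256 key + 1-year self-signed cert, key readable by owner only
gen_ecdsa_cert() {
  mkdir -p "$1"
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/stunnel.key"
  openssl req -new -x509 -key "$1/stunnel.key" -out "$1/stunnel.crt" \
    -days 365 -subj "/CN=$2"
  chmod 600 "$1/stunnel.key"
}

# cert_curve CRT: print the named curve of the certificate's public key
# (e.g. prime256v1), so a deployment can check it really got an ECDSA cert
cert_curve() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *ASN1 OID: *//p'
}

# write_server_conf DIR: TLS listener in front of a plaintext Redis on localhost
write_server_conf() {
  cat > "$1/stunnel-server.conf" <<EOF
; constructed example: stunnel terminating TLS in front of Redis
foreground = yes
pid =
debug = notice

[redis-tls]
accept     = 0.0.0.0:6380
connect    = 127.0.0.1:6379
cert       = $1/stunnel.crt
key        = $1/stunnel.key
sslVersion = TLSv1.2
ciphers    = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384
EOF
}

# write_client_conf DIR: local plaintext port for redis-cli, TLS out to the server.
# verifyChain + checkHost make the client reject any server not presenting the
# pinned certificate; stunnel performs no verification without them.
write_client_conf() {
  cat > "$1/stunnel-client.conf" <<EOF
; constructed example: stunnel client pinned to the server certificate above
foreground = yes
pid =
debug = notice

[redis-tls]
client      = yes
accept      = 127.0.0.1:6379
connect     = $REDIS_HOST:6380
CAfile      = $1/stunnel.crt
verifyChain = yes
checkHost   = $REDIS_HOST
sslVersion  = TLSv1.2
EOF
}

# conf_verifies_peer CONF: succeeds if the client config enables chain verification
conf_verifies_peer() {
  grep -q '^verifyChain *= *yes' "$1"
}

gen_ecdsa_cert "$WORKDIR" "$REDIS_HOST"
write_server_conf "$WORKDIR"
write_client_conf "$WORKDIR"
echo "certificate curve: $(cert_curve "$WORKDIR/stunnel.crt")"
```

    On the Redis host run stunnel with stunnel-server.conf next to a Redis bound to 127.0.0.1 only; on each client run it with stunnel-client.conf and point redis-cli at 127.0.0.1:6379. Because the client trusts exactly the one certificate in CAfile, rotating the server certificate means redistributing stunnel.crt to the clients.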
    
     
  5. bassie

    8th May 2018, release readiness check.
     
  6. eva2000

    Sweet, if all is well we may see the final OpenSSL 1.1.1 today or within the next week or so!
     
  7. bassie

    Yup. On the other side, there is absolutely no reason to use OpenSSL 1.1.1.

    0-day software is, despite the predicate "stable", not stable on day 0.
    There are still too many routers with TLS 1.3 problems.
    So using TLS 1.3 is definitely not recommended in production.

    One of the interesting features of OpenSSL 1.1.1 is already applicable to version 1.0:
    OpenSSL - [PATCH]30-40% ECDSA performance improvement - OpenSSL 1.1
     
  8. eva2000

    Indeed, web browsers: hurry up with the latest TLSv1.3 draft too!
     
  9. eva2000

    Yeah, just updated Centmin Mod 123.09beta01 with a variable so users can disable TLS v1.3 in OpenSSL 1.1.1 if they want to: Beta Branch - add OPENSSL_TLSONETHREE TLSv1.3 control variable for OpenSSL 1.1.1

    i.e.
    excerpt of nginx compile routine related to OpenSSL 1.1.1-pre6
    Code (Text):
    make[1]: Entering directory `/svr-setup/nginx-1.13.12'
    cd ../pcre-8.42 \
    && if [ -f Makefile ]; then make distclean; fi \
    && CC="ccache gcc" CFLAGS="-O2 -fomit-frame-pointer -pipe " \
    ./configure --disable-shared  --enable-jit
    cd ../openssl-1.1.1-pre6 \
    && if [ -f Makefile ]; then make clean; fi \
    && ./config --prefix=/svr-setup/nginx-1.13.12/../openssl-1.1.1-pre6/.openssl no-shared no-threads enable-ec_nistp_64_gcc_128 no-tls1_3 \
    && make \
    && make install_sw LIBDIR=lib
     
  10. bassie

    I fully understand the web creators.

    With this Oompa Loompa behaviour of the TLS 1.3 standard commission, you consciously wait 3 times longer, because otherwise you can flee a lot of time and money again after the commission gets a nice idea and starts the standard all over again.
     
  11. bassie

  12. eva2000

    Yeah - may even have a delayed release ?
     
  13. bassie

    Sure, that is possible, even though the developers have never given a fixed release date. The first possibility is May 15th. That is there; more is not there.
     
  14. bassie

    No way a release today (or in the coming days).

    TLS 1.3 draft 28 (final) was only added a few hours ago: Suport TLSv1.3 draft 28 · openssl/[email protected]

    Given the fact that they won't release OpenSSL 1.1.1 without the final bits, and need to test the newly added code anyway.

     
  15. eva2000

    Looks like a delayed release as suspected !
     
  16. bassie

    Confirmed. No OpenSSL 1.1.1 release in the near future.
     
  17. eva2000

    Yeah, as suspected, more work to be done!

    But awesome pull request for supporting multiple TLS 1.3 drafts :D

     
  18. bassie

    Quite useless, as discussed here. More useless code means a longer wait for final releases, more opportunities :) for bugs, etc. etc. Less is more.
     