
OpenSSL OpenSSL 1.1.1 First Alpha Pre-Release 1 Out

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Feb 14, 2018.

  1. eva2000

    eva2000 Administrator Staff Member

    53,142
    12,108
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,643
    Local Time:
    12:17 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    For folks like @bassie and I who are following OpenSSL 1.1.1 and TLS1.3 developments, OpenSSL folks have officially announced the first pre-release 1 Alpha build: [openssl-announce] OpenSSL version 1.1.1 pre release 1 published :D

    /news/openssl-1.1.1-notes.html

    OpenSSL alpha adds TLS 1.3 support


     
  2. eva2000

    Centmin Mod Nginx 1.13.9 (from nginx master branch compiled) with OpenSSL 1.1.1-pre1 alpha + GCC 8.0.1. Seems Centmin Mod Nginx compile routine is missing --with-openssl-opt='enable-tls1_3' option which should have been added. Will have to double check my compile routine to see why auto adding --with-openssl-opt='enable-tls1_3' was skipped when OpenSSL 1.1.1 was detected.
    edit: I remember now. For OpenSSL 1.1.1 dev testing I coded Nginx compile routine to only enable Nginx TLS 1.3 in configuration if persistent config file /etc/centminmod/custom_config.inc variable was added for TLSONETHREE='y'. For testing, not production use, persistent config file needed these 3 variables set prior to Nginx recompiles via centmin.sh menu option 4. LIBRESSL_SWITCH='n' tells Nginx to compile with OpenSSL instead of LibreSSL crypto library and OPENSSL_VERSION set overrides the default 1.1.0g version set.
    Code (Text):
    TLSONETHREE='y'
    LIBRESSL_SWITCH='n'
    OPENSSL_VERSION='1.1.1-pre1'
    

    But looks like I need to rework the TLSONETHREE='y' set routines as I coded TLSONETHREE='y' to take OpenSSL 1.1.1 from Github dev/master branch so it skipped over OpenSSL 1.1.1-pre1 downloaded source code. Guess more work is needed for Centmin Mod Nginx routines :)
    edit 2: ok reworked Nginx compile routines so that TLSONETHREE='y' when set still pulls from OpenSSL 1.1.1-dev master branch code, but when TLSONETHREE variable is not set, it can pull from OpenSSL downloaded version source code i.e. 1.1.1-pre1 source code.

    For 123.09beta01 to update code just run SSH command = cmupdate
    Code (Text):
    cmupdate
    
    remote: Counting objects: 12, done.
    remote: Compressing objects: 100% (1/1), done.
    remote: Total 12 (delta 11), reused 12 (delta 11), pack-reused 0
    Unpacking objects: 100% (12/12), done.
    From https://github.com/centminmod/centminmod
       2da737c..5b0dda6  123.09beta01 -> origin/123.09beta01
    Updating 2da737c..5b0dda6
    Fast-forward
     addons/acmetool.sh      |  5 +++--
     inc/nginx_configure.inc | 29 +++++++++++++++++++++++++++--
     inc/nginx_install.inc   |  5 +++--
     inc/nginx_patch.inc     |  4 ++--
     inc/nginx_upgrade.inc   |  5 +++--
     inc/openssl_install.inc | 22 ++++++++++++++--------
     tools/nv.sh             |  5 +++--
     7 files changed, 55 insertions(+), 20 deletions(-)
    

    So only need to set in persistent config file the following:
    Code (Text):
    LIBRESSL_SWITCH='n'
    OPENSSL_VERSION='1.1.1-pre1'
    

    /usr/local/nginx/conf/ssl_include.conf include file contents which is included in each auto generated Nginx vhost's HTTPS config file i.e. domain.com.ssl.conf
    Code (Text):
    ssl_session_cache      shared:SSL:10m;
    ssl_session_timeout    60m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    
     
  3. buik

    buik “The best traveler is one without a camera.”

    1,990
    518
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,647
    Local Time:
    4:17 PM
    What ciphersuites are you using for TLS 1.3?
     
  4. eva2000

    haven't updated the ciphers for months since last TLS 1.3 testing but they're currently set to via prefix variable TLSONETHREE_CIPHERS which gets tacked in front of existing ssl cipher set in vhost templates only when TLS 1.3 is detected.
    Code (Text):
    TLSONETHREE_CIPHERS='TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:'
    
     
  5. eva2000

    FYI @bassie Cloudflare HPACK patch is broken with Nginx 1.13.9 again hehe - updated 123.09beta01 to temporarily disable NGINX_HPACK='n' when nginx version 1.13.9+ is detected.
    Code (Text):
    patching nginx http/2 full HPACK encoding support
    nginx-1.13.6_http2-hpack.patch
    patch -p1 < /usr/local/src/centminmod/patches/cloudflare/nginx-1.13.6_http2-hpack.patch
    patching file auto/modules
    patching file auto/options
    patching file src/core/ngx_murmurhash.c
    patching file src/core/ngx_murmurhash.h
    patching file src/http/v2/ngx_http_v2.c
    Hunk #1 succeeded at 247 with fuzz 1.
    Hunk #2 succeeded at 2049 with fuzz 1 (offset 27 lines).
    patching file src/http/v2/ngx_http_v2.h
    Hunk #1 succeeded at 53 with fuzz 2 (offset 4 lines).
    Hunk #2 succeeded at 121 (offset 4 lines).
    Hunk #3 succeeded at 176 (offset 7 lines).
    Hunk #4 FAILED at 196.
    Hunk #5 succeeded at 407 (offset 10 lines).
    1 out of 5 hunks FAILED -- saving rejects to file src/http/v2/ngx_http_v2.h.rej
    patching file src/http/v2/ngx_http_v2_filter_module.c
    Hunk #1 succeeded at 26 (offset 1 line).
    Hunk #2 succeeded at 60 with fuzz 2 (offset 12 lines).
    Hunk #3 succeeded at 159 with fuzz 2 (offset 17 lines).
    Hunk #4 succeeded at 437 (offset 28 lines).
    Hunk #5 succeeded at 445 (offset 28 lines).
    Hunk #6 succeeded at 465 (offset 28 lines).
    Hunk #7 succeeded at 512 (offset 28 lines).
    Hunk #8 succeeded at 564 (offset 28 lines).
    Hunk #9 succeeded at 950 (offset 272 lines).
    Hunk #10 succeeded at 976 (offset 272 lines).
    patching file src/http/v2/ngx_http_v2_table.c
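
The patch run quoted in the post above kept going after `Hunk #4 FAILED`, which leaves a partially patched source tree. As an added example (not part of the original thread and not Centmin Mod code), this is one way a build script can gate on `patch` output; the function names are hypothetical, the first sample log is excerpted from the output above and the second is constructed in the same format.

```shell
#!/bin/sh
# Added example, not Centmin Mod code. Function names are hypothetical.

# summarize_patch_log: read `patch` output on stdin and print one summary line:
#   files=<n> failed=<n> fuzzy=<n> rejects=<comma-separated .rej paths or ->
# Returns 1 when any hunk FAILED so the caller can stop before compiling.
summarize_patch_log() {
  awk '
    /^[ \t]*patching file /                       { files++ }
    /^[ \t]*Hunk #[0-9]+ FAILED/                  { failed++ }
    /^[ \t]*Hunk #[0-9]+ succeeded .*with fuzz /  { fuzzy++ }
    / -- saving rejects to file / {
        rej = $0
        sub(/^.* -- saving rejects to file /, "", rej)
        rejects = (rejects == "" ? rej : rejects "," rej)
    }
    END {
        if (rejects == "") rejects = "-"
        printf "files=%d failed=%d fuzzy=%d rejects=%s\n", files, failed, fuzzy, rejects
        exit (failed > 0 ? 1 : 0)
    }'
}

# Sample 1: excerpt of the nginx-1.13.6 HPACK patch output quoted in the post.
failed_patch_log() {
  cat <<'EOF'
patching file src/http/v2/ngx_http_v2.c
Hunk #1 succeeded at 247 with fuzz 1.
Hunk #2 succeeded at 2049 with fuzz 1 (offset 27 lines).
patching file src/http/v2/ngx_http_v2.h
Hunk #1 succeeded at 53 with fuzz 2 (offset 4 lines).
Hunk #2 succeeded at 121 (offset 4 lines).
Hunk #3 succeeded at 176 (offset 7 lines).
Hunk #4 FAILED at 196.
Hunk #5 succeeded at 407 (offset 10 lines).
1 out of 5 hunks FAILED -- saving rejects to file src/http/v2/ngx_http_v2.h.rej
EOF
}

# Sample 2: constructed log in the same format, fuzz but no failed hunks.
fuzzy_patch_log() {
  cat <<'EOF'
patching file src/http/v2/ngx_http_v2.c
Hunk #1 succeeded at 247 with fuzz 1.
Hunk #2 succeeded at 2049 with fuzz 1 (offset 27 lines).
patching file src/http/v2/ngx_http_v2.h
EOF
}

# Demo: the first log must stop the build; the second may proceed, but the
# fuzzy count is a cue to review where those hunks actually landed.
for log in failed_patch_log fuzzy_patch_log; do
  if summary=$($log | summarize_patch_log); then
    echo "$log: ok to build ($summary)"
  else
    echo "$log: stop, patch incomplete ($summary)"
  fi
done
```

GNU patch itself exits with status 1 when some hunks cannot be applied, and `patch --dry-run` prints the same lines without touching the tree, so either can feed this gate.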
    
     
  6. buik

    Given the fact that Nginx is adding features to HTTP/2, i.e. server push,
    there is a strong chance to break every release from now on,
    as both the Cloudflare and Nginx features are based in the HTTP/2 stack.
     
    Last edited: Feb 14, 2018
  7. eva2000

    Yeah probably.. well this is what we get for living on the bleeding edge :D
     
  8. buik

    Too bad Cloudflare doesn't update nor release new patches.
    Or too bad that the Nginx team rejects so many features from the outside world.
    The developers forum is full of it.
     
  9. eva2000

    Yeah though difficult job at Nginx being the gatekeeper as to what gets added etc. My Centmin Mod project is basically just me adding and modifying code right now. If and when it gets more popular and folks start adding pull requests and features, the decisions as to what gets added or not will get harder heh

    I think I managed to merge and update cloudflare HPACK patch for nginx 1.13.9. First attempt I hit a malformed patch error, but looks like I got it. Will have to spin up h2load to test header space savings for HPACK Full Encoding :D
    Code (Text):
    patching nginx http/2 full HPACK encoding support
    nginx-1.13.9_http2-hpack.patch
    patch -p1 < /usr/local/src/centminmod/patches/cloudflare/nginx-1.13.9_http2-hpack.patch
    patching file auto/modules
    patching file auto/options
    patching file src/core/ngx_murmurhash.c
    patching file src/core/ngx_murmurhash.h
    patching file src/http/v2/ngx_http_v2.c
    Hunk #1 succeeded at 247 with fuzz 1.
    Hunk #2 succeeded at 2049 with fuzz 1 (offset 27 lines).
    patching file src/http/v2/ngx_http_v2.h
    patching file src/http/v2/ngx_http_v2_filter_module.c
    Hunk #1 succeeded at 26 (offset 1 line).
    Hunk #2 succeeded at 60 with fuzz 2 (offset 12 lines).
    Hunk #3 succeeded at 159 with fuzz 2 (offset 17 lines).
    Hunk #4 succeeded at 437 (offset 28 lines).
    Hunk #5 succeeded at 445 (offset 28 lines).
    Hunk #6 succeeded at 465 (offset 28 lines).
    Hunk #7 succeeded at 512 (offset 28 lines).
    Hunk #8 succeeded at 564 (offset 28 lines).
    Hunk #9 succeeded at 950 (offset 272 lines).
    Hunk #10 succeeded at 976 (offset 272 lines).
    patching file src/http/v2/ngx_http_v2_table.c
    

    curl headers check using custom curl 7.59 dev built against OpenSSL 1.1.1-dev for TLS1.3 and nghttp2 1.31 dev support
    Code (Text):
    curl -V
    curl 7.59.0-DEV (x86_64-pc-linux-gnu) libcurl/7.59.0-DEV OpenSSL/1.1.1 zlib/1.2.11 libpsl/0.18.0 (+libidn2/2.0.2) libssh2/1.8.0 nghttp2/1.31.0-DEV
    Release-Date: [unreleased]
    Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
    Features: AsynchDNS IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL
    

    Code (Text):
    curl --tlsv1.3 -Iskv https://http2.domain.com 2>&1 | egrep 'ALPN|SSL connection using '
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * SSL connection using TLSv1.3 / TLS13-AES-128-GCM-SHA256
    * ALPN, server accepted to use h2
    

    Code (Text):
    curl --tlsv1.3 -Ik https://http2.domain.com
    HTTP/2 200
    date: Wed, 14 Feb 2018 03:52:53 GMT
    content-type: text/html; charset=utf-8
    content-length: 6065
    last-modified: Wed, 14 Feb 2018 02:12:18 GMT
    vary: Accept-Encoding
    etag: "5a839b02-17b1"
    server: nginx centminmod
    x-powered-by: centminmod
    accept-ranges: bytes
    

    without custom curl built against OpenSSL 1.1.1 dev, you won't get TLS 1.3 support
    Code (Text):
    curl --tlsv1.3 -Ik https://http2.domain.com
    curl: (4) OpenSSL was built without TLS 1.3 support
    


    Nginx 1.13.9 HTTP/2 Full HPACK Encoding Tests



    Good news looks like my updated Cloudflare HPACK Full Encoding patch for Nginx 1.13.9 is working according to h2load header space savings tests.

    Did a 50x run h2load test to see if HTTP/2 HPACK header space savings improves with each subsequent run. See space savings increase from 41% to 94%
    Code (Text):
    h2load --version
    h2load nghttp2/1.31.0-DEV
    

    Code (Text):
    url=https://http2.domain.com
    for i in $(seq 1 50); do echo "h2load run $i"; h2load $url -n $i | tail -6 | head -1; done
    

    Code (Text):
    url=https://http2.domain.com
    
    for i in $(seq 1 50); do echo "h2load run $i"; h2load $url -n $i | tail -6 | head -1; done
    h2load run 1
    traffic: 6.13KB (6272) total, 140B (140) headers (space savings 41.42%), 5.92KB (6065) data
    h2load run 2
    traffic: 12.08KB (12365) total, 150B (150) headers (space savings 68.62%), 11.85KB (12130) data
    h2load run 3
    traffic: 18.03KB (18458) total, 160B (160) headers (space savings 77.68%), 17.77KB (18195) data
    h2load run 4
    traffic: 23.98KB (24551) total, 170B (170) headers (space savings 82.22%), 23.69KB (24260) data
    h2load run 5
    traffic: 29.93KB (30644) total, 180B (180) headers (space savings 84.94%), 29.61KB (30325) data
    h2load run 6
    traffic: 35.88KB (36737) total, 190B (190) headers (space savings 86.75%), 35.54KB (36390) data
    h2load run 7
    traffic: 41.83KB (42830) total, 200B (200) headers (space savings 88.05%), 41.46KB (42455) data
    h2load run 8
    traffic: 47.78KB (48923) total, 210B (210) headers (space savings 89.02%), 47.38KB (48520) data
    h2load run 9
    traffic: 53.73KB (55016) total, 220B (220) headers (space savings 89.77%), 53.31KB (54585) data
    h2load run 10
    traffic: 59.68KB (61109) total, 230B (230) headers (space savings 90.38%), 59.23KB (60650) data
    h2load run 11
    traffic: 65.63KB (67202) total, 240B (240) headers (space savings 90.87%), 65.15KB (66715) data
    h2load run 12
    traffic: 71.58KB (73295) total, 250B (250) headers (space savings 91.28%), 71.07KB (72780) data
    h2load run 13
    traffic: 77.53KB (79388) total, 260B (260) headers (space savings 91.63%), 77.00KB (78845) data
    h2load run 14
    traffic: 83.48KB (85481) total, 270B (270) headers (space savings 91.93%), 82.92KB (84910) data
    h2load run 15
    traffic: 89.43KB (91574) total, 280B (280) headers (space savings 92.19%), 88.84KB (90975) data
    h2load run 16
    traffic: 95.38KB (97667) total, 290B (290) headers (space savings 92.42%), 94.77KB (97040) data
    h2load run 17
    traffic: 101.33KB (103760) total, 300B (300) headers (space savings 92.62%), 100.69KB (103105) data
    h2load run 18
    traffic: 107.28KB (109853) total, 310B (310) headers (space savings 92.79%), 106.61KB (109170) data
    h2load run 19
    traffic: 113.23KB (115946) total, 320B (320) headers (space savings 92.95%), 112.53KB (115235) data
    h2load run 20
    traffic: 119.18KB (122039) total, 330B (330) headers (space savings 93.10%), 118.46KB (121300) data
    h2load run 21
    traffic: 125.13KB (128132) total, 340B (340) headers (space savings 93.23%), 124.38KB (127365) data
    h2load run 22
    traffic: 131.08KB (134225) total, 350B (350) headers (space savings 93.34%), 130.30KB (133430) data
    h2load run 23
    traffic: 137.03KB (140318) total, 360B (360) headers (space savings 93.45%), 136.23KB (139495) data
    h2load run 24
    traffic: 142.98KB (146411) total, 370B (370) headers (space savings 93.55%), 142.15KB (145560) data
    h2load run 25
    traffic: 148.93KB (152504) total, 380B (380) headers (space savings 93.64%), 148.07KB (151625) data
    h2load run 26
    traffic: 154.88KB (158597) total, 390B (390) headers (space savings 93.72%), 153.99KB (157690) data
    h2load run 27
    traffic: 160.83KB (164690) total, 400B (400) headers (space savings 93.80%), 159.92KB (163755) data
    h2load run 28
    traffic: 166.78KB (170783) total, 410B (410) headers (space savings 93.87%), 165.84KB (169820) data
    h2load run 29
    traffic: 172.73KB (176876) total, 420B (420) headers (space savings 93.94%), 171.76KB (175885) data
    h2load run 30
    traffic: 178.68KB (182969) total, 430B (430) headers (space savings 94.00%), 177.69KB (181950) data
    h2load run 31
    traffic: 184.63KB (189062) total, 440B (440) headers (space savings 94.06%), 183.61KB (188015) data
    h2load run 32
    traffic: 190.58KB (195155) total, 450B (450) headers (space savings 94.12%), 189.53KB (194080) data
    h2load run 33
    traffic: 196.53KB (201248) total, 460B (460) headers (space savings 94.17%), 195.45KB (200145) data
    h2load run 34
    traffic: 202.48KB (207341) total, 470B (470) headers (space savings 94.22%), 201.38KB (206210) data
    h2load run 35
    traffic: 208.43KB (213434) total, 480B (480) headers (space savings 94.26%), 207.30KB (212275) data
    h2load run 36
    traffic: 214.38KB (219527) total, 490B (490) headers (space savings 94.30%), 213.22KB (218340) data
    h2load run 37
    traffic: 220.33KB (225620) total, 500B (500) headers (space savings 94.35%), 219.15KB (224405) data
    h2load run 38
    traffic: 226.28KB (231713) total, 510B (510) headers (space savings 94.38%), 225.07KB (230470) data
    h2load run 39
    traffic: 232.23KB (237806) total, 520B (520) headers (space savings 94.42%), 230.99KB (236535) data
    h2load run 40
    traffic: 238.18KB (243899) total, 530B (530) headers (space savings 94.46%), 236.91KB (242600) data
    h2load run 41
    traffic: 244.13KB (249992) total, 540B (540) headers (space savings 94.49%), 242.84KB (248665) data
    h2load run 42
    traffic: 250.08KB (256085) total, 550B (550) headers (space savings 94.52%), 248.76KB (254730) data
    h2load run 43
    traffic: 256.03KB (262178) total, 560B (560) headers (space savings 94.55%), 254.68KB (260795) data
    h2load run 44
    traffic: 261.98KB (268271) total, 570B (570) headers (space savings 94.58%), 260.61KB (266860) data
    h2load run 45
    traffic: 267.93KB (274364) total, 580B (580) headers (space savings 94.61%), 266.53KB (272925) data
    h2load run 46
    traffic: 273.88KB (280457) total, 590B (590) headers (space savings 94.63%), 272.45KB (278990) data
    h2load run 47
    traffic: 279.83KB (286550) total, 600B (600) headers (space savings 94.66%), 278.37KB (285055) data
    h2load run 48
    traffic: 285.78KB (292643) total, 610B (610) headers (space savings 94.68%), 284.30KB (291120) data
    h2load run 49
    traffic: 291.73KB (298736) total, 620B (620) headers (space savings 94.71%), 290.22KB (297185) data
    h2load run 50
    traffic: 297.68KB (304829) total, 630B (630) headers (space savings 94.73%), 296.14KB (303250) data
    

    standalone run check full h2load output
    Code (Text):
    h2load https://http2.domain.com
    starting benchmark...
    spawning thread #0: 1 total client(s). 1 total requests
    TLS Protocol: TLSv1.3
    Cipher: TLS13-AES-128-GCM-SHA256
    Server Temp Key: X25519 253 bits
    Application protocol: h2
    progress: 100% done
    
    finished in 7.18ms, 139.33 req/s, 853.42KB/s
    requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
    status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
    traffic: 6.13KB (6272) total, 140B (140) headers (space savings 41.42%), 5.92KB (6065) data
                         min         max         mean         sd        +/- sd
    time for request:      339us       339us       339us         0us   100.00%
    time for connect:     6.20ms      6.20ms      6.20ms         0us   100.00%
    time to 1st byte:     6.50ms      6.50ms      6.50ms         0us   100.00%
    req/s           :     148.75      148.75      148.75        0.00   100.00%
    


    Nginx 1.13.9 HTTP/2 Server Push Test



    HTTP/2 Server push test with conditional preload link header resource hints which only show up in absence of user cookies set = browser cache aware HTTP/2 Server push implementation
    Code (Text):
    curl --tlsv1.3 -Ik https://http2.domain.com                                     
    HTTP/2 200
    date: Wed, 14 Feb 2018 04:10:04 GMT
    content-type: text/html; charset=utf-8
    content-length: 6033
    last-modified: Wed, 14 Feb 2018 04:07:54 GMT
    vary: Accept-Encoding
    etag: "5a83b61a-1791"
    server: nginx centminmod
    x-powered-by: centminmod
    set-cookie: pushcheckp=puremin
    set-cookie: pushcheckt=grid
    link: </purecss/pure-min.css>; rel=preload; as=style
    link: </purecss/grids-responsive-min.css>; rel=preload; as=style
    accept-ranges: bytes
    

    checking for PUSH_PROMISE frames
    Code (Text):
    nghttp -navs https://http2.domain.com                                                    
    [  0.003] Connected
    [WARNING] Certificate verification failed: self signed certificate
    The negotiated protocol: h2
    [  0.008] send SETTINGS frame <length=12, flags=0x00, stream_id=0>
              (niv=2)
              [SETTINGS_MAX_CONCURRENT_STREAMS(0x03):100]
              [SETTINGS_INITIAL_WINDOW_SIZE(0x04):65535]
    [  0.008] send PRIORITY frame <length=5, flags=0x00, stream_id=3>
              (dep_stream_id=0, weight=201, exclusive=0)
    [  0.008] send PRIORITY frame <length=5, flags=0x00, stream_id=5>
              (dep_stream_id=0, weight=101, exclusive=0)
    [  0.008] send PRIORITY frame <length=5, flags=0x00, stream_id=7>
              (dep_stream_id=0, weight=1, exclusive=0)
    [  0.008] send PRIORITY frame <length=5, flags=0x00, stream_id=9>
              (dep_stream_id=7, weight=1, exclusive=0)
    [  0.008] send PRIORITY frame <length=5, flags=0x00, stream_id=11>
              (dep_stream_id=3, weight=1, exclusive=0)
    [  0.008] send HEADERS frame <length=43, flags=0x25, stream_id=13>
              ; END_STREAM | END_HEADERS | PRIORITY
              (padlen=0, dep_stream_id=11, weight=16, exclusive=0)
              ; Open new stream
              :method: GET
              :path: /
              :scheme: https
              :authority: http2.domain.com
              accept: */*
              accept-encoding: gzip, deflate
              user-agent: nghttp2/1.31.0-DEV
    [  0.008] recv SETTINGS frame <length=18, flags=0x00, stream_id=0>
              (niv=3)
              [SETTINGS_MAX_CONCURRENT_STREAMS(0x03):128]
              [SETTINGS_INITIAL_WINDOW_SIZE(0x04):65536]
              [SETTINGS_MAX_FRAME_SIZE(0x05):16777215]
    [  0.008] recv WINDOW_UPDATE frame <length=4, flags=0x00, stream_id=0>
              (window_size_increment=2147418112)
    [  0.009] send SETTINGS frame <length=0, flags=0x01, stream_id=0>
              ; ACK
              (niv=0)
    [  0.009] recv SETTINGS frame <length=0, flags=0x01, stream_id=0>
              ; ACK
              (niv=0)
    [  0.009] recv (stream_id=13) :method: GET
    [  0.009] recv (stream_id=13) :path: /purecss/pure-min.css
    [  0.009] recv (stream_id=13) :authority: http2.domain.com
    [  0.009] recv (stream_id=13) :scheme: https
    [  0.009] recv PUSH_PROMISE frame <length=37, flags=0x04, stream_id=13>
              ; END_HEADERS
              (padlen=0, promised_stream_id=2)
    [  0.009] recv (stream_id=13) :method: GET
    [  0.009] recv (stream_id=13) :path: /purecss/grids-responsive-min.css
    [  0.009] recv (stream_id=13) :authority: http2.domain.com
    [  0.009] recv (stream_id=13) :scheme: https
    [  0.009] recv PUSH_PROMISE frame <length=44, flags=0x04, stream_id=13>
              ; END_HEADERS
              (padlen=0, promised_stream_id=4)
    [  0.009] recv (stream_id=13) :status: 200
    [  0.009] recv (stream_id=13) date: Wed, 14 Feb 2018 04:20:38 GMT
    [  0.009] recv (stream_id=13) content-type: text/html; charset=utf-8
    [  0.009] recv (stream_id=13) last-modified: Wed, 14 Feb 2018 04:07:54 GMT
    [  0.009] recv (stream_id=13) vary: Accept-Encoding
    [  0.009] recv (stream_id=13) etag: W/"5a83b61a-1791"
    [  0.009] recv (stream_id=13) server: nginx centminmod
    [  0.009] recv (stream_id=13) x-powered-by: centminmod
    [  0.009] recv (stream_id=13) set-cookie: pushcheckp=puremin
    [  0.009] recv (stream_id=13) set-cookie: pushcheckt=grid
    [  0.009] recv (stream_id=13) link: </purecss/pure-min.css>; rel=preload; as=style
    [  0.009] recv (stream_id=13) link: </purecss/grids-responsive-min.css>; rel=preload; as=style
    [  0.009] recv (stream_id=13) content-encoding: gzip
    

    Yup they're there :)
    Code (Text):
    [  0.009] recv (stream_id=13) :method: GET
    [  0.009] recv (stream_id=13) :path: /purecss/pure-min.css
    [  0.009] recv (stream_id=13) :authority: http2.domain.com
    [  0.009] recv (stream_id=13) :scheme: https
    [  0.009] recv PUSH_PROMISE frame <length=37, flags=0x04, stream_id=13>
              ; END_HEADERS
              (padlen=0, promised_stream_id=2)
    [  0.009] recv (stream_id=13) :method: GET
    [  0.009] recv (stream_id=13) :path: /purecss/grids-responsive-min.css
    [  0.009] recv (stream_id=13) :authority: http2.domain.com
    [  0.009] recv (stream_id=13) :scheme: https
    [  0.009] recv PUSH_PROMISE frame <length=44, flags=0x04, stream_id=13>
    


    Chrome Canary HTTP/2 Server Push + TLS 1.3 Tests



    Launching Chrome Canary to check out TLS 1.3 and HTTP/2 Server Push on test site which is using self-signed SSL certificate as it's a dummy domain.

    Protocol = TLS 1.3 with Key Exchange Group = X25519 and Cipher AES_128_GCM


    Strangely Chrome Canary isn't reporting pushed assets, so switched to stable Chrome release on Windows 10


    Looks like only Chrome 65 for desktop and android have TLS 1.3 draft 23 supported: TLS 1.3 - Chrome Platform Status
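
The post above confirms by eye that each `link: ...; rel=preload` response header has a matching PUSH_PROMISE frame in the `nghttp -navs` output. As an added example (not part of the original thread and not Centmin Mod code), the same comparison can be scripted; the function names are hypothetical, the first sample is excerpted from the nghttp output quoted above and the second is a constructed variant in which one preload hint was never pushed.

```shell
#!/bin/sh
# Added example, not Centmin Mod code. Function names are hypothetical.

# check_push_vs_preload: read `nghttp -nv` style output on stdin and print
#   pushed=<n> preload=<n> missing=<preload paths with no PUSH_PROMISE, or ->
# Returns 1 when a preload link header has no matching PUSH_PROMISE frame.
check_push_vs_preload() {
  awk '
    # nghttp prints the promised request headers before the frame line,
    # so remember the most recent :path and bind it when the frame arrives.
    /recv \(stream_id=[0-9]+\) :path: / {
        last_path = $0
        sub(/^.*:path: /, "", last_path)
        next
    }
    /recv PUSH_PROMISE frame/ {
        if (last_path != "") { pushed[last_path] = 1; npushed++ }
        last_path = ""
        next
    }
    # Response header: link: </path>; rel=preload; as=style
    /recv \(stream_id=[0-9]+\) link: <[^>]+>;.*rel=preload/ {
        p = $0
        sub(/^.*link: </, "", p)
        sub(/>.*$/, "", p)
        order[++npreload] = p      # keep first-seen order for stable output
    }
    END {
        missing = ""
        for (i = 1; i <= npreload; i++)
            if (!(order[i] in pushed))
                missing = (missing == "" ? order[i] : missing "," order[i])
        if (missing == "") missing = "-"
        printf "pushed=%d preload=%d missing=%s\n", npushed, npreload, missing
        exit (missing == "-" ? 0 : 1)
    }'
}

# Sample 1: excerpt of the nghttp output quoted in the post.
page_nghttp_log() {
  cat <<'EOF'
[  0.009] recv (stream_id=13) :method: GET
[  0.009] recv (stream_id=13) :path: /purecss/pure-min.css
[  0.009] recv (stream_id=13) :authority: http2.domain.com
[  0.009] recv (stream_id=13) :scheme: https
[  0.009] recv PUSH_PROMISE frame <length=37, flags=0x04, stream_id=13>
          ; END_HEADERS
          (padlen=0, promised_stream_id=2)
[  0.009] recv (stream_id=13) :method: GET
[  0.009] recv (stream_id=13) :path: /purecss/grids-responsive-min.css
[  0.009] recv (stream_id=13) :authority: http2.domain.com
[  0.009] recv (stream_id=13) :scheme: https
[  0.009] recv PUSH_PROMISE frame <length=44, flags=0x04, stream_id=13>
          ; END_HEADERS
          (padlen=0, promised_stream_id=4)
[  0.009] recv (stream_id=13) :status: 200
[  0.009] recv (stream_id=13) link: </purecss/pure-min.css>; rel=preload; as=style
[  0.009] recv (stream_id=13) link: </purecss/grids-responsive-min.css>; rel=preload; as=style
EOF
}

# Sample 2: constructed variant, two preload hints but only one PUSH_PROMISE.
partial_push_log() {
  cat <<'EOF'
[  0.009] recv (stream_id=13) :method: GET
[  0.009] recv (stream_id=13) :path: /purecss/pure-min.css
[  0.009] recv PUSH_PROMISE frame <length=37, flags=0x04, stream_id=13>
          (padlen=0, promised_stream_id=2)
[  0.009] recv (stream_id=13) :status: 200
[  0.009] recv (stream_id=13) link: </purecss/pure-min.css>; rel=preload; as=style
[  0.009] recv (stream_id=13) link: </purecss/grids-responsive-min.css>; rel=preload; as=style
EOF
}

# Demo run over both samples.
for log in page_nghttp_log partial_push_log; do
  if summary=$($log | check_push_vs_preload); then
    echo "$log: every preload hint was pushed ($summary)"
  else
    echo "$log: preload hint without push ($summary)"
  fi
done
```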

     
  10. Revenge

    Revenge Active Member

    469
    93
    28
    Feb 21, 2016
    Portugal
    Ratings:
    +354
    Local Time:
    3:17 PM
    1.9.x
    10.1.x
    Do you have this HPACK patch on your github? So I can use it when Nginx releases 1.13.9.
     
  11. Revenge

    Ok, I found it. I was looking at your stable branch instead of the beta one.
     
  12. eva2000

  13. Revenge

  14. buik

    @eva2000 Your patch is broken with the latest master (server push gzip patch).
    Could you fix this?

     
  15. eva2000

    Broke how? HPACK patch fails to patch? And/or not compiling nginx master 1.13.9, or you mean HTTP/2 HPACK Full Encoding isn't working?

    I just checked HPACK patching works..
    Code (Text):
    patching nginx http/2 full HPACK encoding support
    nginx-1.13.9_http2-hpack.patch
    patch -p1 < /usr/local/src/centminmod/patches/cloudflare/nginx-1.13.9_http2-hpack.patch
    patching file auto/modules
    Hunk #1 succeeded at 437 (offset 1 line).
    patching file auto/options
    patching file src/core/ngx_murmurhash.c
    patching file src/core/ngx_murmurhash.h
    patching file src/http/v2/ngx_http_v2.c
    Hunk #1 succeeded at 274 with fuzz 1 (offset 27 lines).
    Hunk #2 succeeded at 2076 with fuzz 1 (offset 54 lines).
    patching file src/http/v2/ngx_http_v2.h
    Hunk #6 succeeded at 414 (offset -1 lines).
    patching file src/http/v2/ngx_http_v2_filter_module.c
    Hunk #1 succeeded at 26 (offset 1 line).
    Hunk #2 succeeded at 88 with fuzz 2 (offset 40 lines).
    Hunk #3 succeeded at 187 with fuzz 2 (offset 45 lines).
    Hunk #4 succeeded at 465 (offset 56 lines).
    Hunk #5 succeeded at 473 (offset 56 lines).
    Hunk #6 succeeded at 493 (offset 56 lines).
    Hunk #7 succeeded at 540 (offset 56 lines).
    Hunk #8 succeeded at 592 (offset 56 lines).
    Hunk #9 succeeded at 1025 (offset 347 lines).
    Hunk #10 succeeded at 1051 (offset 347 lines).
    patching file src/http/v2/ngx_http_v2_table.c
    


    nginx 1.13.9 from master compiles fine
    h2load testing HTTP/2 HPACK Full Encoding also works ~93% HTTP/2 header space savings after 20 runs
    Code (Text):
    url=https://http2.domain.com
    
    for i in $(seq 1 20); do echo "h2load run $i"; h2load $url -n $i | tail -6 | head -1; done
    
    h2load run 1
    traffic: 6.20KB (6350) total, 250B (250) headers (space savings 38.12%), 5.89KB (6033) data
    h2load run 2
    traffic: 12.12KB (12415) total, 264B (264) headers (space savings 67.33%), 11.78KB (12066) data
    h2load run 3
    traffic: 18.05KB (18480) total, 278B (278) headers (space savings 77.06%), 17.67KB (18099) data
    h2load run 4
    traffic: 23.97KB (24545) total, 292B (292) headers (space savings 81.93%), 23.57KB (24132) data
    h2load run 5
    traffic: 29.89KB (30610) total, 306B (306) headers (space savings 84.85%), 29.46KB (30165) data
    h2load run 6
    traffic: 35.82KB (36675) total, 320B (320) headers (space savings 86.80%), 35.35KB (36198) data
    h2load run 7
    traffic: 41.74KB (42740) total, 334B (334) headers (space savings 88.19%), 41.24KB (42231) data
    h2load run 8
    traffic: 47.66KB (48805) total, 348B (348) headers (space savings 89.23%), 47.13KB (48264) data
    h2load run 9
    traffic: 53.58KB (54870) total, 362B (362) headers (space savings 90.04%), 53.02KB (54297) data
    h2load run 10
    traffic: 59.51KB (60935) total, 376B (376) headers (space savings 90.69%), 58.92KB (60330) data
    h2load run 11
    traffic: 65.43KB (67000) total, 390B (390) headers (space savings 91.22%), 64.81KB (66363) data
    h2load run 12
    traffic: 71.35KB (73065) total, 404B (404) headers (space savings 91.67%), 70.70KB (72396) data
    h2load run 13
    traffic: 77.28KB (79130) total, 418B (418) headers (space savings 92.04%), 76.59KB (78429) data
    h2load run 14
    traffic: 83.20KB (85195) total, 432B (432) headers (space savings 92.36%), 82.48KB (84462) data
    h2load run 15
    traffic: 89.12KB (91260) total, 446B (446) headers (space savings 92.64%), 88.37KB (90495) data
    h2load run 16
    traffic: 95.04KB (97325) total, 460B (460) headers (space savings 92.88%), 94.27KB (96528) data
    h2load run 17
    traffic: 100.97KB (103390) total, 474B (474) headers (space savings 93.10%), 100.16KB (102561) data
    h2load run 18
    traffic: 106.89KB (109455) total, 488B (488) headers (space savings 93.29%), 106.05KB (108594) data
    h2load run 19
    traffic: 112.81KB (115520) total, 502B (502) headers (space savings 93.46%), 111.94KB (114627) data
    h2load run 20
    traffic: 118.74KB (121585) total, 516B (516) headers (space savings 93.61%), 117.83KB (120660) data
    


    To troubleshoot, you need to check the full nginx upgrade log at /root/centminlogs and instructions under Sharing logs and errors heading for using Pastebin.com or Gists to share a sanitised version of the contents of the nginx_upgrade.log log. You can see full details at How to troubleshoot Centmin Mod initial install issues

    if you type this command it lists all logs in date ascending order so latest log at bottom
    Code (Text):
    ls -lArt /root/centminlogs

    so copy the entire contents of latest nginx_upgrade log to gist.github.com or pastebin.com

    you can use grep to filter the logs, i.e. look for nginx_upgrade in log name
    Code (Text):
    ls -lahrt /root/centminlogs/ | grep nginx_upgrade
    -rw-r--r--  1 root root 3.2M Oct 11 15:55 centminmod_1.2.3-eva2000.09.001_111016-155345_nginx_upgrade.log
    -rw-r--r--  1 root root 672K Oct 11 22:06 centminmod_1.2.3-eva2000.09.001_111016-220515_nginx_upgrade.log

    So the last nginx upgrade log was named centminmod_1.2.3-eva2000.09.001_111016-220515_nginx_upgrade.log and located at /root/centminlogs/centminmod_1.2.3-eva2000.09.001_111016-220515_nginx_upgrade.log

    then use cat command to output the contents of that log

    clear your ssh window buffer/screen and type
    Code (Text):
    cat /root/centminlogs/centminmod_1.2.3-eva2000.09.001_111016-220515_nginx_upgrade.log

    then select and copy and paste output to pastebin.com or gist.github.com file to share. If your SSH client's scroll buffer isn't large enough using cat might not output the entire log file contents, so you may need to download the log and use local text editor to open and copy and paste.

    so only need content of one specific log, in this case most recent nginx_upgrade.log log
     
  16. buik

    Sorry pffff ...... seems RPM building thing while only patching 1 thing.
    Patching the code stand alone is working fine.
    But via SRPM:

     
  17. eva2000

    Ah SRPM building I see :)