Get the most out of your Centmin Mod LEMP stack
Become a Member

OpenSSL OpenSSL 1.1.1 Released with TLS 1.3 Support

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Sep 11, 2018.

  1. eva2000

    eva2000 Administrator Staff Member

    36,387
    7,992
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,304
    Local Time:
    4:09 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Finally, OpenSSL 1.1.1 has been released with TLS 1.3 support. Note TLS 1.3 draft 23 and 28 have been removed from OpenSSL 1.1.1 so that only TLS 1.3 final version is supported. Read further below to see how you can enable Nginx 1.15 with TLS 1.3 support via OpenSSL 1.1.1.
    /news/openssl-1.1.1-notes.html
     
    Last edited: Sep 12, 2018
  2. eva2000

    eva2000 Administrator Staff Member

    36,387
    7,992
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,304
    Local Time:
    4:09 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    For Centmin Mod 123.09beta01+ and new users, they can switch from OpenSSL 1.1.0 branch defaults to OpenSSL 1.1.1 via setting in persistent config file at /etc/centminmod/custom_config.inc set prior to centmin.sh menu option 4 Nginx compiles the following override variable
    Code (Text):
    OPENSSL_VERSION='1.1.1'
    

    Then
    by running centmin.sh menu option 4 Nginx recompile and when prompted enter latest nginx mainline version number which at time of writing = 1.15.3 (now 1.15.5 is latest)

    Eventually you will be able to remove OPENSSL_VERSION='1.1.1' from persistent config file as Centmin Mod 123.09beta01 will be updated to default to OPENSSL_VERSION='1.1.1'. Edit 123.09beta01 now is updated to default to OPENSSL_VERSION='1.1.1' so no need to set it via persistent config file at /etc/centminmod/custom_config.inc

    End result is Nginx compiled with OpenSSL 1.1.1 GA stable release
    For Centmin Mod Nginx the default ssl ciphers are made for OpenSSL and LibreSSL and BoringSSL usage and are defined as follows - TLS 1.3 ciphers are dynamically added only if TLS 1.3 OpenSSL crypto library is detected at Nginx compile time. So for TLS 1.3 detected Centmin Mod Nginx created vhost site the ssl_ciphers would be defined as
    Code (Text):
    ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
    

    For existing Centmin Mod Nginx HTTPS vhosts, you would need to manually update your ssl_ciphers line to the above configuration and then restart Nginx server.

    SSLLabs unfortuantely supports TLS 1.3 draft 28 right now so testing via SSL Server Test (Powered by Qualys SSL Labs) won't report TLS 1.3 enabled. Opera latest browser doesn't support TLS 1.3 final version but Chrome Canary 70 version supports TLS 1.3 final version. If you want to use TLS 1.3 with current Chrome 69 which supports TLS 1.3 draft 28, you would need to switch Centmin Mod Nginx over from OpenSSL to using BoringSSL which has been modified to support TLS 1.3 final version and patched to re-add TLS 1.3 draft 23 and 28 support.

    cmm-nginx-openssl-1.1.1-final-canary-tls13-01.png

    testssl command line does report TLS 1.3 final version though
    Code (Text):
     Testing protocols via sockets except NPN+ALPN
    
     SSLv2      not offered (OK)
     SSLv3      not offered (OK)
     TLS 1      offered
     TLS 1.1    offered
     TLS 1.2    offered (OK)
     TLS 1.3    offered (OK): final
     NPN/SPDY   not offered
     ALPN/HTTP2 h2, http/1.1 (offered)
    

    testssl server cipher preferences
    Code (Text):
     Testing cipher categories
    
     NULL ciphers (no encryption)                  not offered (OK)
     Anonymous NULL Ciphers (no authentication)    not offered (OK)
     Export ciphers (w/o ADH+NULL)                 not offered (OK)
     LOW: 64 Bit + DES encryption (w/o export)     not offered (OK)
     Weak 128 Bit ciphers (SEED, IDEA, RC[2,4])    not offered (OK)
     Triple DES Ciphers (Medium)                   not offered (OK)
     High encryption (AES+Camellia, no AEAD)       offered (OK)
     Strong encryption (AEAD ciphers)              offered (OK)
    

    This testssl run was ran against Centmin Mod 123.09beta01's Nginx HTTP/2 HTTPS site which is configured with Nginx dual RSA+ECDSA letsencrypt SSL certificates so you will see both RSA and ECDSA ssl ciphers listed
    Code (Text):
     Testing ciphers per protocol via OpenSSL plus sockets against the server, ordered by encryption strength
    
    Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (RFC)
    -----------------------------------------------------------------------------------------------------------------------------
    SSLv2
    SSLv3
    TLS 1
     xc014   ECDHE-RSA-AES256-SHA              ECDH 253   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA            
     xc00a   ECDHE-ECDSA-AES256-SHA            ECDH 253   AES         256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA          
     x39     DHE-RSA-AES256-SHA                DH 2048    AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA              
     x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA                  
     xc013   ECDHE-RSA-AES128-SHA              ECDH 253   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA            
     xc009   ECDHE-ECDSA-AES128-SHA            ECDH 253   AES         128      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA          
     x33     DHE-RSA-AES128-SHA                DH 2048    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA              
     x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA                  
    TLS 1.1
     xc014   ECDHE-RSA-AES256-SHA              ECDH 253   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA            
     xc00a   ECDHE-ECDSA-AES256-SHA            ECDH 253   AES         256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA          
     x39     DHE-RSA-AES256-SHA                DH 2048    AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA              
     x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA                  
     xc013   ECDHE-RSA-AES128-SHA              ECDH 253   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA            
     xc009   ECDHE-ECDSA-AES128-SHA            ECDH 253   AES         128      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA          
     x33     DHE-RSA-AES128-SHA                DH 2048    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA              
     x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA                  
    TLS 1.2
     xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 253   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384        
     xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH 253   AESGCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384      
     xc028   ECDHE-RSA-AES256-SHA384           ECDH 253   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384        
     xc024   ECDHE-ECDSA-AES256-SHA384         ECDH 253   AES         256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384      
     xc014   ECDHE-RSA-AES256-SHA              ECDH 253   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA            
     xc00a   ECDHE-ECDSA-AES256-SHA            ECDH 253   AES         256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA          
     x9f     DHE-RSA-AES256-GCM-SHA384         DH 2048    AESGCM      256      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384          
     x6b     DHE-RSA-AES256-SHA256             DH 2048    AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA256          
     x39     DHE-RSA-AES256-SHA                DH 2048    AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA              
     x9d     AES256-GCM-SHA384                 RSA        AESGCM      256      TLS_RSA_WITH_AES_256_GCM_SHA384              
     x3d     AES256-SHA256                     RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA256              
     x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA                  
     xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 253   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256        
     xc02b   ECDHE-ECDSA-AES128-GCM-SHA256     ECDH 253   AESGCM      128      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256      
     xc027   ECDHE-RSA-AES128-SHA256           ECDH 253   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256        
     xc023   ECDHE-ECDSA-AES128-SHA256         ECDH 253   AES         128      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256      
     xc013   ECDHE-RSA-AES128-SHA              ECDH 253   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA            
     xc009   ECDHE-ECDSA-AES128-SHA            ECDH 253   AES         128      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA          
     x9e     DHE-RSA-AES128-GCM-SHA256         DH 2048    AESGCM      128      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256          
     x67     DHE-RSA-AES128-SHA256             DH 2048    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA256          
     x33     DHE-RSA-AES128-SHA                DH 2048    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA              
     x9c     AES128-GCM-SHA256                 RSA        AESGCM      128      TLS_RSA_WITH_AES_128_GCM_SHA256              
     x3c     AES128-SHA256                     RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA256              
     x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA                  
    TLS 1.3
     x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384                        
     x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256                  
     x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256
    


    Notes
     
    Last edited: Sep 12, 2018
  3. eva2000

    eva2000 Administrator Staff Member

    36,387
    7,992
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,304
    Local Time:
    4:09 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    OpenSSL 1.1.1 final benchmarks compared to previous ones done at OpenSSL - OpenSSL 1.1.1 TLS 1.3 Nearly Here on same Intel Xeon E3-1270v1 16GB 240GB SSD dedicated server.

    Code (Text):
    /opt/openssl/bin/openssl speed -multi 8 rsa2048 ecdsap256
    
    OpenSSL 1.1.1  11 Sep 2018
    built on: Tue Sep 11 13:56:51 2018 UTC
    options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
    compiler: ccache gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DNDEBUG
                      sign    verify    sign/s verify/s
    rsa 2048 bits 0.000270s 0.000008s   3705.9 127794.2
                                  sign    verify    sign/s verify/s
     256 bits ecdsa (nistp256)   0.0000s   0.0000s 127839.7  37818.4
    


    OpenSSL benchmarks rsa 2048 signs/s rsa 2048 verify/s ecdsa 256bit signs/s ecdsa 256bit verify/s
    LibreSSL 2.7.4 3328.5 64131.1 33773.2 9121.5
    OpenSSL 1.0.2k system 3727.0 128008.2 89762.8 34821.1
    OpenSSL 1.1.0i before ECDSA patch 3710.0 127752.2 86956.5 34483.7
    OpenSSL 1.1.0i after ECDSA patch 3696.9 128008.2 121212.1 37736.7
    OpenSSL 1.1.1-pre2 3706.6 127548.8 112018.1 37743.6
    OpenSSL 1.1.1-pre8 3709.9 127268.6 60036.2 37857.1
    OpenSSL 1.1.1 tls1.3-draft-18 branch 3710.6 127429.3 84342.7 33439.4
    OpenSSL 1.1.1 master (August 18, 2018) 3706.3 127931.8 128299.2 37842.9
    OpenSSL 1.1.1 final (September 11, 2018) 3705.9 127794.2 127839.7 37818.4
     
    • Like Like x 1
  4. bassie

    bassie Active Member

    980
    235
    43
    Apr 29, 2016
    Ratings:
    +694
    Local Time:
    8:09 PM
    • Like Like x 1
  5. eva2000

    eva2000 Administrator Staff Member

    36,387
    7,992
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,304
    Local Time:
    4:09 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    I'd like to say I was watching OpenSSL 1.1.1 release like a hawk, but it was sheer luck and good timing I caught the release announcement :D
     
  6. bassie

    bassie Active Member

    980
    235
    43
    Apr 29, 2016
    Ratings:
    +694
    Local Time:
    8:09 PM
    @eva2000 the hawk, sprinkled with the magic of Australia :)
    But I thought the Honey badger is Australian's finest in case of attentiveness, bravour, brave and so on?
     
    • Funny Funny x 1
  7. eva2000

    eva2000 Administrator Staff Member

    36,387
    7,992
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,304
    Local Time:
    4:09 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    :LOL: now all we need is Nginx 1.15.4 release Roadmap – nginx for OpenSSL 1.1.1 0-RTT support in Nginx :D
     
  8. bassie

    bassie Active Member

    980
    235
    43
    Apr 29, 2016
    Ratings:
    +694
    Local Time:
    8:09 PM
    I prefer Chrome and Firefox TLS 1.3 RFC support above 0-RTT as OpenSSL 1.1.1 TLS 1.3 is quite useless atm.
    Used 0-RTT on a test site but it isn't noticeably faster.
     
    • Informative Informative x 1
  9. Sunka

    Sunka Well-Known Member

    1,021
    281
    83
    Oct 31, 2015
    Rijeka, Croatia
    Ratings:
    +459
    Local Time:
    8:09 PM
    Nginx 1.15.0
    MariaDB 10.2.15
    Any eta for this automatic solution? :)
     
  10. eva2000

    eva2000 Administrator Staff Member

    36,387
    7,992
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,304
    Local Time:
    4:09 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    • Like Like x 1
  11. ahmed

    ahmed Member

    241
    19
    18
    Feb 21, 2017
    Ratings:
    +26
    Local Time:
    8:09 PM
    Hello

    why I am not
    Code (Text):
    nginx version: nginx/1.15.3 (220918-033447)
    built by gcc 6.3.1 20170216 (Red Hat 6.3.1-3) (GCC)
    built with OpenSSL 1.1.0 (compatible; BoringSSL) (running with BoringSSL)
    TLS SNI support enabled
    configure arguments: --with-ld-opt='-Wl,-E -L/usr/local/zlib-cf/lib -L/opt/boringssl/.openssl/lib -lcrypto -lssl -L/usr/local/lib -lrt -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/zlib-cf/lib:/opt/boringssl/.openssl/lib:/usr/local/lib' --with-cc-opt='-I/opt/boringssl/.openssl/include -I/usr/local/zlib-cf/include -I/usr/local/include -m64 -march=native -DTCP_FASTOPEN=23 -g -O3 -Wno-error=strict-aliasing -fstack-protector-strong -flto -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations -gsplit-dwarf' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --build=220918-033447 --with-compat --with-http_stub_status_module --with-http_secure_link_module --with-libatomic --with-http_gzip_static_module --add-dynamic-module=../ngx_brotli --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.2 --add-module=../ngx_cache_purge-2.4.2 --add-dynamic-module=../ngx_devel_kit-0.3.0 --add-dynamic-module=../set-misc-nginx-module-0.32 --add-dynamic-module=../echo-nginx-module-0.61 --add-module=../redis2-nginx-module-0.15 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.18 --add-module=../srcache-nginx-module-0.31 --add-dynamic-module=../headers-more-nginx-module-0.33 --with-pcre-jit --with-http_ssl_module --with-http_v2_module --with-http_v2_hpack_enc
    
     
  12. eva2000

    eva2000 Administrator Staff Member

    36,387
    7,992
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,304
    Local Time:
    4:09 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
  13. ahmed

    ahmed Member

    241
    19
    18
    Feb 21, 2017
    Ratings:
    +26
    Local Time:
    8:09 PM
    strangely I edited that and checked now and it was hashed, will recompile
     
  14. ahmed

    ahmed Member

    241
    19
    18
    Feb 21, 2017
    Ratings:
    +26
    Local Time:
    8:09 PM
    but I notice while compiling it takes sometime on this error

    Code (Text):
    NGX_MAX_ERROR_STR value
    #define NGX_MAX_ERROR_STR   2048
    
     
  15. bassie

    bassie Active Member

    980
    235
    43
    Apr 29, 2016
    Ratings:
    +694
    Local Time:
    8:09 PM
    • Informative Informative x 1
  16. ahmed

    ahmed Member

    241
    19
    18
    Feb 21, 2017
    Ratings:
    +26
    Local Time:
    8:09 PM
    on latest canary shows TLS 1.2 still
    Code (Text):
    nginx version: nginx/1.15.3 (240918-022222)
    built by gcc 6.3.1 20170216 (Red Hat 6.3.1-3) (GCC)
    built with OpenSSL 1.1.1  11 Sep 2018
    TLS SNI support enabled
    configure arguments: --with-ld-opt='-Wl,-E -L/usr/local/zlib-cf/lib -L/usr/local/lib -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/zlib-cf/lib:/usr/local/lib' --with-cc-opt='-I/usr/local/zlib-cf/include -I/usr/local/include -m64 -march=native -DTCP_FASTOPEN=23 -g -O3 -Wno-error=strict-aliasing -fstack-protector-strong -flto -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations -gsplit-dwarf' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --build=240918-022222 --with-compat --with-http_stub_status_module --with-http_secure_link_module --with-libatomic --with-http_gzip_static_module --add-dynamic-module=../ngx_brotli --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.2 --add-module=../ngx_cache_purge-2.4.2 --add-dynamic-module=../ngx_devel_kit-0.3.0 --add-dynamic-module=../set-misc-nginx-module-0.32 --add-dynamic-module=../echo-nginx-module-0.61 --add-module=../redis2-nginx-module-0.15 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.18 --add-module=../srcache-nginx-module-0.31 --add-dynamic-module=../headers-more-nginx-module-0.33 --with-pcre-jit --with-http_ssl_module --with-http_v2_module --with-http_v2_hpack_enc --with-openssl=../openssl-1.1.1 --with-openssl-opt='enable-ec_nistp_64_gcc_128 enable-tls1_3'
    
     
  17. eva2000

    eva2000 Administrator Staff Member

    36,387
    7,992
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,304
    Local Time:
    4:09 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    that isn't an error it's nginx routine checking the value of that variable and spitting it out for logging - related to Beta Branch - add NGINX_MAXERRBYTELIMIT variable to adjust NGX_MAX_ERROR_STR hardco…

    Nice thanks for the heads up :)

    looks good.. it should be automated for new nginx vhosts or re-ran centmin.sh after openssl 1.1.1/boringssl update but check /usr/local/nginx/conf/ssl_include.conf if it lists TLSv1.3 as ssl_protocols
    Code (Text):
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    

    then restart nginx
     
  18. eva2000

    eva2000 Administrator Staff Member

    36,387
    7,992
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,304
    Local Time:
    4:09 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    no need to patch, centmin mod 123.09beta01's centmin.sh menu option 4 nginx upgrade supports entering version number = master and it will compile nginx from github master branch latest nginx code so here's nginx 1.15.4 master branch code with TLS 1.3 early data 0-RTT code supported

    nginx config test works with ssl_early_data on directive set in nginx vhost instead of warning that ssl_early_data directive not supported when used with Nginx 1.15.4 master
    Code (Text):
    nginx -t
    nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
    

    Nginx 1.15.3 config test would report such error
    Code (Text):
    nginx -t
    nginx: [warn] "ssl_early_data" is not supported on this platform, ignored
    nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
    

    Similar to BoringSSL TLS 1.3 0-RTT Early Data test with Nginx 1.15.4 master branch - notice the line with 'Early data was accepted' :)
    Code (Text):
    /opt/openssl/bin/openssl s_client -connect domain.com:443 -sess_out session.pem
    
    echo -n | /opt/openssl/bin/openssl s_client -connect domain.com:443 -sess_in session.pem -early_data /tmp/https.txt
    CONNECTED(00000005)
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    ..snipped...
    -----END CERTIFICATE-----
    subject=CN = domain.com
    
    issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    
    ---
    No client certificate CA names sent
    Server Temp Key: X25519, 253 bits
    ---
    SSL handshake has read 245 bytes and written 805 bytes
    Verification error: unable to get local issuer certificate
    ---
    Reused, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
    Server public key is 256 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was accepted
    Verify return code: 20 (unable to get local issuer certificate)
    ---
    DONE
    

    contents of /tmp/https.txt
    Code (Text):
    GET / HTTP/1.1
    Host: domain.com:443
    
     
    Last edited: Sep 25, 2018
  19. eva2000

    eva2000 Administrator Staff Member

    36,387
    7,992
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,304
    Local Time:
    4:09 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    FYI, dev.ssllabs.com now supports testing TLS 1.3 RFC final as well SSL Server Test (Powered by Qualys SSL Labs)

    with Nginx 1.15.4 master + OpenSSL 1.1.1 TLS 1.3 RFC final + dual RSA 2048bit + ECDSA 256bit SSL certificate support :cool:

    dev-ssllabs-cmm-nginx-1.15.4-master-openssl-1.1.1-tls13-01.png
    dev-ssllabs-cmm-nginx-1.15.4-master-openssl-1.1.1-tls13-02.png
    dev-ssllabs-cmm-nginx-1.15.4-master-openssl-1.1.1-tls13-03.png dev-ssllabs-cmm-nginx-1.15.4-master-openssl-1.1.1-tls13-04.png
     
  20. pamamolf

    pamamolf Well-Known Member

    3,117
    295
    83
    May 31, 2014
    Ratings:
    +530
    Local Time:
    9:09 PM
    Nginx-1.13.x
    MariaDB 10.1.x
    Do we have to update also the file /usr/local/nginx/conf/ssl_include.conf to manualy add the TLS 1.3 there?
     
..