
OpenSSL 3.0.0 released

Discussion in 'CentOS, Redhat & Oracle Linux News' started by buik, Sep 8, 2021.

  1. buik

    For details of the changes, see the release notes at:

    https://www.openssl.org/news/openssl-3.0-notes.html
     
  2. eva2000

    Yup, saw the news. Haven't had the time to look at OpenSSL 3.0 since it seemed so delayed/long in development, and seeing that Nginx HTTP/3 is leaning more towards an alternative crypto library, using Quiche for both the Nginx and Cloudflare implementations. But once I have time, Centmin Mod Nginx will eventually support OpenSSL 3.0.
     
  3. buik

    Yeah.. The main news is actually what's not in OpenSSL 3.0: QUIC support, needed for Nginx HTTP/3.

    OpenSSL 3.0 was all in on the United States' Federal Information Processing Standards (FIPS), from a technical standpoint.

    A greater contrast is hardly imaginable:
    Strictly for use in the US, due to requirements and legislation.
    For many users outside the US: useless.
     
  4. buik

    @eva2000 et al.
    I know responding to your own comment is not done.
    On the other hand, it doesn't matter that OpenSSL 3.0.0 doesn't have QUIC/HTTP/3 support yet. HTTP/3 is not yet an internet standard but a development draft.

    Some current browsers support the HTTP/3 draft.
    But this has to be enabled manually to be able to use it.
    Usually only power users do this, if they even want this.

    In addition, HTTP/3 is disabled by default at large providers such as Cloudflare. HTTP/3 must be enabled on both browser and server. Otherwise it won't work.
     
  5. Pasta

    Not true, the newest versions of Chrome & Firefox already enable HTTP/3 by default.
     
  6. buik

    You are absolutely right.
    I was not aware of the HTTP/3 on-by-default feature.
    I'm sorry. I should have known better and should have consulted the up-to-date source before posting.

    I relied on Cloudflare's HTTP/3 page, which I visited a while back.
    Cloudflare updated its page a week ago and the source 9 days ago.

    https://developers.cloudflare.com/http3/chrome

    https://github.com/cloudflare/cloud...7dcb650b254124b1e123c051f51b34e295c821acec05b

    https://developers.cloudflare.com/http3/firefox

    https://github.com/cloudflare/cloudflare-docs/commit/1e331ee575779516555dcbb073fd101cb58807ac
     
  7. Revenge

    Anyone tried compiling Nginx with the new OpenSSL 3.0.0?

    I'm getting the following error:

    Code:
    make[1]: Leaving directory `/src/nginx-1.21.3'
    make: *** [build] Error 2
    No issues when compiling with OpenSSL 1.1.1l.
     
  8. eva2000

    AFAIK, Nginx needs patching for OpenSSL 3.0, so it isn't a straight compile like with OpenSSL 1.1.1. One reason I haven't even bothered right now, given OpenSSL 3.0 doesn't even have anything better than OpenSSL 1.1.1, i.e. HTTP/3 support.
     
  9. buik

    There is absolutely no reason to use OpenSSL version 3.0.0 right now.
    A higher version is not always better.

    There are several slowdowns, OpenSSL 3.0.0 performance issues, performance degradation with 3.0, etc., on multiple platforms versus OpenSSL 1.1.1.
    Most of these problems still exist, even from the alpha era.

    The implementation of the SSL and TLS protocols as OpenSSL delivers it is key for Centminmod-based sites. Never use 0-day software, because there are always bugs in the software. This is not a negative value judgment; it is the disadvantage of developing software. Unfortunately, there are always bugs, glitches and errors.

    So give the developers a few months to a year to fix it, and then carefully consider and test it.
    OpenSSL 1.1.1 is currently the recommended version.
     
  10. eva2000

    In the past I would have tried OpenSSL 3.0.0, but

    1. don't have the free time to
    2. OpenSSL 3.0.0 doesn't really bring anything worthy/new compared to OpenSSL 1.1.1 right now :)
     
  11. buik

    True. The main news is actually what's not in OpenSSL 3.0: QUIC support.
     
  12. eva2000

    Hmmm, OpenSSL 3.0.0 might be slower than the OpenSSL 1.1.1 that Centmin Mod Nginx uses, see the discussion thread at https://twitter.com/bagder/status/1454376151607095297

     
  13. buik

  14. eva2000

  15. buik

    I think it would be better if the OpenSSL team had a discussion with key members around OpenSSL and the crypto world, for a better OpenSSL future that better meets market demand. Plenty of knowledge and skills, more than enough good ideas.

    Team OpenSSL has been working on OpenSSL version 3 (with only 1 main key feature: the United States' Federal Information Processing Standards (FIPS)) for the past 3 years, which benefits no one unless US-based, and US-based only if 'when required by statute'. Now we are going to wait years again for nothing, because team members of OpenSSL are going to reinvent HTTP/3-QUIC.

    Despite the negative advice of several HTTP/3 Internet Engineering Task Force (IETF) key team members.

    OpenSSL really needs to start watching out that they don't get cancelled soon.
    That has happened more often in open source land.
     
    Last edited: Nov 19, 2021
  16. eva2000

    Don't forget any time & effort spent on regaining that lost performance from regressions in OpenSSL 3.0!
     
  17. eva2000

    It seems that while OpenSSL 3.0.x is slower than OpenSSL 1.1.1, there might be some valid reasons to use OpenSSL 3.0.x with Nginx 1.21.4+ if you use a newer Linux 5.2+ kernel: when you enable TLS in the kernel (kTLS) support in Nginx, it can improve TLS/SSL performance by up to 29%, see Improving NGINX Performance with Kernel TLS and SSL_sendfile() - NGINX

    Something long term to watch and follow the progress for I guess :)

    Some private testing of Nginx with OpenSSL 3.0.1 + PCRE2 :D
    Code (Text):
    nginx -t
    nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
    
    ldd /usr/local/sbin/nginx
           linux-vdso.so.1 =>  (0x00007fff336b4000)
           libpcre2-8.so.0 => /usr/local/nginx-dep/lib/libpcre2-8.so.0 (0x00007f93c3885000)
           libjemalloc.so.1 => /lib64/libjemalloc.so.1 (0x00007f93c34c1000)
           libdl.so.2 => /lib64/libdl.so.2 (0x00007f93c32bd000)
           libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f93c30a1000)
           libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f93c2e6a000)
           libGeoIP.so.1 => /lib64/libGeoIP.so.1 (0x00007f93c2c38000)
           libatomic_ops.so.1 => /usr/local/nginx-dep/lib/libatomic_ops.so.1 (0x00007f93c2a36000)
           libc.so.6 => /lib64/libc.so.6 (0x00007f93c2668000)
           /lib64/ld-linux-x86-64.so.2 (0x00007f93c36f5000)
           libfreebl3.so => /lib64/libfreebl3.so (0x00007f93c2465000)
    
    PKG_CONFIG_PATH='/usr/local/nginx-dep/lib/pkgconfig/' pkg-config --modversion libpcre2-8
    10.39
    PKG_CONFIG_PATH='/usr/local/nginx-dep/lib/pkgconfig/' pkg-config --modversion atomic_ops
    7.6.12
    PKG_CONFIG_PATH='/usr/local/nginx-dep/lib/pkgconfig/' pkg-config --modversion libbrotlienc
    1.0.9
    PKG_CONFIG_PATH='/usr/local/nginx-dep/lib/pkgconfig/' pkg-config --modversion libbrotlidec
    1.0.9
    

    Code (Text):
    /opt/openssl/bin/openssl version -a
    OpenSSL 3.0.1 14 Dec 2021 (Library: OpenSSL 3.0.1 14 Dec 2021)
    built on: Sun Jan  2 11:32:22 2022 UTC
    platform: linux-x86_64
    options:  bn(64,64)
    compiler: ccache /opt/rh/devtoolset-11/root/usr/bin/gcc -fPIC -pthread -m64 -Wa,--noexecstack -O3 -m64 -march=native -Wimplicit-fallthrough=0 -Wno-implicit-function-declaration -Wno-int-conversion -Wno-unused-result -fcode-hoisting -Wno-cast-function-type -Wno-format-extra-args -Wformat=0 -pipe -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG
    OPENSSLDIR: "/opt/openssl"
    ENGINESDIR: "/opt/openssl/lib64/engines-3"
    MODULESDIR: "/opt/openssl/lib64/ossl-modules"
    Seeding source: os-specific
    CPUINFO: OPENSSL_ia32cap=0x7ffaf3bfffebffff:0x27ab
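
The build check behind the private test above, as an added example that is not code from this thread, from Centmin Mod or from NGINX: a few POSIX sh functions that read the text of `nginx -V` and `ldd nginx` and answer the questions a practitioner asks before turning on kTLS. The prerequisites it checks follow the NGINX article linked in the post (nginx 1.21.4+, an OpenSSL 3.0 configured with `enable-ktls`, a Linux 5.2+ kernel with the tls module, and `ssl_conf_command Options KTLS;` in the server block); the `NGINX_V_*` and `LDD_*` samples are constructed to match the shape of that output and are not from a real host. Note that the ldd listing above resolves no libssl or libcrypto at all, which means OpenSSL is linked into the nginx binary statically: a system OpenSSL update then does not patch the TLS code nginx runs, so the running version has to come from `nginx -V`, not from `openssl version`.

```shell
#!/bin/sh
# Added example for this thread, not Centmin Mod or nginx code: small POSIX sh
# checks for an nginx build against OpenSSL 3.0 with kTLS. The parsing functions
# take the text of `nginx -V` or `ldd nginx` as an argument, so the samples below
# (constructed to match the shape of that output) let everything run offline.

# Constructed sample: nginx built against a static OpenSSL 3.0.1 with kTLS enabled.
NGINX_V_KTLS='nginx version: nginx/1.21.4
built by gcc 11.2.1 20210728 (Red Hat 11.2.1-1) (GCC)
built with OpenSSL 3.0.1 14 Dec 2021
TLS SNI support enabled
configure arguments: --with-http_ssl_module --with-http_v2_module --with-openssl=/opt/openssl --with-openssl-opt=enable-ktls'

# Constructed sample: nginx built against a shared OpenSSL 1.1.1k, now loading 1.1.1l.
NGINX_V_OLD='nginx version: nginx/1.21.3
built with OpenSSL 1.1.1k  25 Mar 2021 (running with OpenSSL 1.1.1l  24 Aug 2021)
TLS SNI support enabled
configure arguments: --with-http_ssl_module'

# Constructed ldd output. No libssl/libcrypto entry means OpenSSL was linked
# statically: patching the system libssl then changes nothing for nginx.
LDD_STATIC='    linux-vdso.so.1 =>  (0x00007fff336b4000)
    libpcre2-8.so.0 => /usr/local/nginx-dep/lib/libpcre2-8.so.0 (0x00007f93c3885000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f93c2668000)'
LDD_SHARED='    libssl.so.3 => /opt/openssl/lib64/libssl.so.3 (0x00007f1a9c200000)
    libcrypto.so.3 => /opt/openssl/lib64/libcrypto.so.3 (0x00007f1a9bc00000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f1a9b800000)'

# OpenSSL version nginx was compiled against (the "built with" line of nginx -V).
openssl_built_version() {
    printf '%s\n' "$1" | sed -n 's/^built with OpenSSL \([0-9][0-9A-Za-z.]*\).*/\1/p'
}

# OpenSSL version actually loaded. nginx adds "(running with OpenSSL ...)" only
# when the shared library differs from the build-time one; otherwise (same
# version, or static linking) the built version is the running version.
openssl_running_version() {
    run=$(printf '%s\n' "$1" | sed -n 's/.*(running with OpenSSL \([0-9][0-9A-Za-z.]*\).*/\1/p')
    if [ -n "$run" ]; then printf '%s\n' "$run"; else openssl_built_version "$1"; fi
}

# 0 when the bundled OpenSSL was configured with enable-ktls (needed for
# "ssl_conf_command Options KTLS;" to have any effect in nginx 1.21.4+).
nginx_has_ktls_option() {
    printf '%s\n' "$1" | grep -q -- '--with-openssl-opt=[^ ]*enable-ktls'
}

# 0 when the nginx/OpenSSL side of the kTLS prerequisites is met: OpenSSL 3.x at
# runtime and enable-ktls at build time. The kernel side (5.2+ with the tls
# module loaded) is a separate check, see kernel_at_least.
nginx_ktls_ready() {
    major=$(openssl_running_version "$1" | cut -d. -f1)
    [ "${major:-0}" -ge 3 ] && nginx_has_ktls_option "$1"
}

# "static" when ldd output resolves no libssl, else "dynamic:<path of libssl>".
openssl_linkage() {
    path=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*libssl\.so[^ ]* => \([^ ]*\).*/\1/p')
    if [ -n "$path" ]; then printf 'dynamic:%s\n' "$path"; else printf 'static\n'; fi
}

# 0 when kernel release $2 (uname -r form, e.g. 4.18.0-348.el8) is >= major.minor $1.
kernel_at_least() {
    want_major=${1%%.*}; want_minor=${1#*.}; want_minor=${want_minor%%.*}
    have_major=${2%%.*}; rest=${2#*.}; have_minor=${rest%%[!0-9]*}
    [ "${have_major:-0}" -gt "$want_major" ] ||
        { [ "${have_major:-0}" -eq "$want_major" ] && [ "${have_minor:-0}" -ge "$want_minor" ]; }
}

# Live run against this host; skipped when nginx is not installed.
if command -v nginx >/dev/null 2>&1; then
    v=$(nginx -V 2>&1)
    echo "OpenSSL: built $(openssl_built_version "$v"), running $(openssl_running_version "$v")"
    echo "linkage: $(openssl_linkage "$(ldd "$(command -v nginx)")")"
    nginx_ktls_ready "$v" && echo "kTLS build: ready" || echo "kTLS build: not enabled"
    kernel_at_least 5.2 "$(uname -r)" && echo "kernel: $(uname -r) supports kTLS" || echo "kernel: too old for kTLS"
fi
```

Run it as a plain `sh` script on the Nginx host: the live section at the bottom prints the built and running OpenSSL versions, whether libssl is static or shared, and whether the build and kernel meet the kTLS prerequisites; the functions themselves only parse text, so they can be pointed at saved `nginx -V` output from another server just as easily.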
    
     
  18. buik

    So Nginx should or could get faster with kTLS for static files.
    Always interesting for high-volume sites with lots of images.

    Apparently team OpenSSL is fixing various issues that are OpenSSL 3.0.* speed related.
    I'm curious, anyway, what the latest OpenSSL 3.0.* release does in speed related to
    Nginx: Nginx + OpenSSL 3.0.* without kTLS vs. Nginx + OpenSSL 1.1.1.*.

     
    Last edited: Jan 3, 2022
  19. eva2000

    Yup, but reading the TLS cipher supported list, it looks like only RSA certificates/ciphers are supported. Faster ECDSA certificate ciphers don't seem to be supported :(
    Yeah, will do some quick tests to see :)