
OpenSSL [PATCH] OpenSSL 1.1 Equal-preference groups of cipher suites

Discussion in 'CentOS, Redhat & Oracle Linux News' started by bassie, Jul 8, 2017.

  1. bassie

    bassie Active Member

    556
    121
    43
    Apr 29, 2016
    Ratings:
    +368
    Local Time:
    6:29 AM
    This patch implements BoringSSL's equal-preference groups of cipher suites in OpenSSL 1.1.

    Why?
    One of the best parts of BoringSSL + Nginx in contrast to OpenSSL 1.1 + Nginx is equal-preference groups of cipher suites (if you ask me), as upstream OpenSSL 1.1 won't support equal-preference groups of cipher suites.

    BoringSSL not interesting to use?
    Not really, as BoringSSL does not support Online Certificate Status Protocol (OCSP) on the server side (i.e. Nginx).
    Also, the developers do not recommend it:

    What about Cloudflare's patch?
    Cloudflare's (current open-source) OpenSSL 1.0.2 + OpenSSL 1.1 patch is, in fact, a hack.
    It hacks the OpenSSL code to ensure it (ChaCha) is only taken if it is the client's top cipher choice.

    As shown in the latest Cloudflare Nginx configuration file on GitHub,
    Cloudflare recently switched to a similar, decent 'non-hack' equal-preference groups solution.

    But their patch is not (yet) released (open-sourced).
    Hence my patch, and of course I've been using it myself for a while now.

    Howto
    Patch the OpenSSL 1.1f code with this patch before compiling Nginx with OpenSSL 1.1f.
    Change your Nginx ssl_ciphers parameter to Cloudflare's latest config.

    Done.

    As I am using sources other than my own, i.e. Google BoringSSL's open-source code, please note that all glory and fame go to them.
    Not to the undersigned (me).

    The purpose of this project is to implement and use the feature equal-preference groups of cipher suites in Nginx with the latest OpenSSL 1.1 stable.
    Initially for my own use.

    Nothing less, nothing more.
     
    Last edited: Jul 8, 2017
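What the first post means by equal-preference groups, as an added illustration: the script below is a small Python model of how a server walks a BoringSSL-style cipher string such as `[A|B]:C`. Between groups the server's order wins; inside a bracketed group the client's own ordering decides. This is not bassie's patch and not code from BoringSSL, OpenSSL or Cloudflare; the cipher strings and the three client offers are constructed samples.

```python
# Added example: a model of server-side cipher selection with BoringSSL-style
# equal-preference groups ("[A|B]:C"). Not bassie's patch and not BoringSSL,
# OpenSSL or Cloudflare code; the cipher lists below are constructed samples.
from typing import List, Optional, Sequence


def parse_groups(cipher_string: str) -> List[List[str]]:
    """Split a colon-separated cipher string into preference groups.

    A bracketed run "[A|B]" becomes one group ["A", "B"]; a bare name
    becomes a group of one. Group order is the server's preference order.
    """
    groups: List[List[str]] = []
    pos = 0
    while pos < len(cipher_string):
        if cipher_string[pos] == "[":
            end = cipher_string.index("]", pos)  # ValueError on an unbalanced '['
            members = [m.strip() for m in cipher_string[pos + 1:end].split("|")]
            groups.append([m for m in members if m])
            pos = end + 1
        else:
            end = cipher_string.find(":", pos)
            if end == -1:
                end = len(cipher_string)
            name = cipher_string[pos:end].strip()
            if name:
                groups.append([name])
            pos = end
        if pos < len(cipher_string) and cipher_string[pos] == ":":
            pos += 1
    return groups


def select_cipher(server_string: str, client_offered: Sequence[str]) -> Optional[str]:
    """Pick the cipher a server honouring equal-preference groups would choose.

    Groups are tried in server order; within the first group that overlaps
    the client's offer, the client's own ordering decides. Returns None when
    nothing overlaps (the real handshake would fail with no shared cipher).
    """
    for group in parse_groups(server_string):
        members = set(group)
        for cipher in client_offered:
            if cipher in members:
                return cipher
    return None


# Constructed samples. The grouped string lets a client without AES hardware
# acceleration get ChaCha20 while an AES-NI client gets AES-GCM; the strict
# string forces AES-GCM on every client that offers it.
SERVER_GROUPED = (
    "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
)
SERVER_STRICT = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
)
# A mobile client that prefers ChaCha20, then AES-GCM.
MOBILE_CLIENT = [
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
]
# A desktop client with AES-NI that prefers AES-GCM first.
DESKTOP_CLIENT = [
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
]
# A legacy client offering only ciphers the server does not list at all.
LEGACY_CLIENT = ["AES128-SHA", "DES-CBC3-SHA"]


if __name__ == "__main__":
    clients = (("mobile", MOBILE_CLIENT), ("desktop", DESKTOP_CLIENT), ("legacy", LEGACY_CLIENT))
    for label, offered in clients:
        print(f"{label:8s} grouped -> {select_cipher(SERVER_GROUPED, offered)}")
        print(f"{label:8s} strict  -> {select_cipher(SERVER_STRICT, offered)}")
```

The difference shows up for the mobile client: with the grouped string it gets ChaCha20-Poly1305, with the strict string it is forced onto AES-GCM even though it asked for ChaCha first. The desktop client gets AES-GCM either way, and the legacy client gets nothing, which is the point of keeping weak ciphers out of the server string entirely.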
  2. eva2000

    eva2000 Administrator Staff Member

    30,909
    6,908
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,404
    Local Time:
    3:29 PM
    Nginx 1.13.x
    MariaDB 5.5
  3. bassie

    bassie Active Member

    Didn't know Cloudflare switched to BoringSSL.
    BoringSSL is releasing new features a lot faster than OpenSSL.
    For example TLS 1.3.

    Seems Cloudflare is using BoringSSL as a branch with backported OpenSSL features (OCSP, old ChaCha, etc.).
    They should have a good reason to use BoringSSL as foundation.

    This is not a good prospect for the fans of their patches,
    as code can change anywhere, every release, so the patch code must change to prevent breakage.

    Looking at BoringSSL's release window, almost every month a new release: 3071, 3112 etc.

    No reason for Cloudflare to release new patches, as one single patch already generates a lot of questions via GitHub's issues.
    And patch code breaking again and again a whole lot more.
     
  4. eva2000

    eva2000 Administrator Staff Member

    Indeed it's confusing, especially when Cloudflare doesn't fully explain their commits on their sslconfig GitHub repo.
     
  5. bassie

    bassie Active Member

    It's double of thought.
    Everyone is a little spoiled with their patches ;)

    But I agree with you. If you decide to release something (which they obviously decide for themselves), you should also do it well.
    And that's code + documentation.
     
  6. eva2000

    eva2000 Administrator Staff Member

    Yeah we are spoiled with all their shared hard work :)

    Shame it's so fragmented too: OpenSSL vs LibreSSL vs BoringSSL.
     
  7. bassie

    bassie Active Member

    Bit of their own fault: the attitude, etc., of the OpenSSL team.
    Although it has been improved lately.
     
  8. eva2000

    eva2000 Administrator Staff Member

    yeah .. though LibreSSL doesn't seem that much better, i.e. the last LibreSSL security bug fix release version wasn't even announced or mentioned as a security release and was passed over as a bug. It's like LibreSSL is afraid to alert to security bugs as they claim to be more secure than OpenSSL. It may not be their intention, but that's how it came across to me.
     
  9. bassie

    bassie Active Member

    Many start a fork in an upwelling. But later, it will be remembered that it takes a lot and a lot of time, and after that you see the majority of forks flow away slowly.
     
  10. bassie

    bassie Active Member

    @eva2000 I have read the Twitter page of Cloudflare CTO John Graham-Cumming.
    They are working on a blog post detailing the BoringSSL process and reasoning.

    Maybe with Cloudflare patches for upstream BoringSSL. But I do not think so.
    Too important inside information. Enough competitors who would analyze their patch code, blogs, etc. Too expensive (in the greatest sense of the word) to release all of this.
     
  11. eva2000

    eva2000 Administrator Staff Member

    yeah just wait and see :)
     
  12. bassie

    bassie Active Member

    On the other side, it does not matter for us.
    BoringSSL, OpenSSL, 1 patch more or less.
    1 % optimization is big business for Cloudflare (go or no go), but for us, small users, with all due respect, not mission critical.
     
  13. eva2000

    eva2000 Administrator Staff Member

    indeed, though being a speed performance addict it matters :D
     
  14. bassie

    bassie Active Member

    I like edgy software like the latest OpenSSL with TLS 1.3, Nginx, and to push it to the limit with patches and settings.
    But for mission critical I am of course way more conservative.

    I.e. stability over speed.
    Quality over quantity.

    And more of that kind of rules.
    Customer first.
     
  15. eva2000

    eva2000 Administrator Staff Member

    True.. though for me, I am both the supplier and the customer :D
     
  16. bassie

    bassie Active Member

    You are the one ;)