OpenSSL [PATCH] OpenSSL 1.1 Equal-preference groups of cipher suites

Discussion in 'CentOS, Redhat & Oracle Linux News' started by buik, Jul 8, 2017.

  1. buik
    Not needed.
    Back-ported a few patches with the same goal, other solution to give priority to Chacha.


    Cloudflare - ChaCha20+Poly1305 if it is the client's most preferred cipher suite.

    Google's BoringSSL - Allows a server to prefer one of AES-GCM or ChaCha20+Poly1305
    ciphers, but to allow the client to pick which one.

    OpenSSL - ChaCha20+Poly1305 if it is the client's and server's most preferred cipher suite. Something more luxurious than option Cloudflare.
    But the same idea. This is the official solution of OpenSSL.
    But not to everyone's desire.
     
  2. eva2000
    cheers, updated 123.09beta01 for this optionally, and when the equal cipher preference group patch is enabled, it will disable the smart chacha20 patch :)
     
  3. buik
  4. eva2000
    Yeah the current cloudflare patches that you shared are only being added optionally to centmin mod 123.09beta01 and only specific to when openssl 1.1.0g is detected and is on a 64bit system. So future openssl versions won't automatically trigger these patches anyway (for now at least). Just getting the code routines in place to support these optionally for now :)
     
  5. upgrade81
    Hello, if I insert this string of nginx ciphers it goes into error.
     
  6. buik
    You are using the BoringSSL format.

    OpenSSL won't support nested groups.
    Try, for example:

     
  7. eva2000
    Did you apply the patch, and are you using openssl 1.1.0g only? No other OpenSSL version will work with this patch in Centmin Mod.
     
  8. upgrade81
    yes only 1.1.0g

    Code (Text):
    nginx -V
    nginx version: nginx/1.13.9
    built by gcc 7.2.1 20170829 (Red Hat 7.2.1-1) (GCC)
    built with OpenSSL 1.1.0g  2 Nov 2017
    TLS SNI support enabled
    


    With the SSL test, chacha now shows among the ciphers,
    but it shows as the last one, not among the first ones, as you show in your screen.
    [image: grabilla.g16940.png]
     
    Last edited: Feb 27, 2018
  9. buik
    Please note that this topic is intended for Equal-preference groups of cipher suites support in OpenSSL 1.1 through a patch.

    Because it seems that you are not running that specific patch but another patch.
    And OpenSSL 1.1 does not support chacha preferred ciphers out of the box.

    Please use the topic for that specific patch.
    For example: OpenSSL - [NEW PATCH]Use ChaCha20+Poly1305 only if it is prioritized by the client - OpenSSL 1.1

    About showing the right order of ciphers.
    Which cipher configuration are you using?
    Is it for example the test sample I gave you or that of centmin?
    The test configuration that I sent is only for testing, and may not contain the desired configuration.

    Please respond in the appropriate topic.
     
  10. upgrade81
    You're right; in fact I had used the cloudflare patch. Now I have enabled the equal ciphers and everything works.
     
  11. buik
  12. eva2000
    Thanks for sharing. Currently, Centmin Mod 123.09beta01 doesn't use this patch though.
     
  13. buik
  14. rdan
  15. buik
    Don't know if this is a good idea, because OpenSSL now has its own prioritize mechanism (since version 1.1.1).
     
  16. buik
    @rdan @eva2000
    OpenSSL now has its own prioritize mechanism.
    Patched the code a bit, as the Nginx team won't implement the OpenSSL chacha prioritize mechanism.

    I prefer it over 'Equal-preference groups of cipher suites' because fewer code changes are needed and the OpenSSL feature is better tested, being a vanilla OpenSSL feature.

    OpenSSL - [NEW PATCH]Prioritize ChaCha feature - OpenSSL 1.1.1
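As an added illustration (not code from this thread, Centmin Mod, or OpenSSL), the Python below simulates the two server-side selection behaviours the thread contrasts: equal-preference groups in the `[A|B]` syntax from posts 1 and 6 (nested groups are rejected, as post 6 notes), and OpenSSL 1.1.1's PrioritizeChaCha option from post 16. All function names, the server cipher string and the two client orderings are constructed sample data.

```python
# Added illustration (not code from the thread): simulate server-side cipher
# selection under equal-preference groups and OpenSSL 1.1.1 PrioritizeChaCha.
import re

def parse_groups(spec):
    """'A:[B|C]:D' -> [['A'], ['B', 'C'], ['D']]. '[...]' is an equal-preference
    group; nesting is rejected, as the thread notes for patched OpenSSL 1.1."""
    groups, group = [], None                 # group is a list only while inside [...]
    for tok in re.findall(r"\[|\]|\||:|[^\[\]|:]+", spec):
        if tok == "[":
            if group is not None:
                raise ValueError("nested equal-preference groups are not supported")
            group = []
        elif tok == "]":
            if group is None:
                raise ValueError("']' without a matching '['")
            groups.append(group)
            group = None
        elif tok == "|":
            if group is None:
                raise ValueError("'|' is only valid inside [...]")
        elif tok != ":":
            if group is None:
                groups.append([tok])
            else:
                group.append(tok)
    if group is not None:
        raise ValueError("unterminated '['")
    return groups

def select_equal_pref(server_spec, client_order):
    """Server group order first; inside a group the client's own order decides."""
    for group in parse_groups(server_spec):
        for suite in client_order:
            if suite in group:
                return suite
    return None

def select_prioritize_chacha(server_spec, client_order):
    """OpenSSL 1.1.1 SSL_OP_PRIORITIZE_CHACHA with server preference: if the client's
    top suite is ChaCha20, ChaCha20 suites move to the front of the server list."""
    server = [s for group in parse_groups(server_spec) for s in group]
    if client_order and "CHACHA20" in client_order[0]:
        server = sorted(server, key=lambda s: "CHACHA20" not in s)  # stable sort
    return next((s for s in server if s in client_order), None)

SERVER_GROUPED = ("[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]"
                  ":ECDHE-ECDSA-AES256-GCM-SHA384")           # constructed sample
MOBILE = ["ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-ECDSA-AES128-GCM-SHA256"]
DESKTOP = ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-CHACHA20-POLY1305"]
```

With the grouped server string, MOBILE negotiates ChaCha20 and DESKTOP negotiates AES-GCM, which is the effect the thread is after; the same result follows from PrioritizeChaCha on a plain (ungrouped) list.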
     
  17. eva2000
    sweet thanks for sharing :D :cool:(y)