OpenSSL [PATCH] Use ChaCha20+Poly1305 if it's the client's most preferred cipher - OpenSSL 1.1

eva2000 · Dec 9, 2016

sweet thanks for the info

rdan · Apr 5, 2017

bassie said: ↑

Patch update: compatibility with OpenSSL 1.1.0c + improved ChaCha cipher negotiation.

With this improved cipher negotiation:
A common ChaCha cipher will always be found, even when the first priority is not ChaCha.
Click to expand...

Why isn't working with IE8?
https://community.centminmod.com/th...t-for-openssl-1-0-2j-in-123….9317/#post-47525

eva2000 · Apr 5, 2017

old browsers don't support Chacha20 which need TLS v1.2

rdan · Apr 5, 2017

No. Not chacha.
But the entire SSL config using the latest patch.
It didn't work with IE8
Or maybe it's something to do with the latest Openssl 1.1.0.
As it works fine with 1.0.x

eva2000 · Apr 5, 2017

which IE8 ? XP or Win7 ?

openssl 1.1 disables 3DES ciphers now https://www.openssl.org/news/cl110.txt

Changes between 1.0.2h and 1.1.0 [25 Aug 2016]

*) To mitigate the SWEET32 attack (CVE-2016-2183), 3DES cipher suites
have been disabled by default and removed from DEFAULT, just like RC4.
See the RC4 item below to re-enable both.
[Rich Salz]

...

*) RC4 based libssl ciphersuites are now classed as "weak" ciphers and are
disabled by default. They can be re-enabled using the
enable-weak-ssl-ciphers option to Configure.
[Matt Caswell]
Click to expand...

rdan · Jun 7, 2017

bassie said: ↑

From the Cloudflare github readme:

In fact you should use Cloudflare's cipher suite choice and (backported) patch
Click to expand...

Config has changed now: https://github.com/cloudflare/sslconfig/commit/d42811d5b67b7eac40016d5c6e170fe245886b84

Looks like they are using OpenSSL 1.1.0 now.

eva2000 · Jun 7, 2017

interesting, wonder if centmin mod should default to openssl 1.1.0 branch for LIBRESSL_SWITCH='n'

rdan · Jun 7, 2017

I have this config:
Code:
OPENSSL_VERSION='1.1.0f'
CLOUDFLARE_PATCHSSL='n'
NGINX_DYNAMICTLS='y'       
LIBRESSL_SWITCH='n'  
And using this cipher suite:
https://mozilla.github.io/server-si...&openssl=1.1.0f&hsts=yes&profile=intermediate

I still have TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 supported.
So I don't bother with CLoudflare chacha patch.

eva2000 · Jun 7, 2017

yeah that's one of main reasons for openssl 1.1.x native chacha20 support

buik · Jun 7, 2017

@eva2000 @RoldanLT Hmm seems that they are using Openssl 1.1 with chacha draft (old cacha) backported.
As seen in the results below:

https://www.ssllabs.com/ssltest/analyze.html?d=cloudflare.com&s=2400:cb00:2048:1:0:0:c629:d6a2&latest

Too bad they only commit the config to GitHub but not the patch.
Can someone with a GitHub account send a request to release this patch?

Maybe too many competitors uses their patches.
They have not released a thing themselves anymore since Jun 10, 2016.
(Apart from fixes and backports from internal and external non Cloudflare members)

buik · Jun 7, 2017

@eva2000 as you are using GitHub.
Willing to ask Cloudflare on GitHub about this ongoing sage?
Don't use GitHub myself, only Gitlab.
Thanks.

eva2000 · Jun 7, 2017

off to bed now, so will have to read up later

You should sign up for Github too

buik · Jun 7, 2017

eva2000 said: ↑

off to bed now, so will have to read up later

You should sign up for Github too
Click to expand...

Ok. Sleep well.
I won't sign-up for GitHub as i need to pay to start a repo.
Gitlab is free and works as it should be, so no reason to pay for GitHub.

Therefore my question to you, to ask Cloudflare for the old chaha draft patch.
Thank you in advance.

eva2000 · Jun 7, 2017

I haven't paid for github repos at all (well public)

and signing up just to comment and post issues is free

rdan · Jun 16, 2017

RoldanLT said: ↑

Config has changed now: https://github.com/cloudflare/sslconfig/commit/d42811d5b67b7eac40016d5c6e170fe245886b84

Looks like they are using OpenSSL 1.1.0 now.
Click to expand...

I think they are not using OpenSSL anymore and switch to Boring SSL.
Config is similar to this one: https://www.zeitgeist.se/2014/08/23/optimize-aes-and-chacha20-usage-with-boringssl/

and this commit: https://github.com/cloudflare/sslconfig/commit/30025979eb0fcbadf0f11672cb6b4ea726af0434

buik · Jun 16, 2017

RoldanLT said: ↑

I think they are not using OpenSSL anymore and switch to Boring SSL.
Config is similar to this one: https://www.zeitgeist.se/2014/08/23/optimize-aes-and-chacha20-usage-with-boringssl/

and this commit: https://github.com/cloudflare/sslconfig/commit/30025979eb0fcbadf0f11672cb6b4ea726af0434
Click to expand...

Don't think so.
But that's my personal opinion.
As Cloudflare is using OCSP and BoringSSL won't support OCSP.

Most likely they back-ported
equal preference group from BoringSSL to OpenSSL.
That's a lot less work than bringing OCSP to BoringSSL.

Equal preference group is a decent solution for the chacha hack they used before.

Maybe you could ask Cloudflare on GitHub to release the patch.
Can't do it by myself as i don't use GitHub.

eva2000 · Jun 16, 2017

hmm with all these changes going on without documentation by cloudflare's chacha20 patch, maybe time for centmin mod 123.09beta01 to default to openssl 1.1.x branch heh

rdan · Aug 24, 2017

RoldanLT said: ↑

I think they are not using OpenSSL anymore and switch to Boring SSL.
Config is similar to this one: Optimize AES and ChaCha20 usage with BoringSSL | Zeitgeist

and this commit: Don't mention OpenSSL · cloudflare/sslconfig@3002597 · GitHub
Click to expand...

I was correct: Support ChaCha20 Draft Ciphers in OpenSSL 1.1 · Issue #78 · cloudflare/sslconfig · GitHub

eva2000 · Aug 24, 2017

yeah they did switch to boringssl hence, why centmin mod 123.09beta01 now disables cloudflare patch by default

though it did patch for me a while back still with openssl for centmin mod nginx - haven't checked lately but should be fine as the patch is against nginx itself not openssl

edit: nginx 1.13.4 + openssl 1.0.2l with cloudflare patch enabled doesn't seem to work as discussed above no chacha20 ciphers

but centmin mod nginx 1.13.4 + openssl 1.1.0f + cloudflare patch shows chacha20 but that might be because openssl 1.1 has native chacha20 support
Code (Text):
######################################################################
Patching OpenSSL 1.1.0 branch
######################################################################
Cloudflare Smart ChaCha20 patch
https://community.centminmod.com/posts/35727/
only support ChaCha20 if client's preferred cipher
######################################################################
/usr/local/src/centminmod/patches/openssl/chacha20-smarter.patch
patching file ssl/s3_lib.c
patch unexpectedly ends in middle of line
######################################################################
OpenSSL 1.1.0 branch Smart Chacha20 patched
######################################################################
nginx -V
nginx version: nginx/1.13.4
built by gcc 6.2.1 20160916 (Red Hat 6.2.1-3) (GCC)
built with OpenSSL 1.1.0f 25 May 2017
TLS SNI support enabled
configure arguments: --with-ld-opt='-ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-m64 -march=native -DTCP_FASTOPEN=23 -g -O3 -Wno-error=strict-aliasing -fstack-protector-strong -flto -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations -gsplit-dwarf' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-compat --with-http_stub_status_module --with-http_secure_link_module --with-libatomic --with-http_gzip_static_module --add-dynamic-module=../ngx_brotli --add-dynamic-module=../ngx_pagespeed-1.12.34.2-stable --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.0 --add-module=../ngx_cache_purge-2.3 --add-module=../ngx_devel_kit-0.3.0 --add-module=../set-misc-nginx-module-0.31 --add-module=../echo-nginx-module-0.61 --add-module=../redis2-nginx-module-0.14 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.18 --add-module=../srcache-nginx-module-0.31 --add-module=../headers-more-nginx-module-0.32 --with-pcre=../pcre-8.41 --with-pcre-jit --with-zlib=../zlib-1.2.11 --with-http_ssl_module --with-http_v2_module --with-http_v2_hpack_enc --with-openssl=../openssl-1.1.0f --with-openssl-opt='enable-ec_nistp_64_gcc_128'
Click to expand...

then wihtout cloudflare patch disabled + nginx 1.13.4 + openssl 1.1.0f

rdan · Jan 6, 2018

Seems this is not working anymore?
"CLOUDFLARE_PATCHSSL".

Log in / Register

Forums

Learn about Centmin Mod LEMP Stack today

OpenSSL [PATCH] Use ChaCha20+Poly1305 if it's the client's most preferred cipher - OpenSSL 1.1

eva2000 Administrator Staff Member

rdan Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

eva2000 Administrator Staff Member

buik “The best traveler is one without a camera.”

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

rdan Well-Known Member

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

rdan Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

.

Log in / Register

Useful Searches

Learn about Centmin Mod LEMP Stack today

OpenSSL [PATCH] Use ChaCha20+Poly1305 if it's the client's most preferred cipher - OpenSSL 1.1

eva2000 Administrator Staff Member

rdan Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

eva2000 Administrator Staff Member

buik “The best traveler is one without a camera.”

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

rdan Well-Known Member

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

rdan Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

.