
Beta Branch update inc/openssl_install.inc OpenSSL 1.1.1 optional patch

Discussion in 'Centmin Mod Github Commits' started by eva2000, Oct 20, 2018.

  1. eva2000

    eva2000 Administrator Staff Member

    update inc/openssl_install.inc OpenSSL 1.1.1 optional patch

    - experimental OpenSSL 1.1.1 patch to backport TLS 1.3 draft 23, 26, 27 and 28 support when persistent config file /etc/centminmod/custom_config.inc set to OPENSSL_TLSONETHREE_BACKPORTDRAFTS='y' prior to nginx recompiles via centmin.sh menu option 4


    123.09beta01 branch
     
  2. eva2000

    eva2000 Administrator Staff Member

    FYI, if you enable this patch ssllabs/testssl seems to report failed client handshakes for Chrome 65/69 and Firefox 59/62, but real browsers seem fine. The same is happening with Cloudflare proxied sites: Ssllabs.com shows an error on a Cloudflare hosted domain and on www.cloudflare.com

    Seems it's because ssllabs/testssl only support TLS 1.3 rfc final.

    But it works
    Code (Text):
     Testing protocols via sockets except NPN+ALPN
    
     SSLv2      not offered (OK)
     SSLv3      not offered (OK)
     TLS 1      offered
     TLS 1.1    offered
     TLS 1.2    offered (OK)
     TLS 1.3    offered (OK): draft 28, draft 26, draft 23, final
     NPN/SPDY   not offered
     ALPN/HTTP2 h2, http/1.1 (offered)
    


    For discussion on OpenSSL 1.1.1 TLS 1.3 and Centmin Mod Nginx see OpenSSL - OpenSSL 1.1.1 Released with TLS 1.3 Support
     
  3. bassie

    bassie Well-Known Member

    Old TLS 1.3 drafts right now?
    As Chrome is supporting TLS 1.3 final.

    Same goes for Firefox in 3 days.

    Edge and Safari do not support TLS 1.3, and if they do, it will be the final TLS 1.3 at once.
     
  4. eva2000

    eva2000 Administrator Staff Member

    Yeah backported drafts are experimental for testing and optional not enabled by default :)
     
  5. eva2000

    eva2000 Administrator Staff Member

    Interesting: backported TLS 1.3 drafts for OpenSSL 1.1.1 on Opera 56/Chrome 69 result in a connection via the TLS 1.3 chacha20 cipher when connecting to TLS 1.3 draft 28 :)

    [Screenshot: opera56-centminmo-nginx-15.6-openssl-1.1.1-backported-tls13-drafts-01.png]

    while Chrome 70 connected via TLS 1.3 rfc final for AES_128_GCM

    [Screenshot: chrome70-centminmo-nginx-15.6-openssl-1.1.1-backported-tls13-drafts-01.png]
     
    Last edited: Oct 23, 2018
  6. Itworx4me

    Itworx4me Premium Member Premium Member

    How does a person know what version of TLS they are running?
     
  7. eva2000

    eva2000 Administrator Staff Member

    To test the server side, you can use the testssl testing script drwetter/testssl.sh

    which reports the following for the above patch-enabled OpenSSL 1.1.1 for TLS 1.3 draft 23, 26, 28 and rfc final
    Code (Text):
     Testing protocols via sockets except NPN+ALPN
    
     SSLv2      not offered (OK)
     SSLv3      not offered (OK)
     TLS 1      offered
     TLS 1.1    offered
     TLS 1.2    offered (OK)
     TLS 1.3    offered (OK): draft 28, draft 26, draft 23, final
     NPN/SPDY   not offered
     ALPN/HTTP2 h2, http/1.1 (offered)
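For a repeatable check of that output, here is an added example (not from this thread or from Centmin Mod) that parses the "Testing protocols" section testssl.sh prints and flags a TLS 1.3 line that offers drafts, or only drafts, which is the case behind the ssllabs/testssl handshake failures mentioned earlier. The sample text is constructed from the output above; the drafts-only variant is hypothetical.

```python
import re
# Constructed samples of testssl.sh's "Testing protocols" section (SAMPLE_DRAFTS_ONLY is hypothetical).
SAMPLE_PATCHED = """\
 Testing protocols via sockets except NPN+ALPN

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered
 TLS 1.1    offered
 TLS 1.2    offered (OK)
 TLS 1.3    offered (OK): draft 28, draft 26, draft 23, final
 NPN/SPDY   not offered
 ALPN/HTTP2 h2, http/1.1 (offered)
"""
SAMPLE_DRAFTS_ONLY = SAMPLE_PATCHED.replace("draft 23, final", "draft 23")

# One protocol line: name, offered/not offered, optional "(OK)", optional ": details".
PROTO_LINE = re.compile(r"^\s*(SSLv2|SSLv3|TLS 1(?:\.[123])?)\s+(offered|not offered)"
                        r"(?:\s*\(OK\))?(?::\s*(.*?))?\s*$")

def parse_protocols(text):
    """Map each protocol to whether it is offered and which variants were listed."""
    protocols = {}
    for line in text.splitlines():
        m = PROTO_LINE.match(line)
        if not m:
            continue  # section header, NPN/ALPN lines, blanks
        name, status, detail = m.groups()
        variants = [v.strip() for v in detail.split(",")] if detail else []
        protocols[name] = {"offered": status == "offered", "variants": variants}
    return protocols

def assess_tls13(protocols):
    """Findings for the TLS 1.3 line: drafts are experimental, and without
    'final' current browsers and RFC-only scanners will fail the handshake."""
    tls13 = protocols.get("TLS 1.3")
    if not tls13 or not tls13["offered"]:
        return ["TLS 1.3 not offered"]
    findings = []
    drafts = [v for v in tls13["variants"] if v.startswith("draft")]
    if "final" not in tls13["variants"]:
        findings.append("TLS 1.3 RFC-final missing: only drafts offered")
    if drafts:
        findings.append("experimental TLS 1.3 drafts offered: " + ", ".join(drafts))
    return findings

def legacy_offered(protocols):
    """Protocols testssl.sh lists as offered without an (OK) verdict."""
    return [p for p in ("SSLv2", "SSLv3", "TLS 1", "TLS 1.1") if protocols.get(p, {}).get("offered")]
```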
    
     
  8. Itworx4me

    Itworx4me Premium Member Premium Member

    So I run this code from the command line:
    git clone --depth 1 drwetter/testssl.sh

    Then I can use this command (testssl.sh) to get the output above?

    Thanks,
    Itworx4me
     
  9. eva2000

    eva2000 Administrator Staff Member

    I'd do something like
    Code (Text):
    mkdir -p /root/tools
    cd /root/tools
    git clone --depth 1 https://github.com/drwetter/testssl.sh.git testssl
    cd testssl
    ./testssl https://yourdomain.com
    
     
  10. Itworx4me

    Itworx4me Premium Member Premium Member

    I had to change the last line to this in order for it to work.
    Code (Text):
    ./testssl.sh https://yourdomain.com


    Thank you for your help
    Itworx4me
     
  11. eva2000

    eva2000 Administrator Staff Member

    ah yes testssl.sh :)
     