
Nginx HTTP/2 & OpenSSL 1.1.0 patch updates

- Update inc/nginx_patch.inc for optional HTTP/2 full HPACK encoding support when using the OpenSSL 1.0.2 branch rather than the OpenSSL 1.1.x branch, i.e. OPENSSL_VERSION='1.0.2l'. When Nginx 1.13.1 or newer + NGINX_PATCH='y' (default) + LIBRESSL_SWITCH='n' + NGINX_HPACK='y' are set in the persistent config file at /etc/centminmod/custom_config.inc (disabled by default), optional HTTP/2 full HPACK encoding support for nginx is enabled as per the RFC7541 spec when you run centmin.sh menu option 4 to compile Nginx. Full HTTP/2 HPACK encoding support is provided via a Cloudflare patch which improves the header compression ratio by 5-10% for the first response, and by 40-95% for subsequent responses on the connection. Currently this is not fully working with Nginx 1.13.1, so it is just prep work for now; keep NGINX_PATCH='n' set, which is the current default.
- Cloudflare Patch enabled full HTTP/2 HPACK encoding versus Nginx partial HTTP/2 HPACK encoding details at https://blog.cloudflare.com/hpack-the-silent-killer-feature-of-http-2/
- Update patches/openssl/chacha20-smarter.patch switch to cloudflare's openssl__1.1.0_chacha20_poly1305.patch patch
centminmod committed Jun 23, 2017
1 parent b7f151b commit 30882e762d9b4e4d23d835b3c58014fdd05a53d1
Showing with 37 additions and 21 deletions.
  1. +24 −0 inc/nginx_patch.inc
  2. +13 −21 patches/openssl/chacha20-smarter.patch
@@ -1,3 +1,26 @@
ngx_hpack_patch() {
if [ "$ngver" ]; then
DETECT_NGXVER=$(awk '/define nginx_version / {print $3}' "/svr-setup/nginx-$ngver/src/core/nginx.h")
NGINX_PUSHBASE=$ngver
echo "$DETECT_NGXVER"
else
DETECT_NGXVER=$(awk '/define nginx_version / {print $3}' "/svr-setup/nginx-${NGINX_VERSION}/src/core/nginx.h")
NGINX_PUSHBASE=$NGINX_VERSION
echo "$DETECT_NGXVER"
fi
if [[ "$NGINX_HPACK" = [yY] && "$LIBRESSL_SWITCH" = [nN] && "$DETECT_NGXVER" -ge '1013001' ]]; then
pushd "${DIR_TMP}/nginx-${NGINX_PUSHBASE}"
cecho "patching nginx http/2 full HPACK encoding support" $boldyellow
cecho "https://github.com/cloudflare/sslconfig/raw/hpack_1.13.1/patches/nginx_1.13.1_http2_hpack.patch" $boldyellow
wget https://github.com/cloudflare/sslconfig/raw/hpack_1.13.1/patches/nginx_1.13.1_http2_hpack.patch
cecho "patch -p1 < nginx_1.13.1_http2_hpack.patch" $boldyellow
patch -p1 < nginx_1.13.1_http2_hpack.patch
echo
echo "patching nginx http/2 full HPACK encoding for nginx 1.13.1+"
popd
fi
}
ngx_httppush_patch() {
if [ "$ngver" ]; then
DETECT_NGXVER=$(awk '/define nginx_version / {print $3}' "/svr-setup/nginx-$ngver/src/core/nginx.h")
@@ -294,6 +317,7 @@ patchnginx() {
rm -rf "${NGINXTLSPATCH_NAME}"
fi
fi
ngx_hpack_patch
} 2>&1 | tee "${CENTMINLOGDIR}/patch_patchnginx_${DT}.log"
}
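Review bot: In the new ngx_hpack_patch the patch is fetched with a bare `wget` and applied with `patch -p1` without checking either exit status, so a failed download or a rejected hunk still prints the "patching nginx http/2 full HPACK encoding for nginx 1.13.1+" line and the build continues against an unpatched or half-patched tree. The URL also follows the `hpack_1.13.1` branch rather than a fixed commit, and nothing compares the downloaded bytes against a known digest, so the code compiled into nginx can change silently between runs. I would fail closed on both steps, e.g. `wget -O nginx_1.13.1_http2_hpack.patch https://github.com/cloudflare/sslconfig/raw/hpack_1.13.1/patches/nginx_1.13.1_http2_hpack.patch || { popd; return 1; }` followed by `patch -p1 < nginx_1.13.1_http2_hpack.patch || { popd; return 1; }`, and pin the source to a commit or verify a recorded SHA-256 (`<expected-sha256-placeholder>`) before applying. Less urgently, the version is read from a hard-coded /svr-setup/nginx-… path while the patch is applied under ${DIR_TMP}/nginx-…; if those two paths can differ, the version gate and the patch target are not the same tree. patchnginx, which gains the `ngx_hpack_patch` call in the second hunk, starts outside the hunk.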
@@ -1,23 +1,16 @@
From 4fb0dc4dfgtrh65876987ottj6768gdfsdklilod6a Mon Sep 17 00:00:00 2001
From: Bassie / Buik <allesisvoorbassiesdikkebuik@local>
Date: Fri, 25 Nov 2016 12:05:27 -0800
Subject: [PATCH] Use OpenSSL 1.1's ChaCha20+Poly1305 if it is the client's most preferred cipher suite.
Use OpenSSL 1.1.0c's ChaCha20+Poly1305 if it is the client's most preferred cipher suite. With improved cipher negotiation: a common ChaCha cipher will always be found,
even when the first priority is not ChaCha.
Ported from the following source: https://github.com/cloudflare/sslconfig
Index: ssl/s3_lib.c
===================================================================
--- a/ssl/s3_lib.c 2016-11-10 15:03:46.000000000 +0100
+++ b/ssl/s3_lib.c 2016-12-08 03:08:45.167225455 +0100
@@ -3582,6 +3582,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index e94ee83..3cd7e3a 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3582,6 +3582,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
STACK_OF(SSL_CIPHER) *prio, *allow;
int i, ii, ok;
unsigned long alg_k, alg_a, mask_k, mask_a;
+ int use_chacha = 0;
/* Let's see which ciphers we can support */
@@ -3610,13 +3611,20 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL
@@ -3610,13 +3611,20 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
fprintf(stderr, "%p:%s\n", (void *)c, c->name);
}
#endif
@@ -26,7 +19,7 @@ Index: ssl/s3_lib.c
if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || tls1_suiteb(s)) {
prio = srvr;
allow = clnt;
+ /* Use ChaCha20+Poly1305 iff it's client's most preferred cipher suite */
+ /* Use ChaCha20+Poly1305 if it's client's most preferred cipher suite */
+ if (sk_SSL_CIPHER_num(clnt) > 0) {
+ c = sk_SSL_CIPHER_value(clnt, 0);
+ if (c->algorithm_enc == SSL_CHACHA20POLY1305)
@@ -39,30 +32,29 @@ Index: ssl/s3_lib.c
}
tls1_set_cert_validity(s);
@@ -3634,6 +3642,10 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL
@@ -3634,6 +3642,10 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
DTLS_VERSION_GT(s->version, c->max_dtls)))
continue;
+ /* Skip ChaCha unless top client priority */
+ if ((c->algorithm_enc == SSL_CHACHA20POLY1305) && !use_chacha)
+ /* Skip ChaCha unless top client priority */
+ if (c->algorithm_enc == SSL_CHACHA20POLY1305 && !use_chacha)
+ continue;
+
mask_k = s->s3->tmp.mask_k;
mask_a = s->s3->tmp.mask_a;
#ifndef OPENSSL_NO_SRP
@@ -3687,6 +3699,15 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL
@@ -3687,6 +3699,14 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
break;
}
}
+
+ if (ret == NULL && !use_chacha) {
+ if (ret == NULL && !use_chacha) {
+ /* If no shared cipher was found due to some unusual preferences, try
+ * again with CHACHA enabled even if not top priority */
+ use_chacha = 1;
+ goto retry;
+ }
+
+
return (ret);
}
