Enable CHACHA20-Draft Version in Openssl 1.1.0 and later #1

Closed
JemmyLoveJenny opened this Issue Jul 11, 2018 · 328 comments

JemmyLoveJenny commented Jul 11, 2018

The Cloudflare patch can enable both CHACHA20-RFC (0xcca8-0xccaa) ciphers and CHACHA20-Draft (0xcc13-0xcc15) ciphers in OpenSSL 1.0.2f-j.
I tried to make the Cloudflare patch compatible with OpenSSL-1.1.1-pre9 myself, by adding the CHACHA-Draft back to it, but I met a lot of difficulties and caused many errors.
Can you please make a patch that enables both the RFC and Draft CHACHA20 ciphers in OpenSSL 1.1.0?
I think it would be very useful for everyone.

Owner

hakasenyang commented Jul 11, 2018

I think it's useful, but the draft version is obsolete.
As of 1.1.0, chacha20 supports the rfc version, not the draft version.

1.0.2 and 1.1.1 have a lot of differences, which makes it difficult to patch.

I will try, but I do not know if it is possible.

P.S. Google (google.com, etc.) has already removed OLD CHACHA from SSL Cipher.

Sorry for my poor English.

Author

JemmyLoveJenny commented Jul 11, 2018

Though draft version ciphers are obsolete, they are still secure.
As far as I know, Cloudflare is still using Draft version ciphers to perform handshake with Android 6 devices.
No matter whether it is possible or not, thank you very much. And I've learnt a lot from your patches.
P.S. I'm not an English speaker either! :)


railjty commented Jul 15, 2018

Also, old devices with old Android (like 5.0 and 6.0) can only use chacha20-draft.

Owner

hakasenyang commented Jul 16, 2018

I tried to support the CHACHA draft and the CHACHA draft handshake succeeded, but subsequent encryption and decryption failed.

It's too hard. :(

It is recommended to use AES because AES also guarantees sufficient safety... :-)


railjty commented Jul 17, 2018

You can see boringssl branch 2987 (git clone -b 2987 https://github.com/google/boringssl) and Cloudflare's patch (https://github.com/cloudflare/sslconfig/).


railjty commented Jul 17, 2018

But you need to know that Cloudflare's patch uses AVX/AVX2 and SSE4, which could not work on some servers (like Raspberry Pi, old Intel/AMD processors and ALL ARM DEVICES).
EDIT: Now I tested the pure C code in the patch and it is OK for all devices, with a super fast speed.

Owner

hakasenyang commented Jul 17, 2018

I have searched for related materials, but for me, assembly is too difficult.

I am currently consulting documentation on encryption and decryption after handshaking.


railjty commented Jul 17, 2018

Thank you!


railjty commented Jul 18, 2018

Encryption and decryption after handshaking is more difficult than the handshake... You can read the code in BoringSSL branch 2987; it's a good example that has both the RFC version and the Draft version.

Author

JemmyLoveJenny commented Jul 21, 2018

The documentation of Chacha-Draft is here
https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-04

And the documentation of ChaCha-RFC version is here
https://tools.ietf.org/html/rfc7905

There isn't much difference between these two I think...
I've found a page that tells the differences here
https://blog.cloudflare.com/it-takes-two-to-chacha-poly/

I tried to rewrite the code with these documents, but I can't even compile it successfully!
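
Added example (not part of the thread, the patch, or OpenSSL): the two documents linked above differ in how the per-record nonce and the Poly1305 input are built, which the C below lays out side by side. Function names, the sample IV and the sample record are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS sequence numbers are big-endian; Poly1305 length fields are little-endian.
 * (The ciphers also differ underneath: draft = 64-bit counter/64-bit nonce,
 * RFC 7539 = 32-bit counter/96-bit nonce.) */
static void put_be64(uint8_t *p, uint64_t v) { for (int i = 7; i >= 0; i--, v >>= 8) p[i] = (uint8_t)v; }
static void put_le64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++, v >>= 8) p[i] = (uint8_t)v; }
static size_t pad16(size_t n) { return (16 - n % 16) % 16; }

/* Draft (0xcc13-0xcc15): the nonce is the 8-byte record sequence number, no IV. */
size_t nonce_draft(uint8_t out[8], uint64_t seq)
{
    put_be64(out, seq);
    return 8;
}

/* RFC 7905 (0xcca8-0xccaa): 12-byte write IV XOR (four zero bytes || seq). */
size_t nonce_rfc7905(uint8_t out[12], const uint8_t iv[12], uint64_t seq)
{
    uint8_t padded[12] = {0};
    put_be64(padded + 4, seq);
    for (int i = 0; i < 12; i++)
        out[i] = iv[i] ^ padded[i];
    return 12;
}

/* Draft Poly1305 input: AAD || le64(len AAD) || CT || le64(len CT).
 * Returns the number of bytes written, or 0 if out is too small. */
size_t mac_input_draft(uint8_t *out, size_t cap, const uint8_t *aad, size_t aad_len,
                       const uint8_t *ct, size_t ct_len)
{
    size_t need = aad_len + 8 + ct_len + 8;
    if (need > cap) return 0;
    memcpy(out, aad, aad_len);
    put_le64(out + aad_len, aad_len);
    memcpy(out + aad_len + 8, ct, ct_len);
    put_le64(out + aad_len + 8 + ct_len, ct_len);
    return need;
}

/* RFC 7539 Poly1305 input: AAD || pad16 || CT || pad16 || le64(len AAD) || le64(len CT). */
size_t mac_input_rfc(uint8_t *out, size_t cap, const uint8_t *aad, size_t aad_len,
                     const uint8_t *ct, size_t ct_len)
{
    size_t ct_off = aad_len + pad16(aad_len);
    size_t len_off = ct_off + ct_len + pad16(ct_len);
    if (len_off + 16 > cap) return 0;
    memset(out, 0, len_off + 16);          /* zero fill provides both paddings */
    memcpy(out, aad, aad_len);
    memcpy(out + ct_off, ct, ct_len);
    put_le64(out + len_off, aad_len);
    put_le64(out + len_off + 8, ct_len);
    return len_off + 16;
}

/* Constructed sample: TLS 1.2 AAD = seq(8) || type(1) || version(2) || length(2). */
static const uint8_t SAMPLE_IV[12] = {0xa0,0xa1,0xa2,0xa3,0xa4,0xa5,0xa6,0xa7,0xa8,0xa9,0xaa,0xab};
static const uint8_t SAMPLE_AAD[13] = {0,0,0,0,0,0,0,1, 0x17, 0x03,0x03, 0x00,0x05};
static const uint8_t SAMPLE_CT[5] = {0xde,0xad,0xbe,0xef,0x00};

int main(void)
{
    uint8_t n8[8], n12[12], buf[64];
    nonce_draft(n8, 1);
    nonce_rfc7905(n12, SAMPLE_IV, 1);
    printf("draft nonce ends %02x, RFC nonce ends %02x\n", n8[7], n12[11]);
    printf("draft MAC input: %zu bytes\n", mac_input_draft(buf, sizeof buf, SAMPLE_AAD, 13, SAMPLE_CT, 5));
    printf("RFC MAC input:   %zu bytes\n", mac_input_rfc(buf, sizeof buf, SAMPLE_AAD, 13, SAMPLE_CT, 5));
}
```

For the same record the two layouts produce different nonces and different MAC inputs, so a record protected under one variant cannot be decrypted or authenticated by code that implements only the other.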


railjty commented Jul 22, 2018

The draft version is for old servers which have no SSE or AVX code; that makes the code run on almost all devices.


ymshenyu commented Jul 26, 2018

Maybe Chrome or Firefox on Android 6 could use RFC chacha20, and Chrome supports TLS 1.3 draft 28 now. @hakasenyang does that mean we don't need draft 23 anymore?


railjty commented Jul 26, 2018

@ymshenyu No, we need to make the Internet safer, and TLS 1.3 draft 23, 26 and 28 are safe enough, so we needn't delete draft 23 support.


ymshenyu commented Jul 26, 2018

@railjty OK, actually draft 23 and 28 are draft standards, so they are both safe I think, and Android Chrome is still using draft 23. Android Chrome has not released version 68 yet.

Owner

hakasenyang commented Aug 16, 2018

I kept trying it all the time, but it is very difficult.
I'm sorry. I think it is probably hard to solve.

Author

JemmyLoveJenny commented Aug 16, 2018

That's all right... you needn't say sorry at all. It is really a difficult thing. I'm sorry that this issue may have cost you a lot of time :( . Thank you anyway!


ymshenyu commented Aug 17, 2018

The TLS 1.3 standard version came out: https://www.rfc-editor.org/rfc/rfc8446.txt


ymshenyu commented Aug 17, 2018

Owner

hakasenyang commented Aug 17, 2018

Author

JemmyLoveJenny commented Aug 18, 2018

@hakasenyang I faced a problem with your new patch, but I don't want to start a new issue...
I upgraded my openssl and used your patch again, however this time my server cannot even establish tls1.3 handshake?
openssl s_client -connect localhost:443 -servername breakwall.ml -tls1_3
this is the command I used to try tls1.3 handshake, however openssl responded

CONNECTED(00000005)
140621557682624:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1528:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 249 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

And nginx logged
2018/08/18 09:28:37 [crit] 22523#22523: *3 SSL_do_handshake() failed (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking,

I tried the newest version and the exact version of openssl you said which is compatible (https://github.com/openssl/openssl/tree/2805ee1e095a78f596dc7adf778441e2edb9f15c)
Neither with nor without the "_ciphers" patch does it support any version of TLS 1.3.

I wonder why...
(If you want to connect to my server, you have to use SNI...)

And if I don't use any patch, s_client still cannot establish a TLS 1.3 handshake.
I have no idea whether the original nginx and original openssl can support TLS 1.3 if I don't use any patch.

Owner

hakasenyang commented Aug 18, 2018

Hello, @JemmyLoveJenny

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered
 TLS 1.1    offered
 TLS 1.2    offered (OK)
 TLS 1.3    not offered
 NPN/SPDY   h2, spdy/3.1, http/1.1 (advertised)
 ALPN/HTTP2 h2, spdy/3.1, http/1.1 (offered)

Your server has not been enabled for TLS 1.3.
Please check your nginx settings and the openssl version again.

Use nginx -V

Example)

# nginx -V
nginx version: nginx/1.15.3
built by gcc 8.1.0 (GCC)
built with OpenSSL 1.1.1-pre9-dev  xx XXX xxxx
TLS SNI support enabled

ymshenyu commented Aug 18, 2018

BoringSSL with Nginx trunk can use 0-RTT now, but I don't like BoringSSL because it didn't support OCSP stapling by default, and I don't want to use a patch to turn it on.

Author

JemmyLoveJenny commented Aug 18, 2018

@hakasenyang I'm sure that I enabled TLS1.3

        # SSL Settings
        ##
        #
        #Protocols
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
        #
        #Key Exchange
        ssl_ecdh_curve X25519:P-256:P-384:P-224:P-521;
        ssl_dhparam /var/SSL/DH-param.pem;
        #
        #Cipher Suites
        ssl_ciphers "[TLS_AES_128_GCM_SHA256|TLS_CHACHA20_POLY1305_SHA256]:[TLS_AES_256_GCM_SHA384|TLS_AES_128_CCM_8_SHA256|TLS_AES_128_CCM_SHA256]:[ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256|DHE-RSA-CHACHA20-POLY1305]:[ECDHE-ECDSA-AES256-GCM-SHA384|ECDHE-RSA-AES256-GCM-SHA384]:[ECDHE-ECDSA-AES128-SHA|ECDHE-RSA-AES128-SHA]:[ECDHE-ECDSA-AES256-SHA|ECDHE-RSA-AES256-SHA]:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA";
        ssl_prefer_server_ciphers on;
        #

and my nginx

nginx version: nginx/1.15.0
built by gcc 7.3.0 (Ubuntu 7.3.0-16ubuntu3)
built with OpenSSL 1.1.1-pre9-dev  xx XXX xxxx
TLS SNI support enabled

and I set some options of openssl when compiling nginx

--with-openssl=../openssl \
--with-openssl-opt='enable-weak-ssl-ciphers no-comp enable-egd threads' \

ymshenyu commented Aug 18, 2018

@JemmyLoveJenny Maybe the nginx version? My server still uses pre8. I am not sure.

Author

JemmyLoveJenny commented Aug 18, 2018

@ymshenyu My configuration worked well when I was using openssl-pre9 with tls1.3 28.


ymshenyu commented Aug 18, 2018

@JemmyLoveJenny Well, reconfigure openssl without the patch?

Author

JemmyLoveJenny commented Aug 18, 2018

@ymshenyu I tried reconfiguring without the patch, but I still can't establish a TLS 1.3 handshake. But I don't think the original openssl with nginx supports TLS 1.3.

Owner

hakasenyang commented Aug 18, 2018

@JemmyLoveJenny Could you test the openssl build with this version?
https://git.hakase.app/Hakase/openssl-custom

Author

JemmyLoveJenny commented Aug 18, 2018

@hakasenyang Wait a minute, I will try...

Author

JemmyLoveJenny commented Oct 6, 2018

@hakasenyang I am concerned about the efficiency of the code.
I don't know whether "if" judgement execution(your e_chacha20_poly1305.c) or multiple sequential execution(mine) is the quicker one.
I'm sure that mine uses more memory than yours, but how about the speed?

Author

JemmyLoveJenny commented Oct 6, 2018

@NewBugger Telegram… It's getting harder and harder to get over the wall.

Owner

hakasenyang commented Oct 6, 2018

@JemmyLoveJenny View stackoverflow.

  1. One indirect function call is more expensive than one if condition.

  2. Several if conditions are more expensive than an indirect function call.

  3. Worrying about speed at this point is pointless:
    You are waiting on the latency of the user, and you are handling stuff he can look at (i. e. there won't be huge amounts of checkboxes). Optimizing code that is executed less than a million times per second on a detailed level like this is absolutely pointless.

Speed is very important, but not very serious... maybe.... 🤔

Author

JemmyLoveJenny commented Oct 6, 2018

@hakasenyang Now I see... ThankU :D


ymshenyu commented Oct 6, 2018

@JemmyLoveJenny If you're an optimization fanatic, use jemalloc for all of your software.


kn007 commented Oct 6, 2018

@ymshenyu Not every piece of software can use jemalloc.


ymshenyu commented Oct 6, 2018

Although it is only memory management, I


ymshenyu commented Oct 6, 2018

I only compiled it into nginx and mariadb.


ymshenyu commented Oct 6, 2018

@kn007 I've seen dcc, a blogger in China, use jemalloc with openssl XD

hakasenyang added a commit that referenced this issue Oct 6, 2018


kn007 commented Oct 6, 2018

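That works, and I do the same.. why not?
But something like PHP 5 doesn't work, it will segfault; I haven't tried 7, so I can't confirm for now.
So it's not the case that anything can use it.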


ymshenyu commented Oct 6, 2018

@kn007 Even a crypto library like this gets a memory manager thrown in; you bloggers really are optimization fanatics.

Owner

hakasenyang commented Oct 6, 2018

Cloudflare:

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (RFC)
-----------------------------------------------------------------------------------------------------------------------------
SSLv2
SSLv3
TLS 1
 xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA
 xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA
 x0a     DES-CBC3-SHA                      RSA        3DES        168      TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS 1.1
 xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA
 xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA
TLS 1.2
 xcc14   ECDHE-ECDSA-CHACHA20-POLY1305-OLD ECDH 256   ChaCha20    256      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD
 xcc13   ECDHE-RSA-CHACHA20-POLY1305-OLD   ECDH 256   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 256   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH 256   AESGCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 xc028   ECDHE-RSA-AES256-SHA384           ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 xc024   ECDHE-ECDSA-AES256-SHA384         ECDH 256   AES         256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
 xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 xc00a   ECDHE-ECDSA-AES256-SHA            ECDH 256   AES         256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
 xcca9   ECDHE-ECDSA-CHACHA20-POLY1305     ECDH 253   ChaCha20    256      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
 xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 253   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 x9d     AES256-GCM-SHA384                 RSA        AESGCM      256      TLS_RSA_WITH_AES_256_GCM_SHA384
 x3d     AES256-SHA256                     RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA256
 x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA
 xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 256   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 xc02b   ECDHE-ECDSA-AES128-GCM-SHA256     ECDH 256   AESGCM      128      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 xc027   ECDHE-RSA-AES128-SHA256           ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 xc023   ECDHE-ECDSA-AES128-SHA256         ECDH 256   AES         128      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
 xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 xc009   ECDHE-ECDSA-AES128-SHA            ECDH 256   AES         128      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
 x9c     AES128-GCM-SHA256                 RSA        AESGCM      128      TLS_RSA_WITH_AES_128_GCM_SHA256
 x3c     AES128-SHA256                     RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA256
 x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA
TLS 1.3
 x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384
 x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256
 x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256

My Server:

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (RFC)
-----------------------------------------------------------------------------------------------------------------------------
SSLv2
SSLv3
TLS 1
 xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 xc00a   ECDHE-ECDSA-AES256-SHA            ECDH 256   AES         256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
 x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA
 xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 xc009   ECDHE-ECDSA-AES128-SHA            ECDH 256   AES         128      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
 x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA
 x0a     DES-CBC3-SHA                      RSA        3DES        168      TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS 1.1
 xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 xc00a   ECDHE-ECDSA-AES256-SHA            ECDH 256   AES         256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
 xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 xc009   ECDHE-ECDSA-AES128-SHA            ECDH 256   AES         128      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS 1.2
 xcc14   ECDHE-ECDSA-CHACHA20-POLY1305-OLD ECDH 256   ChaCha20    256      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD
 xcc13   ECDHE-RSA-CHACHA20-POLY1305-OLD   ECDH 256   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 256   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH 256   AESGCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 xc00a   ECDHE-ECDSA-AES256-SHA            ECDH 256   AES         256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
 xcca9   ECDHE-ECDSA-CHACHA20-POLY1305     ECDH 253   ChaCha20    256      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
 xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 253   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 256   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 xc02b   ECDHE-ECDSA-AES128-GCM-SHA256     ECDH 256   AESGCM      128      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 xc009   ECDHE-ECDSA-AES128-SHA            ECDH 256   AES         128      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS 1.3
 x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384
 x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256
 x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256

😄 😄 😄 😄 😄 😄 😄 😄 😄 😄 😄 😄 😄 😄 😄 😄 😄 😄 😄 😄 😄 😄 😄 😄 😄

Author

JemmyLoveJenny commented Oct 6, 2018

@hakasenyang Great 👍


kn007 commented Oct 6, 2018

@hakasenyang openssl-1.1.1-chacha_draft.patch , test pass!

@JemmyLoveJenny It looks like we can close this issue now.

Author

JemmyLoveJenny commented Oct 6, 2018

And what is this tool?

Owner

hakasenyang commented Oct 6, 2018

You can download it from this site.

It is a tool called testssl.sh.

Example) https://ssl.hakase.io/ssltest/hakase.io.html

I used the -E argument.


ymshenyu commented Oct 6, 2018

testssl.sh i guess

Author

JemmyLoveJenny commented Oct 6, 2018

@hakasenyang Thank you
@ymshenyu You guessed right! 😂


ymshenyu commented Oct 6, 2018

@kn007 You can update your October 4 blog post now.

Author

JemmyLoveJenny commented Oct 6, 2018

@hakasenyang And finally, we can close the issue now 👍

Owner

hakasenyang commented Oct 6, 2018

👍

There were so many comments. 😄

Author

JemmyLoveJenny commented Oct 6, 2018

Ahhhh :D


kn007 commented Oct 6, 2018

@hakasenyang Sorry about that...

Owner

hakasenyang commented Oct 6, 2018

@kn007 I'm fine. I welcome any comments. 😃

Author

JemmyLoveJenny commented Oct 6, 2018

@hakasenyang Do you have any idea about how to make this patch compatible with newer versions of OpenSSL?
The number 1195 needs to be changed if the OpenSSL dev team makes commits to files in object/obj_*

Author

JemmyLoveJenny commented Oct 6, 2018

You can find the number 1195 in the patch.
Not only 1195, many numbers must be changed xD

Owner

hakasenyang commented Oct 6, 2018

Unfortunately, I do not know how to do it. 😭
If the patch fails, a .rej file is generated. You should refer to the .rej file and modify it again.
