Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Feature: Use SSL_OP_PRIORITIZE_CHACHA when supported ( openssl 1.1.1 ) #2

Closed
CarterLi opened this issue Apr 5, 2018 · 2 comments
Closed

Feature: Use SSL_OP_PRIORITIZE_CHACHA when supported ( openssl 1.1.1 ) #2

CarterLi opened this issue Apr 5, 2018 · 2 comments

Comments

@CarterLi
Copy link

CarterLi commented Apr 5, 2018
edited
Loading

https://github.com/openssl/openssl/blob/7731e619fba2f9ea1e888bf906289be37c52e6ac/include/openssl/ssl.h#L358

commit 403a3e2323be2109fdda00564953aabdd164bb79
Author: 李通洲 <carter.li@eoitek.com>
Date:   Thu Apr 5 15:50:51 2018 +0800

    SSL_OP_PRIORITIZE_CHACHA

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 88a6dbe..f79c394 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -330,6 +330,10 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
     }
 #endif
 
+#ifdef SSL_OP_PRIORITIZE_CHACHA
+    SSL_CTX_set_options(ssl->ctx, SSL_OP_PRIORITIZE_CHACHA);
+#endif
+
 #ifdef SSL_OP_NO_COMPRESSION
     SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
 #endif

Tested with nginx 1.13.11

$ ./testssl.sh -c test.eoitek.net

###########################################################
    testssl.sh       2.9dev from https://testssl.sh/dev/
    (6b8f6f8 2018-03-28 19:46:55 -- )

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.0.2-chacha (1.0.2i-dev)" [~183 ciphers]
 on litongzhoudeMacBook-Pro:./bin/openssl.Darwin.x86_64
 (built: "Sep  7 19:34:54 2016", platform: "darwin64-x86_64-cc")


 Start 2018-04-05 16:19:57        -->> 127.0.0.1:443 (test.eoitek.net) <<--

 A record via            /etc/hosts
 rDNS (127.0.0.1):       --
 Service detected:       HTTP


 Running client simulations via sockets

 Android 2.3.7                No connection
 Android 4.1.1                TLSv1.0 ECDHE-ECDSA-AES128-SHA, 256 bit ECDH (P-256)
 Android 4.3                  TLSv1.0 ECDHE-ECDSA-AES128-SHA, 256 bit ECDH (P-256)
 Android 4.4.2                TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Android 5.0.0                TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Android 6.0                  TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Android 7.0                  TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305, 253 bit ECDH (X25519)
 Chrome 51 Win 7              TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 253 bit ECDH (X25519)
 Chrome 57 Win 7              TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 253 bit ECDH (X25519)
 Firefox 49 Win 7             TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Firefox 53 Win 7             TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 253 bit ECDH (X25519)
 IE 6 XP                      No connection
 IE 7 Vista                   TLSv1.0 ECDHE-ECDSA-AES128-SHA, 256 bit ECDH (P-256)
 IE 8 XP                      No connection
 IE 8 Win 7                   TLSv1.0 ECDHE-ECDSA-AES128-SHA, 256 bit ECDH (P-256)
 IE 11 Win 7                  TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 IE 11 Win 8.1                TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 IE 11 Win Phone 8.1 Update   TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 IE 11 Win 10                 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Edge 13 Win 10               TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Edge 13 Win Phone 10         TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Opera 17 Win 7               TLSv1.2 ECDHE-ECDSA-AES128-SHA256, 256 bit ECDH (P-256)
 Safari 5.1.9 OS X 10.6.8     TLSv1.0 ECDHE-ECDSA-AES128-SHA, 256 bit ECDH (P-256)
 Safari 7 iOS 7.1             TLSv1.2 ECDHE-ECDSA-AES128-SHA256, 256 bit ECDH (P-256)
 Safari 9 OS X 10.11          TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Safari 10 OS X 10.12         TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Apple ATS 9 iOS 9            TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Tor 17.0.9 Win 7             TLSv1.0 ECDHE-ECDSA-AES128-SHA, 256 bit ECDH (P-256)
 Java 6u45                    No connection
 Java 7u25                    TLSv1.0 ECDHE-ECDSA-AES128-SHA, 256 bit ECDH (P-256)
 Java 8u31                    TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 OpenSSL 1.0.1l               TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 OpenSSL 1.0.2e               TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)

 Done 2018-04-05 16:20:46 [0053s] -->> 127.0.0.1:443 (test.eoitek.net) <<--
@CarterLi CarterLi changed the title Feature: Use SSL_OP_PRIORITIZE_CHACHA when supported it ( openssl 1.1.1 ) Feature: Use SSL_OP_PRIORITIZE_CHACHA when supported ( openssl 1.1.1 ) Apr 5, 2018
@kn007
Copy link
Owner

kn007 commented Apr 5, 2018

I will test it later. Thank you.

Why not send a PR to nginx?

kn007 added a commit that referenced this issue Apr 5, 2018
@kn007
From #2
adc0e7b 
Let nginx using SSL_OP_PRIORITIZE_CHACHA when support
@kn007
Copy link
Owner

kn007 commented Apr 5, 2018

Very nice, merged.

Thanks a lot.

@kn007 kn007 closed this as completed Apr 5, 2018
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@CarterLi @kn007