The current version of OPENSSL-1.0.2J does not support Google's CHACHA20 encryption algorithm. The CHACHA20 encryption algorithm is relatively safe relative to RC4, and is optimized for ARM's mobile phone, making it faster and more power-saving.
However, the latest Intel processors and ARM V8 processors are optimized for AES-GCM encryption algorithms through the AES-NI instruction set, which is much faster than chacha20, so the Aes-ni encryption algorithm is preferred on devices that support AES-GCM instruction sets. Use the CHACHA20 encryption algorithm in cases where the device is not supported.
3 ways to support the CHACHA20 encryption algorithm:
Using Libressl (OpenBSD Fork)
Using Boringssl (Google Fork)
Using patches provided by CloudFlare
Comparison of three methods:
The LIBRESSL can support OCSP stapling, but if CHACHA20 is preferred as the first algorithm, the device supporting the CHACHA20 instruction set will not perform as long as the CHACHA20 algorithm is supported by the AES-NI algorithm .
Boringssl can prioritize the use of AES-GCM encryption algorithms for devices that support the aes-ni instruction set, but OCSP stapling is not currently supported
Patches provided with CloudFlare can be adapted automatically, Aes-ni devices use AES-GCM, unsupported devices use CHACHA20
Environment:
CentOS 6.8 x86_64
Openssl-1.0.2j
Nginx-1.10.2
Download the patch provided by CloudFlare
wget Https://codeload.github.com/cloudflare/sslconfig/zip/master
Download OpenSSL
wget https://www.openssl.org/source/openssl-1.0.2j.tar.gz
Download Nginx
wget http://nginx.org/download/nginx-1.10.2.tar.gz
Install dependent packages
Yum-y install gcc gcc-c++ pcre-devel zlib-devel Unzip patch
Unzip the file
Unzip Mastertar zxf Nginx-1.10.2.tar.gztar zxf openssl-1.0.2j.tar.gz
Patching the OpenSSL
CD Openssl-1.0.2jpatch-p1 <. /sslconfig-master/patches/openssl__chacha20_poly1305_draft_and_rfc_ossl102j.patch# here to explain the need to use the same version of the patch, I am here 1.0.2j with ossl102j PATCHCD.
Compiling Nginx
CD nginx-1.10.2./configure--prefix=/usr/local/nginx1.10.2--user=www--group=www--with-openssl=.. /OPENSSL-1.0.2J--with-http_stub_status_module--with-http_ssl_module--with-http_gzip_static_modulemake & & Make Install
make -f objs/makefilemake[1]: entering directory '/root/nginx-1.10.2 ' cd /openssl-1.0.2j && if [ -f makefile ]; then make clean; fi && ./config --prefix=/root/nginx-1.10.2/. /openssl-1.0.2j/.openssl no-shared && make && make install_sw libdir=libmake[2]: entering directory '/root/openssl-1.0.2j ' makefile is older Than makefile.org, configure or config. reconfigure the source tree (via './config ' or ' perl configure '), please.make[2]: *** [Makefile] Error 1make[2]: Leaving directory '/ Root/openssl-1.0.2j ' Make[1]: *** [. /openssl-1.0.2j/.openssl/include/openssl/ssl.h] error 2make[1]: leaving directory '
The above error message is because the cause of the patch, prompted makefile.org than makefile new, so stop the operation. This time we can manually compile OpenSSL
Cd.. /openssl-1.0.2j./config--prefix=/root/nginx-1.10.2/. /openssl-1.0.2j/.openssl No-sharedmakemake install_sw Libdir=lib
Do && make install again without an error
View results:
/usr/local/nginx1.10.2/sbin/nginx-vnginx version:nginx/1.10.2built by gcc 4.4.7 20120313 (Red Hat 4.4.7-17) (GCC) built With OpenSSL 1.0.2j Sep 2016TLS SNI support enabledconfigure arguments:--prefix=/usr/local/nginx1.10.2--user=www--g Roup=www--with-openssl=. /OPENSSL-1.0.2J--with-http_stub_status_module--with-http_ssl_module--with-http_gzip_static_module
What you can see is the OpenSSL 1.0.2j.
Then the Nginx configuration file is as follows:
server { listen 443; server_name m.abc.com; access_log logs/https_m.abc.com.log main; ssl on; ssl_certificate keys/server.pem; ssl_certificate_key keys/server.key; ssl_protocols tlsv1 tlsv1.1 tlsv1.2; ssl_prefer_server_ciphers on; #定义加密算法 ssl_ciphers eecdh+chacha20:eecdh+chacha20-draft:eecdh+aes128:rsa+ aes128:eecdh+aes256:rsa+aes256:eecdh+3des:rsa+3des:! Md5; ssl_session_timeout 5m; ssl_session_cache builtin :1000 shared:ssl:10m; location / { root html; index index.html; }
Mobile Access with Aes-ni instruction set is not supported using chacha20_poly1305 for encryption and authentication
650) this.width=650; "src=" Http://s1.51cto.com/wyfs02/M02/8A/08/wKiom1gkMyrRLMw7AAHsaGPDzMg254.png "style=" float: none; "title=" 2.png "alt=" Wkiom1gkmyrrlmw7aahsagpdzmg254.png "/>
Mobile Access with AES-NI instruction set supports encryption and authentication using AES_128_GCM
650) this.width=650; "src=" Http://s2.51cto.com/wyfs02/M02/8A/04/wKioL1gkMyvSCcc2AAGh-PYmN1c126.png "style=" float: none; "title=" 3.png "alt=" Wkiol1gkmyvsccc2aagh-pymn1c126.png "/>
This article is from "Maple Night" blog, please be sure to keep this source http://fengwan.blog.51cto.com/508652/1871529
Patch OpenSSL enables it to support chach20_poly1305 encryption algorithms