Patch OpenSSL enables it to support chach20_poly1305 encryption algorithms

The current version of OPENSSL-1.0.2J does not support Google's CHACHA20 encryption algorithm. The CHACHA20 encryption algorithm is relatively safe relative to RC4, and is optimized for ARM's mobile phone, making it faster and more power-saving.

However, the latest Intel processors and ARM V8 processors are optimized for AES-GCM encryption algorithms through the AES-NI instruction set, which is much faster than chacha20, so the Aes-ni encryption algorithm is preferred on devices that support AES-GCM instruction sets. Use the CHACHA20 encryption algorithm in cases where the device is not supported.

3 ways to support the CHACHA20 encryption algorithm:

1. Using Libressl (OpenBSD Fork)

2. Using Boringssl (Google Fork)

3. Using patches provided by CloudFlare

Comparison of three methods:

1. The LIBRESSL can support OCSP stapling, but if CHACHA20 is preferred as the first algorithm, the device supporting the CHACHA20 instruction set will not perform as long as the CHACHA20 algorithm is supported by the AES-NI algorithm .

2. Boringssl can prioritize the use of AES-GCM encryption algorithms for devices that support the aes-ni instruction set, but OCSP stapling is not currently supported

3. Patches provided with CloudFlare can be adapted automatically, Aes-ni devices use AES-GCM, unsupported devices use CHACHA20

Environment:

CentOS 6.8 x86_64

Openssl-1.0.2j

Nginx-1.10.2

Download the patch provided by CloudFlare

wget Https://codeload.github.com/cloudflare/sslconfig/zip/master

Download OpenSSL

wget https://www.openssl.org/source/openssl-1.0.2j.tar.gz

Download Nginx

wget http://nginx.org/download/nginx-1.10.2.tar.gz

Install dependent packages

Yum-y install gcc gcc-c++ pcre-devel zlib-devel Unzip patch

Unzip the file

Unzip Mastertar zxf Nginx-1.10.2.tar.gztar zxf openssl-1.0.2j.tar.gz

Patching the OpenSSL

CD Openssl-1.0.2jpatch-p1 <. /sslconfig-master/patches/openssl__chacha20_poly1305_draft_and_rfc_ossl102j.patch# here to explain the need to use the same version of the patch, I am here 1.0.2j with ossl102j PATCHCD.

Compiling Nginx

CD nginx-1.10.2./configure--prefix=/usr/local/nginx1.10.2--user=www--group=www--with-openssl=.. /OPENSSL-1.0.2J--with-http_stub_status_module--with-http_ssl_module--with-http_gzip_static_modulemake & & Make Install

make -f objs/makefilemake[1]: entering directory  '/root/nginx-1.10.2 ' cd  /openssl-1.0.2j         && if [ -f  makefile ]; then make clean; fi          && ./config --prefix=/root/nginx-1.10.2/. /openssl-1.0.2j/.openssl no-shared          &&  make         && make install_sw  libdir=libmake[2]: entering directory  '/root/openssl-1.0.2j ' makefile is older  Than makefile.org, configure or config. reconfigure the source tree  (via  './config '  or  ' perl configure '),  please.make[2]: *** [Makefile] Error 1make[2]: Leaving directory  '/ Root/openssl-1.0.2j ' Make[1]: *** [. /openssl-1.0.2j/.openssl/include/openssl/ssl.h] error 2make[1]: leaving directory  '

The above error message is because the cause of the patch, prompted makefile.org than makefile new, so stop the operation. This time we can manually compile OpenSSL

Cd.. /openssl-1.0.2j./config--prefix=/root/nginx-1.10.2/. /openssl-1.0.2j/.openssl No-sharedmakemake install_sw Libdir=lib

Do && make install again without an error

View results:

/usr/local/nginx1.10.2/sbin/nginx-vnginx version:nginx/1.10.2built by gcc 4.4.7 20120313 (Red Hat 4.4.7-17) (GCC) built With OpenSSL 1.0.2j Sep 2016TLS SNI support enabledconfigure arguments:--prefix=/usr/local/nginx1.10.2--user=www--g Roup=www--with-openssl=. /OPENSSL-1.0.2J--with-http_stub_status_module--with-http_ssl_module--with-http_gzip_static_module

What you can see is the OpenSSL 1.0.2j.

Then the Nginx configuration file is as follows:

server {    listen       443;     server_name m.abc.com;    access_log  logs/https_m.abc.com.log   main;    ssl on;    ssl_certificate keys/server.pem;     ssl_certificate_key keys/server.key;    ssl_protocols  tlsv1 tlsv1.1 tlsv1.2;    ssl_prefer_server_ciphers on;      #定义加密算法     ssl_ciphers eecdh+chacha20:eecdh+chacha20-draft:eecdh+aes128:rsa+ aes128:eecdh+aes256:rsa+aes256:eecdh+3des:rsa+3des:! Md5;    ssl_session_timeout 5m;    ssl_session_cache builtin :1000 shared:ssl:10m;    location / {         root html;        index index.html;    } 

Mobile Access with Aes-ni instruction set is not supported using chacha20_poly1305 for encryption and authentication

650) this.width=650; "src=" Http://s1.51cto.com/wyfs02/M02/8A/08/wKiom1gkMyrRLMw7AAHsaGPDzMg254.png "style=" float: none; "title=" 2.png "alt=" Wkiom1gkmyrrlmw7aahsagpdzmg254.png "/>

Mobile Access with AES-NI instruction set supports encryption and authentication using AES_128_GCM

650) this.width=650; "src=" Http://s2.51cto.com/wyfs02/M02/8A/04/wKioL1gkMyvSCcc2AAGh-PYmN1c126.png "style=" float: none; "title=" 3.png "alt=" Wkiol1gkmyvsccc2aagh-pymn1c126.png "/>

This article is from "Maple Night" blog, please be sure to keep this source http://fengwan.blog.51cto.com/508652/1871529

Patch OpenSSL enables it to support chach20_poly1305 encryption algorithms