This article describes some practical experience with using Nginx together with LibreSSL.
Software versions used in this article:
- Nginx 1.6.0
- LibreSSL 2.0.0
Installation
LibreSSL was compiled directly from source. The build output is very concise, the source tree ships with test cases, and parallel builds are supported (see appendix).
# Options for building and installing LibreSSL
$ ./configure --prefix=/usr LDFLAGS=-lrt && make check && sudo make install
The newly installed LibreSSL can be used in the same way as OpenSSL, but be aware that, as Sabotage Linux's Spencerjohn and Gentoo's Hanno Böck have found, completely replacing the operating system's OpenSSL with LibreSSL can be a hassle. [3,4]
LibreSSL reports its version as LibreSSL 2.0, and the openssl command is used exactly as with OpenSSL:
$ which openssl
/usr/bin/openssl
$ openssl version
LibreSSL 2.0
$ openssl s_client -host www.openssl.org -port 443
CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=GB/OU=Domain Control Validated/CN=*.openssl.org
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2
 1 s:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
 2 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
... skip
-----END CERTIFICATE-----
subject=/C=GB/OU=Domain Control Validated/CN=*.openssl.org
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2
---
No client certificate CA names sent
---
SSL handshake has read 4136 bytes and written 707 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
Having confirmed that LibreSSL works, the next step was to make nginx use it. On old systems that still ship OpenSSL 0.9.x, I normally build nginx with a statically linked OpenSSL so that the latest and best TLS version is available. The first attempt, simply passing ./configure --with-openssl=/path/to/libressl, failed, because nginx's build is tightly coupled to OpenSSL's build process:
- It expects a script named ./config instead of ./configure (easy to solve)
- OpenSSL collects the object files and libraries under .openssl/lib for linking into the nginx binary, whereas LibreSSL stores them separately in crypto/.libs and ssl/.libs.
I tried to work around this by manually creating the .openssl/lib directory hierarchy and copying the files there. LibreSSL itself built successfully, but linking nginx then failed with the error shown below. I had seen a similar error when compiling LibreSSL, where passing LDFLAGS=-lrt fixed it, but that did not help when linking nginx against the statically built LibreSSL libraries (so I kept going):
...
objs/addon/nginx-upstream-fair/ngx_http_upstream_fair_module.o \
objs/addon/src/ngx_http_headers_more_filter_module.o \
objs/addon/src/ngx_http_headers_more_headers_out.o \
objs/addon/src/ngx_http_headers_more_headers_in.o \
objs/addon/src/ngx_http_headers_more_util.o \
objs/addon/src/ngx_http_encrypted_session_module.o \
objs/addon/src/ngx_http_encrypted_session_cipher.o \
objs/ngx_modules.o \
-Wl,-E -lpthread -lcrypt -L/usr/lib -lm -llua5.1 -lpcre /data/builds/froggstack/nginx_modules/openssl/.openssl/lib/libssl.a /data/builds/froggstack/nginx_modules/openssl/.openssl/lib/libcrypto.a -ldl -lz
/data/builds/froggstack/nginx_modules/openssl/.openssl/lib/libcrypto.a(libcompat_la-getentropy_linux.o): In function `getentropy_fallback':
/data/builds/froggstack/nginx_modules/openssl/crypto/compat/getentropy_linux.c:324: undefined reference to `clock_gettime'
/data/builds/froggstack/nginx_modules/openssl/crypto/compat/getentropy_linux.c:395: undefined reference to `clock_gettime'
collect2: error: ld returned 1 exit status
make[1]: *** [objs/nginx] Error 1
make[1]: Leaving directory `/data/builds/froggstack/src_nginx/nginx-1.6.0'
make: *** [build] Error 2
The next attempt was to build nginx against a dynamically linked LibreSSL (see the appendix for the complete nginx ./configure options). nginx-libressl -t passed, so I replaced /usr/bin/nginx with the new binary and ran /etc/init.d/nginx restart, putting nginx + LibreSSL live. No configuration files or nginx SSL settings had to be modified. Very nice!
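The two checks the article relies on, "which TLS library does this binary report" (the openssl version step above) and "does the new nginx pass -t before it replaces the live one", are worth scripting so the swap can roll back if the restart fails. The script below is an added example and not the article's own tooling; the build output path NEW_BIN, the backup file name and the use of the "built with ..." line that newer nginx prints for nginx -V are assumptions. The text-parsing functions take captured output as a string, so they can be exercised without nginx installed.

```shell
#!/bin/sh
# Added example (not from the original article): swap /usr/bin/nginx for a
# LibreSSL-linked build, but only after the new binary passes its config test
# and actually reports LibreSSL, and roll back if the restart fails.
set -eu

NGINX_BIN=${NGINX_BIN:-/usr/bin/nginx}          # live binary (path from the article)
INIT_SCRIPT=${INIT_SCRIPT:-/etc/init.d/nginx}   # init script (from the article)
NEW_BIN=${NEW_BIN:-/usr/local/src/nginx-libressl/objs/nginx}  # ASSUMED build output
BACKUP="$NGINX_BIN.openssl.bak"                  # ASSUMED backup file name

# Print "<library> <version>" from captured "openssl version" or "nginx -V"
# output, e.g. "LibreSSL 2.0" or "OpenSSL 1.0.1h"; print nothing if absent.
# Scans for a token ending in "SSL" followed by a token starting with a digit,
# so it works on both "LibreSSL 2.0" and "built with OpenSSL 1.0.1h 5 Jun 2014".
tls_lib_of() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i ~ /SSL$/ && $(i + 1) ~ /^[0-9]/) { print $i, $(i + 1); exit }
    }'
}

# Return 0 when the first reported library is LibreSSL. Only the first match
# counts: a binary compiled against OpenSSL headers but running with a
# LibreSSL .so would still report "built with OpenSSL ..." first.
is_libressl() {
    case "$(tls_lib_of "$1")" in
        LibreSSL*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Dry-run the new binary against the live configuration (the article's
# "nginx-libressl -t" step) and confirm it is the LibreSSL build.
preflight() {
    "$NEW_BIN" -t
    v=$("$NEW_BIN" -V 2>&1)
    if ! is_libressl "$v"; then
        echo "new binary reports '$(tls_lib_of "$v")', not LibreSSL; aborting" >&2
        return 1
    fi
}

# Keep a copy of the OpenSSL build, install the new one with an atomic rename
# on the same filesystem, restart, and restore the old binary if that fails.
swap_and_restart() {
    cp -p "$NGINX_BIN" "$BACKUP"
    cp -p "$NEW_BIN" "$NGINX_BIN.new"
    mv -f "$NGINX_BIN.new" "$NGINX_BIN"
    if ! "$INIT_SCRIPT" restart; then
        echo "restart failed, rolling back to $BACKUP" >&2
        mv -f "$BACKUP" "$NGINX_BIN"
        "$INIT_SCRIPT" restart
        return 1
    fi
}

# Side-effecting steps run only when invoked as: sh swap-nginx.sh run
if [ "${1:-}" = run ]; then
    preflight
    swap_and_restart
    echo "now running: $(tls_lib_of "$("$NGINX_BIN" -V 2>&1)")"
fi
```

Run it as `sh swap-nginx.sh run` on the host after the dynamic-link build has finished; without the `run` argument it only defines the functions, which is how it can be sourced for the string checks alone.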
Test
Anyone interested in testing can visit www.mare-system.de, which has been running on LibreSSL since 2014-07-12. If you find any incompatibility problems, please let me know at security@mare-system.de.
Testing with a variety of Linux and Android browsers turned up no problems, not even with the console browser w3m on a long-forgotten, outdated Debian 5 box that still ships OpenSSL 0.9.8g (19 Oct 2007).
The ssllabs.com test scores an A+, the same as with the previous configuration; the only note after switching to LibreSSL is that the ChaCha20-Poly1305 cipher is still flagged as experimental.
A small performance test showed no major difference: LibreSSL was about 4% slower on average. The reason may be that OpenSSL was statically linked into nginx while LibreSSL was linked dynamically, which adds some overhead.
The raw test results:
| Parallel requests | OpenSSL (requests/s) | LibreSSL (requests/s) |
|                10 |              2341.75 |                2260.5 |
|                20 |              2459.75 |               2418.25 |
|                30 |              2472    |               2397    |
|                40 |              2485    |               2384.5  |
|                50 |              2445    |               2382.25 |
|                60 |              2453.25 |               2390.75 |
|                70 |              2426.25 |               2347.25 |
|                80 |              2346.5  |               2227.5  |
|                90 |              2325.5  |               2211    |
|               100 |              2297.75 |               2318.25 |
Details of the performance test method can be found in the appendix.
Conclusions
This approach is feasible.
Although replacing OpenSSL with LibreSSL is not recommended at this stage, I just wanted to test its viability, and the results show that it works. In my tests there were no functional or performance problems, and once you have found the right way to build it, nginx + LibreSSL is easy. In my opinion, the long-term benefits of LibreSSL are:
- Clean code
- Fewer vulnerabilities
- More people involved
While writing this article I received notice of a new LibreSSL release, which fixes some newly found problems. So going back to OpenSSL would be a little irrational:
Well done, LibreSSL team, and thanks again.