cloudflare / sslconfig

Cloudflare's Internet facing SSL configuration
BSD 3-Clause "New" or "Revised" License

ChaCha20 patch failed test in OpenSSL 1.0.2j #50

Closed mys721tx closed 7 years ago

mys721tx commented 7 years ago

I use this PKGBUILD to build the patched openssl-1.0.2j on an Arch Linux box and run into the error below. The complete logs are in this gist.

...
Testing DHE-RSA-CHACHA20-POLY1305
Available compression methods:
  NONE
ERROR in CLIENT
140699663293144:error:140740B5:SSL routines:SSL23_CLIENT_HELLO:no ciphers available:s23_clnt.c:508:
TLSv1.2, cipher (NONE) (NONE)
1 handshakes of 256 bytes done
Failed DHE-RSA-CHACHA20-POLY1305
make[1]: *** [Makefile:307: test_ssl] Error 1
make[1]: Leaving directory '/home/mys_721tx/openssl-chacha20/src/openssl-1.0.2j/test'
make: *** [Makefile:465: tests] Error 2

zxcvbn4038 commented 7 years ago

Confirmed, under this patch the ChaCha20 ciphers aren't being made available.

vkrasnov commented 7 years ago

Try now

zxcvbn4038 commented 7 years ago

No go for me, I'm not seeing the server offer any of the ChaCha20 ciphers, and yes they are on the list and I did restart the server after recompiling openssl + cloudflare patch.

mys721tx commented 7 years ago

2c72c7f works for me.

vkrasnov commented 7 years ago

@zxcvbn4038, did you try with commit 2c72c7fb235f66d01b7f0a1c3613f01935a4dd20? If not, please try again.

zxcvbn4038 commented 7 years ago

I'm pretty sure I did but I'm going to go through the steps again, I'll write back in a bit.

zxcvbn4038 commented 7 years ago

Ah ha! I did miss a step last night and can confirm that chacha20 is being offered. I'll proceed with my testing and open a new issue if I still have issues negotiating connections with browsers. Thanks @vkrasnov!

vkrasnov commented 7 years ago

Cool! You're welcome @zxcvbn4038.