Enable CHACHA20-Draft Version in Openssl 1.1.0 and later

[Jemmy1228]

The Cloudflare patch can enable Both CHACHA20-RFC(0xcca8-0xccaa) ciphers and CHACH20-Draft(0xcc13-0xcc15) ciphers in Openssl 1.0.2f-j
I tried to make the Cloudflare patch compatible with Openssl-1.1.1-pre9 by myself, by adding the CHACHA-Draft back to it, but I met a lot of difficulties and caused many errors.
Can you please make such a patch that enable both the RFC and Draft CHACHA20 ciphers in Openssl 1.1.0
I think it would be very useful for everyone

[hakasenyang]

I think it's useful, but the draft version is obsolete.
As of 1.1.0, chacha20 supports the rfc version, not the draft version.

1.0.2 and 1.1.1 have a lot of differences, which makes it difficult to patch.

I will try, but I do not know if it is possible.

P.S. Google(google.com, etc.) has already removed OLD CHACHA from SSL Cipher.

Sorry my poor english.

[Jemmy1228]

Though draft version ciphers are obsolete, they are still secure.
As far as I know, Cloudflare is still using Draft version ciphers to perform handshake with Android 6 devices.
No matter is it possible or not, thank you very much. And I've learnt a lot from your patches.
p.s. I'm not a English speaker as well! :)

[hamjin]

Also, old device with old Android(like 5.0 and 6.0) can only use chacha20-draft

[hakasenyang]

I tried to support the CHACHA draft and the CHACHA draft handshake succeeded, but subsequent encryption and decryption failed.

It's too hard. :(

It is recommended to use AES because AES also guarantees sufficient safety... :-)

[hamjin]

You can see boringssl branch 2987 (git clone -b 2987 https://github.com/google/boringssl )and clousflare's patch(https://github.com/cloudflare/sslconfig/ )

[hamjin]

But you need to know that cloudflare's patc use AVX/AVX2 and SSE4 that could not work on some server(like Raspberry Pi, old Intel/AMD Proccers and ALL OF ARM DEVICES)
EDIT:Now I tested the pure C code in the patch and it is ok for all devices with a super fast speed

[hakasenyang]

I have searched for related materials, but for me, assembly is too difficult.

I am currently consulting documentation on encryption and decryption after handshaking.

[hamjin]

Thank you!

[hamjin]

Encryption and decryption after handshaking is more difficult than handshake... You can read the code in BoringSSL branch 2987, it's a good example that it has both RFC version and Draft version.

[Jemmy1228]

The documentation of Chacha-Draft is here
https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-04

And the documentation of ChaCha-RFC version is here
https://tools.ietf.org/html/rfc7905

There isn't much difference between these two I think...
I've found a page that tells the differences here
https://blog.cloudflare.com/it-takes-two-to-chacha-poly/

I tried to rewrite the code with these documentations, but I can't even compile it successfully!

[hamjin]

The draft version is for old servers which have no SSE codes and AVX codes, that makes the code running almost all the devices

[ymshenyu]

maybe chrome or firefox on android 6 could use rfc chacha20 , and chrome support tls 1.3 draft28 now. @hakasenyang is that mean we dont need draft 23 anymore?

[hamjin]

@ymshenyu No, we need to make Internet safer and TLS1.3 draft23 26 28 is enough safe, so we needn't delete draft 23 support

[ymshenyu]

@railjty ok , actually draft 23 and 28 are draft standard so they are both safe i think , and android chrome still using draft 23 . android chrome did not release version 68 yet

[hakasenyang]

I tried to try it all the time, but it is very difficult.
I'm sorry. I think it is probably hard to solve.

[Jemmy1228]

That's all right...you needn't say sorry at all. It is really a difficult thing. I'm sorry that this issue maybe cost you a lot of time :( . Thank you anyway!

[ymshenyu]

tls 1.3 standard version came out https://www.rfc-editor.org/rfc/rfc8446.txt

[ymshenyu]

openssl 1.1.1 pre9 dev update code https://github.com/openssl/openssl/commit/35e742ecac9239539db016e1282b4cbdf501509c

[hakasenyang]

@ymshenyu Yes. I already responded to the patch.

https://github.com/hakasenyang/openssl-patch/blob/master/openssl-equal-pre9_ciphers.patch

[Jemmy1228]

@hakasenyang I faced a problem with your new patch, but I don't want to start a new issue...
I upgraded my openssl and used your patch again, however this time my server cannot even establish tls1.3 handshake?
openssl s_client -connect localhost:443 -servername breakwall.ml -tls1_3
this is the command I used to try tls1.3 handshake, however openssl responded

CONNECTED(00000005)
140621557682624:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1528:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 249 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

And nginx logged
2018/08/18 09:28:37 [crit] 22523#22523: *3 SSL_do_handshake() failed (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking,

I tried the newest version and the exact version of openssl you said which is compatible (https://github.com/openssl/openssl/tree/2805ee1e095a78f596dc7adf778441e2edb9f15c)
Neither with or without "_ciphers" patch support any version of tls1.3

I wonder why...
(If you want to connect to my server, you have to use SNI...)

And if I don't use any patch, s_client still cannnot establish tls1.3 handshake
I have no idea that can original nginx and original openssl support tls1.3 if I don't use any patch?

[hakasenyang]

Hello, @JemmyLoveJenny

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered
 TLS 1.1    offered
 TLS 1.2    offered (OK)
 TLS 1.3    not offered
 NPN/SPDY   h2, spdy/3.1, http/1.1 (advertised)
 ALPN/HTTP2 h2, spdy/3.1, http/1.1 (offered)

Your server has not been enabled for TLS 1.3.
Please check your nginx settings and the openssl version again.

Use nginx -V

Example)

# nginx -V
nginx version: nginx/1.15.3
built by gcc 8.1.0 (GCC)
built with OpenSSL 1.1.1-pre9-dev  xx XXX xxxx
TLS SNI support enabled

[ymshenyu]

BoringSSL with Nginx trunk can use 0-rtt now . but i dont like BoringSSL because it didnt support ocsp stapling by default . and i dont want to use it patch to turn it on .

[Jemmy1228]

@hakasenyang I'm sure that I enabled TLS1.3

        # SSL Settings
        ##
        #
        #Protocols
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
        #
        #Key Exchange
        ssl_ecdh_curve X25519:P-256:P-384:P-224:P-521;
        ssl_dhparam /var/SSL/DH-param.pem;
        #
        #Cipher Suites
        ssl_ciphers "[TLS_AES_128_GCM_SHA256|TLS_CHACHA20_POLY1305_SHA256]:[TLS_AES_256_GCM_SHA384|TLS_AES_128_CCM_8_SHA256|TLS_AES_128_CCM_SHA256]:[ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256|DHE-RSA-CHACHA20-POLY1305]:[ECDHE-ECDSA-AES256-GCM-SHA384|ECDHE-RSA-AES256-GCM-SHA384]:[ECDHE-ECDSA-AES128-SHA|ECDHE-RSA-AES128-SHA]:[ECDHE-ECDSA-AES256-SHA|ECDHE-RSA-AES256-SHA]:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA";
        ssl_prefer_server_ciphers on;
        #

and my nginx

nginx version: nginx/1.15.0
built by gcc 7.3.0 (Ubuntu 7.3.0-16ubuntu3)
built with OpenSSL 1.1.1-pre9-dev  xx XXX xxxx
TLS SNI support enabled

and I set some options of openssl when compiling nginx

--with-openssl=../openssl \
--with-openssl-opt='enable-weak-ssl-ciphers no-comp enable-egd threads' \

[ymshenyu]

@JemmyLoveJenny maybe nginx version ? my server still use pre8 . i am not sure

[Jemmy1228]

@ymshenyu my configuration works well when I was using openssl-pre9 with tls1.3 28

[ymshenyu]

@JemmyLoveJenny well , reconfigure openssl without patch ?

[Jemmy1228]

@ymshenyu I tried reconfigure without patch, but still can't establish tls1.3 handshake. But I don't think original openssl with nginx support tls 1.3

[hakasenyang]

@JemmyLoveJenny Could you test the openssl build with this version?
https://git.hakase.app/Hakase/openssl-custom

[Jemmy1228]

@hakasenyang Wait a minute, I will try...

[hakasenyang]

@JemmyLoveJenny View stackoverflow.

1. One indirect function call is more expensive than one if condition.

2. Several if conditions are more expensive than an indirect function call.

3. Worrying about speed at this point is pointless:
   You are waiting on the latency of the user, and you are handling stuff he can look at (i. e. there won't be huge amounts of checkboxes). Optimizing code that is executed less than a million times per second on a detailed level like this is absolutely pointless.

Speed is very important, but not very serious... maybe.... 🤔

[Jemmy1228]

@hakasenyang Now I see... ThankU :D

[ymshenyu]

@JemmyLoveJenny 如果你是个优化狂魔 把你所有的软件都用上jemalloc

[kn007]

@ymshenyu 并不是任意软件都可以用jemalloc。

[ymshenyu]

虽然只是个内存管理 我

[ymshenyu]

我只编译在了nginx和mariadb

[ymshenyu]

@kn007 我见过国内dcc这个博主把jemalloc用在了openssl上 XD

[kn007]

这个是可以啊，我也是啊。。why not？
但像php 5这种是不行的，会segfault，7我没试过了，暂时不确认。
所以并不是说任意都可以

[ymshenyu]

@kn007 这样的加密库也要丢个内存管理 你们博主真的是优化狂魔

[hakasenyang]

Cloudflare:

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (RFC)
-----------------------------------------------------------------------------------------------------------------------------
SSLv2
SSLv3
TLS 1
 xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA
 xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA
 x0a     DES-CBC3-SHA                      RSA        3DES        168      TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS 1.1
 xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA
 xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA
TLS 1.2
 xcc14   ECDHE-ECDSA-CHACHA20-POLY1305-OLD ECDH 256   ChaCha20    256      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD
 xcc13   ECDHE-RSA-CHACHA20-POLY1305-OLD   ECDH 256   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 256   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH 256   AESGCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 xc028   ECDHE-RSA-AES256-SHA384           ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 xc024   ECDHE-ECDSA-AES256-SHA384         ECDH 256   AES         256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
 xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 xc00a   ECDHE-ECDSA-AES256-SHA            ECDH 256   AES         256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
 xcca9   ECDHE-ECDSA-CHACHA20-POLY1305     ECDH 253   ChaCha20    256      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
 xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 253   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 x9d     AES256-GCM-SHA384                 RSA        AESGCM      256      TLS_RSA_WITH_AES_256_GCM_SHA384
 x3d     AES256-SHA256                     RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA256
 x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA
 xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 256   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 xc02b   ECDHE-ECDSA-AES128-GCM-SHA256     ECDH 256   AESGCM      128      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 xc027   ECDHE-RSA-AES128-SHA256           ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 xc023   ECDHE-ECDSA-AES128-SHA256         ECDH 256   AES         128      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
 xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 xc009   ECDHE-ECDSA-AES128-SHA            ECDH 256   AES         128      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
 x9c     AES128-GCM-SHA256                 RSA        AESGCM      128      TLS_RSA_WITH_AES_128_GCM_SHA256
 x3c     AES128-SHA256                     RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA256
 x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA
TLS 1.3
 x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384
 x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256
 x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256

My Server:

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (RFC)
-----------------------------------------------------------------------------------------------------------------------------
SSLv2
SSLv3
TLS 1
 xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 xc00a   ECDHE-ECDSA-AES256-SHA            ECDH 256   AES         256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
 x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA
 xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 xc009   ECDHE-ECDSA-AES128-SHA            ECDH 256   AES         128      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
 x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA
 x0a     DES-CBC3-SHA                      RSA        3DES        168      TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS 1.1
 xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 xc00a   ECDHE-ECDSA-AES256-SHA            ECDH 256   AES         256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
 xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 xc009   ECDHE-ECDSA-AES128-SHA            ECDH 256   AES         128      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS 1.2
 xcc14   ECDHE-ECDSA-CHACHA20-POLY1305-OLD ECDH 256   ChaCha20    256      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD
 xcc13   ECDHE-RSA-CHACHA20-POLY1305-OLD   ECDH 256   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 256   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH 256   AESGCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 xc00a   ECDHE-ECDSA-AES256-SHA            ECDH 256   AES         256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
 xcca9   ECDHE-ECDSA-CHACHA20-POLY1305     ECDH 253   ChaCha20    256      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
 xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 253   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 256   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 xc02b   ECDHE-ECDSA-AES128-GCM-SHA256     ECDH 256   AESGCM      128      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 xc009   ECDHE-ECDSA-AES128-SHA            ECDH 256   AES         128      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS 1.3
 x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384
 x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256
 x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256

😄 😄 😄 😄 😄 😄 😄 😄 😄 😄 😄 😄 😄 😄 😄 😄 😄 😄 😄 😄 😄 😄 😄 😄 😄

[Jemmy1228]

@hakasenyang Great 👍

[kn007]

@hakasenyang openssl-1.1.1-chacha_draft.patch , test pass!

@JemmyLoveJenny 看来我们可以close这个issue了。

[Jemmy1228]

And what is this tool?

[hakasenyang]

You can download this site.

It is a tool called testssl.sh.

Example) https://ssl.hakase.io/ssltest/hakase.io.html

I used the -E argument.

[ymshenyu]

testssl.sh i guess

[Jemmy1228]

@hakasenyang Thankyou
@ymshenyu You guessed right! 😂

[ymshenyu]

@kn007 你可以更新的10月4号的博客文章了

[Jemmy1228]

@hakasenyang And finally, we can close the issue now 👍

[hakasenyang]

👍

There were so many comments. 😄

[Jemmy1228]

Ahhhh :D

[kn007]

@hakasenyang Sorry about that...

[hakasenyang]

@kn007 I'm fine. I welcome any comments. 😃

[Jemmy1228]

@hakasenyang Do you have any idea about how to make this patch compatiable with newer versions of OpenSSL?
The number 1195 needs to be changed if OpenSSL dev team make commits to files in object/obj_*

[Jemmy1228]

You can find the number 1195 in the patch.
Not only 1195, many numbers must be changed xD

[hakasenyang]

Unfortunately, I do not know how to do it. 😭
If the patch fails, a .rej file is generated. You should refer to the .rej file and modify it again.

[EverybodyGetsHurt]

@hakasenyang @Jemmy1228

I've updated @Jemmy1228's patch to work with OpenSSL-1.1.1u and modified the code to also pass the make test command.

https://github.com/EverybodyGetsHurt/OpenSSL-1.1.1u_chacha20-poly1305_draft/blob/main/OpenSSL-1.1.1u_chacha20-poly1305_draft.patch

[EverybodyGetsHurt]

Here is the OpenSSL-3.2.0-dev (latest as of now):
https://github.com/EverybodyGetsHurt/OpenSSL-3.2.0-dev-OpenSSL-1.1.1u-chacha20-poly1305_draft/blob/master/OpenSSL-3.2.0-dev_chacha20-poly1305_draft.patch