According to openssl.org, the OpenSSL 1.1.0 branch no longer receives any updates as of September 11, 2019; users should upgrade to the 1.1.1 branch.
This patch is archived from now on.
It makes the CHACHA20-POLY1305 ciphersuites the first option for devices without AES instruction sets, based on the client's SSL cipher preference order: the server picks a CHACHA20-POLY1305 suite when the client lists one first.
```sh
cd ~
curl -O https://www.openssl.org/source/openssl-1.1.0h.tar.gz
curl https://www.openssl.org/source/openssl-1.1.0h.tar.gz.sha256
sha256sum openssl-1.1.0h.tar.gz
## Compare the two digests to check the integrity of the source tarball.
tar -zxvf openssl-1.1.0h.tar.gz
cd openssl-1.1.0h/
## Assumes the patch file is in your home directory (~).
patch -p1 < ../chacha_priority.patch
## Install into a separate prefix so the system OpenSSL is not overwritten,
## which could lead to unexpected results.
./config --prefix={install_path} --openssldir=/etc/ssl -Wl,-rpath,{install_path}/lib
make -j
make install
```
- Recompile other applications that depend on OpenSSL 1.1.0 with `LDFLAGS="-Wl,-rpath,{install_path}/lib"` so they use the libraries you just built.
- Use the OpenSSL configuration command `Options` with the value `+PrioritizeChaCha` to enable this feature.
- Do NOT put a CHACHA ciphersuite first in the server list: that makes ChaCha ALWAYS the first choice, for every client, regardless of the option.
Example configuration for Apache 2.4:

```apache
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384
SSLProtocol -All +TLSv1.2
SSLOpenSSLConfCmd Options +PrioritizeChaCha
```
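To make the effect of the option concrete, here is an added Python model of the selection rule (not OpenSSL's or this patch's code). It assumes server-preference ordering and uses constructed client lists: a phone without AES acceleration that advertises ChaCha first, and a desktop with AES-NI that advertises AES first. It also shows why the "ChaCha first" server order above is discouraged.

```python
# Added example: a model of server cipher selection with and without
# PrioritizeChaCha. Not OpenSSL's code; it mirrors the rule that the client's
# first-listed suite decides whether the server's ChaCha20 suites jump the queue.

def is_chacha(suite):
    return "CHACHA20" in suite

def choose_cipher(server_prefs, client_offer, prioritize_chacha=False):
    """Server-preference selection. With prioritize_chacha, if the client's top
    choice is a ChaCha20 suite, the server's own ChaCha20 suites are moved to the
    front of its list before the normal walk. Returns None if nothing overlaps."""
    prefs = list(server_prefs)
    if prioritize_chacha and client_offer and is_chacha(client_offer[0]):
        prefs = [s for s in prefs if is_chacha(s)] + [s for s in prefs if not is_chacha(s)]
    offered = set(client_offer)
    return next((s for s in prefs if s in offered), None)

# Server order from the Apache example: AES-128-GCM first, ChaCha second.
RECOMMENDED = ["ECDHE-RSA-AES128-GCM-SHA256",
               "ECDHE-RSA-CHACHA20-POLY1305",
               "ECDHE-RSA-AES256-GCM-SHA384"]
# The discouraged order: ChaCha placed first.
CHACHA_FIRST = ["ECDHE-RSA-CHACHA20-POLY1305",
                "ECDHE-RSA-AES128-GCM-SHA256",
                "ECDHE-RSA-AES256-GCM-SHA384"]

# Constructed client offers (not captured traffic).
PHONE = ["ECDHE-RSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256",
         "ECDHE-RSA-AES256-GCM-SHA384"]
DESKTOP = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
           "ECDHE-RSA-CHACHA20-POLY1305"]

def negotiate_all():
    """Return {(server_order, client, prioritize_chacha): chosen_suite}."""
    results = {}
    for srv_name, srv in (("recommended", RECOMMENDED), ("chacha_first", CHACHA_FIRST)):
        for cli_name, cli in (("phone", PHONE), ("desktop", DESKTOP)):
            for opt in (False, True):
                results[(srv_name, cli_name, opt)] = choose_cipher(srv, cli, opt)
    return results

if __name__ == "__main__":
    for key, suite in negotiate_all().items():
        print(key, "->", suite)
```

With the recommended order the phone only gets ChaCha when the option is on and the desktop always gets AES; with ChaCha first every client gets ChaCha whether the option is set or not.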
- OpenSSL source of versions 1.1.0g and 1.1.1-pre4
- https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd_value_type.html
- https://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslopensslconfcmd