Nginx 1.16 for CentOS with TLS 1.3 and HTTP/2 support

These packages provide stable Nginx release for CentOS enabled with TLS v1.3 and HTTP/2 support (TLS ALPN). This is implemented by statically linking OpenSSL 1.1.1 to Nginx binaries. In contrast to standard Nginx.org package repo provided Nginx binaries which are using shared system OpenSSL libraries with missing latest OpenSSL features.

Exove Nginx packages bundles with:

  • OpenSSL 1.1.1d (statically linked to Nginx binaries)
  • PCRE 8.43 library with JIT enabled
  • Performance optimizations like SSE2 optimizations from GCC 7.3 and TCP Fast Open

The bundled ngx_pagespeed module has source code hosted at https://github.com/pagespeed/ngx_pagespeed

Exove with their systems engineers are maintaining these RPM packages. You can tweet your questions to @istenrot.

Packages

Build is based on Nginx.org provided RPM packages thus configuration files are the same. Nginx sources and OpenSSL sources are GPG signature verified before build, so when you verify RPM packages Exove signature you can be sure that Nginx and OpenSSL are from official sources.

When you have exove-centos-release package installed and the included Yum repo enabled you'll get these packages:

 * nginx
   The Nginx web server stable release 1.16 with OpenSSL 1.1.1d.
   Latest release: nginx-1.16.1-3 (2019-09-10)

 * nginx-module-pagespeed
   ngx_pagespeed 1.13.35.2 using PSOL 1.13.35.2-x64 as a dynamic module.
   Latest release: nginx-module-pagespeed-1.16.1-3 (2019-09-10)

 * nginx-module-geoip2
   Nginx GeoIP2 dynamic module.
   Latest release: nginx-module-geoip2-1.16.1-3 (2019-09-10)

 * nginx-module-geoip
   Nginx GeoIP dynamic module.
   Latest release: nginx-module-geoip-1.16.1-3 (2019-09-10)

OpenSSL 1.1.1 benefits

TLS v1.3 support

TLS v1.3 is the latest version of Transport Layer Security protocol defined in RFC 8446. Read more about it from CloudFlare blog: https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/

IMPORTANT NOTE ABOUT BROWSER COMPATIBILITY!

TLS v1.3 final spec is implemented in Chrome release 70 and OpenSSL 1.1.1 is compatible with it. Previous Chrome versions use draft versions of TLS v1.3 spec and those are not compatible with OpenSSL 1.1.1.

Firefox release 63 is expected to implement the TLS v1.3 final spesification version.

ChaCha20-Poly1305 cipher suites

ChaCha20-Poly1305 cipher suites are faster on mobile CPUs that don't have build-in AES hardware acceleration. It's also faster on server CPUs. Therefore they're recommended over AES encryption algoritgms. Read more about ChaCha20-Poly1305 from CloudFlare blog: https://blog.cloudflare.com/it-takes-two-to-chacha-poly/

More safe ECC algorithms

ECDHE cipher suites use Elliptic-curve Cryptography (ECC) for secret key exchanges between servers and clients. ECDHE is preferred as older DHE key exchange is based on prime number generator based groups which are possibly vulnerable to various attack types.

But not all ECC curves are considered safe.

OpenSSL 1.1.1 supports X448 DH function. OpenSSL 1.1.1 and 1.1.0 support X25519 DH function for ECDHE ciper suites. X25519 is based on Curve25519 which is considered safe by many scientits. Read more about safe curves: https://safecurves.cr.yp.to/

Detailed features of the statically linked OpenSSL with this Nginx build

Cipher suites

To prefer TLS v1.3 cipher suites first, then ECDHE key exchange ciper suites, then ChaCha20-Poly1305 cipher suites, then smaller ECDSA certificates and lastly rest of the cipher suites with EC key echange use this cipher suite spesification on Nginx configuration:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers ALL+CHACHA20+aECDSA,ALL+AES+aECDSA,ALL+CHACHA20+kECDHE,ALL+AES+kECDHE,ALL+AES+kDHE!kRSA!aDSS!PSK!aNULL!eNULL;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/pki/tls/misc/dhparam-4096.pem;

Note! I personally don't think servers should enforce cipher suite preferences. Clients know themselves better which cipher suites are best for their spesific hardware and energy efficiency. Always limit the list of available cipher suites for clients to pick from to those that are all secure enough for your application.

This will produce following list of chiper suites in order of server preference:

# TLS v1.3 cipher suites
0x13,0x02 - TLS_AES_256_GCM_SHA384 - TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
0x13,0x03 - TLS_CHACHA20_POLY1305_SHA256 - TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
0x13,0x01 - TLS_AES_128_GCM_SHA256 - TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD

# ECDSA certificate cipher suites with ECDHE key exchange algorithms
0xCC,0xA9 - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
0xC0,0x2C - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
0xC0,0xAF - TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 - ECDHE-ECDSA-AES256-CCM8 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM8(256) Mac=AEAD
0xC0,0xAD - TLS_ECDHE_ECDSA_WITH_AES_256_CCM - ECDHE-ECDSA-AES256-CCM  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM(256) Mac=AEAD
0xC0,0x2B - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
0xC0,0xAE - TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 - ECDHE-ECDSA-AES128-CCM8 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM8(128) Mac=AEAD
0xC0,0xAC - TLS_ECDHE_ECDSA_WITH_AES_128_CCM - ECDHE-ECDSA-AES128-CCM  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM(128) Mac=AEAD
0xC0,0x24 - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 - ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
0xC0,0x23 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 - ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
0xC0,0x0A - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
0xC0,0x09 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1

# RSA certificate cipher suites with ECDHE key exchange algorithms
0xCC,0xA8 - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
0xC0,0x30 - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
0xC0,0x2F - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
0xC0,0x28 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
0xC0,0x27 - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
0xC0,0x14 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
0xC0,0x13 - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1

# The rest with DHE key exchange algorithm
0x00,0x9F - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
0xC0,0xA3 - TLS_DHE_RSA_WITH_AES_256_CCM_8 - DHE-RSA-AES256-CCM8     TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM8(256) Mac=AEAD
0xC0,0x9F - TLS_DHE_RSA_WITH_AES_256_CCM - DHE-RSA-AES256-CCM      TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM(256) Mac=AEAD
0x00,0x9E - TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
0xC0,0xA2 - TLS_DHE_RSA_WITH_AES_128_CCM_8 - DHE-RSA-AES128-CCM8     TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM8(128) Mac=AEAD
0xC0,0x9E - TLS_DHE_RSA_WITH_AES_128_CCM - DHE-RSA-AES128-CCM      TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM(128) Mac=AEAD
0x00,0x6B - TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
0x00,0x67 - TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
0x00,0x39 - TLS_DHE_RSA_WITH_AES_256_CBC_SHA - DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
0x00,0x33 - TLS_DHE_RSA_WITH_AES_128_CBC_SHA - DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1

An example dhparam file dhparam-4096.pem with known good MODP group from RFC 3526:

-----BEGIN DH PARAMETERS-----
MIICCAKCAgEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb
IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft
awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT
mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh
fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM
fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq
ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqSEI
ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O
+S6O/BQfvsqmKHxZR05rwF2ZspZPoJDDoiM7oYZRW+ftH2EpcM7i16+4G912IXBI
HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0BjGZ//////////8CAQI=
-----END DH PARAMETERS-----

List of supported named stadard ECC curves

In addition to X25519 and X448 DH functions for key exchange OpenSSL 1.1.1 supports these ECC curves:

# openssl ecparam -list_curves

secp112r1 : SECG/WTLS curve over a 112 bit prime field
secp112r2 : SECG curve over a 112 bit prime field
secp128r1 : SECG curve over a 128 bit prime field
secp128r2 : SECG curve over a 128 bit prime field
secp160k1 : SECG curve over a 160 bit prime field
secp160r1 : SECG curve over a 160 bit prime field
secp160r2 : SECG/WTLS curve over a 160 bit prime field
secp192k1 : SECG curve over a 192 bit prime field
secp224k1 : SECG curve over a 224 bit prime field
secp224r1 : NIST/SECG curve over a 224 bit prime field
secp256k1 : SECG curve over a 256 bit prime field
secp384r1 : NIST/SECG curve over a 384 bit prime field
secp521r1 : NIST/SECG curve over a 521 bit prime field
prime192v1: NIST/X9.62/SECG curve over a 192 bit prime field
prime192v2: X9.62 curve over a 192 bit prime field
prime192v3: X9.62 curve over a 192 bit prime field
prime239v1: X9.62 curve over a 239 bit prime field
prime239v2: X9.62 curve over a 239 bit prime field
prime239v3: X9.62 curve over a 239 bit prime field
prime256v1: X9.62/SECG curve over a 256 bit prime field
sect113r1 : SECG curve over a 113 bit binary field
sect113r2 : SECG curve over a 113 bit binary field
sect131r1 : SECG/WTLS curve over a 131 bit binary field
sect131r2 : SECG curve over a 131 bit binary field
sect163k1 : NIST/SECG/WTLS curve over a 163 bit binary field
sect163r1 : SECG curve over a 163 bit binary field
sect163r2 : NIST/SECG curve over a 163 bit binary field
sect193r1 : SECG curve over a 193 bit binary field
sect193r2 : SECG curve over a 193 bit binary field
sect233k1 : NIST/SECG/WTLS curve over a 233 bit binary field
sect233r1 : NIST/SECG/WTLS curve over a 233 bit binary field
sect239k1 : SECG curve over a 239 bit binary field
sect283k1 : NIST/SECG curve over a 283 bit binary field
sect283r1 : NIST/SECG curve over a 283 bit binary field
sect409k1 : NIST/SECG curve over a 409 bit binary field
sect409r1 : NIST/SECG curve over a 409 bit binary field
sect571k1 : NIST/SECG curve over a 571 bit binary field
sect571r1 : NIST/SECG curve over a 571 bit binary field
c2pnb163v1: X9.62 curve over a 163 bit binary field
c2pnb163v2: X9.62 curve over a 163 bit binary field
c2pnb163v3: X9.62 curve over a 163 bit binary field
c2pnb176v1: X9.62 curve over a 176 bit binary field
c2tnb191v1: X9.62 curve over a 191 bit binary field
c2tnb191v2: X9.62 curve over a 191 bit binary field
c2tnb191v3: X9.62 curve over a 191 bit binary field
c2pnb208w1: X9.62 curve over a 208 bit binary field
c2tnb239v1: X9.62 curve over a 239 bit binary field
c2tnb239v2: X9.62 curve over a 239 bit binary field
c2tnb239v3: X9.62 curve over a 239 bit binary field
c2pnb272w1: X9.62 curve over a 272 bit binary field
c2pnb304w1: X9.62 curve over a 304 bit binary field
c2tnb359v1: X9.62 curve over a 359 bit binary field
c2pnb368w1: X9.62 curve over a 368 bit binary field
c2tnb431r1: X9.62 curve over a 431 bit binary field
wap-wsg-idm-ecid-wtls1: WTLS curve over a 113 bit binary field
wap-wsg-idm-ecid-wtls3: NIST/SECG/WTLS curve over a 163 bit binary field
wap-wsg-idm-ecid-wtls4: SECG curve over a 113 bit binary field
wap-wsg-idm-ecid-wtls5: X9.62 curve over a 163 bit binary field
wap-wsg-idm-ecid-wtls6: SECG/WTLS curve over a 112 bit prime field
wap-wsg-idm-ecid-wtls7: SECG/WTLS curve over a 160 bit prime field
wap-wsg-idm-ecid-wtls8: WTLS curve over a 112 bit prime field
wap-wsg-idm-ecid-wtls9: WTLS curve over a 160 bit prime field
wap-wsg-idm-ecid-wtls10: NIST/SECG/WTLS curve over a 233 bit binary field
wap-wsg-idm-ecid-wtls11: NIST/SECG/WTLS curve over a 233 bit binary field
wap-wsg-idm-ecid-wtls12: WTLS curve over a 224 bit prime field
Oakley-EC2N-3: 
      IPSec/IKE/Oakley curve #3 over a 155 bit binary field.
      Not suitable for ECDSA.
      Questionable extension field!
Oakley-EC2N-4: 
      IPSec/IKE/Oakley curve #4 over a 185 bit binary field.
      Not suitable for ECDSA.
      Questionable extension field!
brainpoolP160r1: RFC 5639 curve over a 160 bit prime field
brainpoolP160t1: RFC 5639 curve over a 160 bit prime field
brainpoolP192r1: RFC 5639 curve over a 192 bit prime field
brainpoolP192t1: RFC 5639 curve over a 192 bit prime field
brainpoolP224r1: RFC 5639 curve over a 224 bit prime field
brainpoolP224t1: RFC 5639 curve over a 224 bit prime field
brainpoolP256r1: RFC 5639 curve over a 256 bit prime field
brainpoolP256t1: RFC 5639 curve over a 256 bit prime field
brainpoolP320r1: RFC 5639 curve over a 320 bit prime field
brainpoolP320t1: RFC 5639 curve over a 320 bit prime field
brainpoolP384r1: RFC 5639 curve over a 384 bit prime field
brainpoolP384t1: RFC 5639 curve over a 384 bit prime field
brainpoolP512r1: RFC 5639 curve over a 512 bit prime field
brainpoolP512t1: RFC 5639 curve over a 512 bit prime field
SM2       : SM2 curve over a 256 bit prime field

Other OpenSSSL 1.1.1 new features

You can read more about OpenSSL 1.1.1 release new features from this blog post: https://www.openssl.org/blog/blog/2018/09/11/release111/