What's new

Experimental BcraFFY (OpenSSL 1.1.x) builds

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Wow. This is a very nice surprise!

@kvic How can we use this with pixelserv-tls? (Can we now use the dynamic version, or will that favour the Entware version of OpenSSL?)

I will try tonight whether I can finally use the enhanced functionality of unbound.

Unbound would have to be recompiled against 1.1.x to make use of it. 1.1.1 is not a drop-in replacement, it's added in parallel to 1.0.2.
 
Unbound would have to be recompiled against 1.1.x to make use of it. 1.1.1 is not a drop-in replacement, it's added in parallel to 1.0.2.
Hm. That makes it more challenging... How would I do this? Since Entware still uses 1.0.2?

The same is true for pixelserv-tls? (I guess the dynamic version currently links to 1.0.2 and the static one includes its own 1.1.x?)
 
Hm. That makes it more challenging... How would I do this? Since Entware still uses 1.0.2?

You'd have to compile your own Unbound version from sources.

The same is true for pixelserv-tls?

Yes. Anything that wanted to use the new 1.1.1 libraries would have to be recompiled, and explicitly linked against the 1.1.1 libraries from these test builds.
 
any pro can make stubby to work with it.
Arm7
 
Yes. Anything that wanted to use the new 1.1.1 libraries would have to be recompiled, and explicitly linked against the 1.1.1 libraries from these test builds.
That's what I thought, but I should have been more explicit in my question: how do I link against those 1.1.1 libraries?

(I'm pretty new to this, but like to learn)

Do I need to build the entire firmware (I'll check the Wiki on how to do that), or is there a shortcut to only build OpenSLL and then unbound?

EDIT: What branch/tag/commit do we need to build?
 
Last edited:
Good read!

My comparison.

Rekeying takes 1 sec, maybe less but can’t see in tenth of seconds.

Client 1, VPN Speed 389.9 VS 389.10 difference more or less at 11Mbps. Server load sould be arround the same but cant be sure.
Capture speed 384.9 vs 384.10.gif


Memory: 389.9 at 342MB Free 170MB
Memory: 389.10 at 349MB Free 163MB

Webui over HTTPS is working fine. Asus mobile application is working fine.

In my case SLL 1.1.1a is slightly more demanding but isn’t a problem for me.
 
Last edited:
Hi.
After update my AC66 to this last build i cannot get to work FTP server.
I downgrade to offical build without erease configs, and it works again.

Code:
FTP_Server: daemon is stopped

Any help?
 
Hi.
After update my AC66 to this last build i cannot get to work FTP server.
I downgrade to offical build without erease configs, and it works again.

Code:
FTP_Server: daemon is stopped

Any help?

Did you do a full reset to factory defaults? Did you use a saved config file or did you do a minimal and manual installation?

https://www.snbforums.com/threads/n...l-and-manual-configuration.27115/#post-205573

If you did not do those things; you will likely be chasing your tail for the bugs you're self-inflicting on yourself. :)
 
Installed 384.10 test build over 384.9 then factory reset and manually input settings

Vpn speed is 86 mb download & 5 mb upload / No Change

Memory 71% / No Change

Asus apps work


Sent from my iPad using Tapatalk
 
That's what I thought, but I should have been more explicit in my question: how do I link against those 1.1.1 libraries?

(I'm pretty new to this, but like to learn)

Do I need to build the entire firmware (I'll check the Wiki on how to do that), or is there a shortcut to only build OpenSLL and then unbound?

EDIT: What branch/tag/commit do we need to build?

It's quite technical, not something I would recommend if you have never cross-compiled anything before. You will need to add OpenSSL 1.1.x to your code tree, and point your stubby build recipes at that directory instead of the current 1.0.2 one.


The OpenSSL 1.1.1 code is not on my public repo yet. It's currently on a private repo, so I can test various things / rewrite previous commits as I progress. It will get merged to the public repo if/when I decide to officially integrate it and I am done cleaning up all those commits.

I can share my current build recipes for people willing to experiment, but you're really on your own with that for the time being - I don't really have the time or the patience to hand hold anyone there. Sorry.

Code:
openssl-1.1.x/Makefile:
    cd openssl-1.1.x && \
    ./Configure $(HOSTCONFIG) -O2 -DOPENSSL_NO_BUF_FREELISTS --prefix=/usr --openssldir=/etc --cross-compile-prefix=' ' \
    -ffunction-sections -fdata-sections -Wl,--gc-sections \
    shared $(OPENSSL_CIPHERS) no-ssl3 no-err no-async --api=1.0.0 \
    $(if $(filter y,$(HND_ROUTER)),,-DOPENSSL_PREFER_CHACHA_OVER_GCM)
    -@$(MAKE) -C openssl-1.1.x depend clean
    @touch $@

openssl-1.1.x: openssl-1.1.x/Makefile
    $(MAKE) -C openssl-1.1.x

openssl-1.1.x-clean:
    [ ! -f openssl-1.1.x/Makefile ] || $(MAKE) -C openssl-1.1.x clean
    @rm -f openssl-1.1.x/Makefile

openssl-1.1.x-install:
    $(SEP)
    if [ -f openssl-1.1.x/Makefile ] ; then \
        install -D openssl-1.1.x/libcrypto.so.1.1 $(INSTALLDIR)/openssl-1.1.x/usr/lib/libcrypto.so.1.1 ; \
        install -D openssl-1.1.x/libssl.so.1.1 $(INSTALLDIR)/openssl-1.1.x/usr/lib/libssl.so.1.1 ; \
        $(STRIP) $(INSTALLDIR)/openssl-1.1.x/usr/lib/libssl.so.1.1 ; \
        $(STRIP) $(INSTALLDIR)/openssl-1.1.x/usr/lib/libcrypto.so.1.1 ; \
        install -D openssl-1.1.x/apps/openssl $(INSTALLDIR)$(INSTALLSUBDIR)/usr/sbin/openssl11 ; \
        $(STRIP) $(INSTALLDIR)$(INSTALLSUBDIR)/usr/sbin/openssl11 ; \
        chmod 0500 $(INSTALLDIR)$(INSTALLSUBDIR)/usr/sbin/openssl11 ; \
    fi

openssl-1.1.x-stage:
    $(MAKE) -C openssl-1.1.x install_sw INSTALL_PREFIX=$(STAGEDIR)


(for those wondering about that -O2, it actually speeds up OpenSSL compared to -O3, probably due to increased cache hits on these processors with very limited amounts of cache. So I override the default config that uses -O3).
 
I can share my current build recipes for people willing to experiment, but you're really on your own with that for the time being - I don't really have the time or the patience to hand hold anyone there. Sorry.
No problem at all. I was not expecting that.

Thank you for sharing your config! I might give that another try this weekend (I failed today).
 
For most services OpenSSL 1.1.1 was patched so it will favor Chacha ahead of AES for models that lack AES acceleration (which means slightly better performance for accessing the webui over https, for example).

OpenWRT is doing similar with their approach...

See below for recent changes related to OpenSSL on the master...

Code:
commit 29b69e840a44fad518d9d9ecd93966d0d2a4f076
Author: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date:   Wed Jan 30 08:42:11 2019 -0200

    openssl: add package for openssl.cnf, misc changes
   
    - Add the /etc/ssl/openssl.cnf as a separate package, to avoid breaking
      the transitional mechanism, allowing libopenssl_1.0* and
      libopenssl_1.1* to coexist.
   
    - Remove the (selecting) dependency on @KERNEL_AIO
   
    - Use global SOURCE_DATE_EPOCH
   

commit 2eeb2853ed3199c3bb65d3498e02ac36526befb4
Author: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date:   Wed Oct 24 16:28:59 2018 -0300

    openssl: optimizations based on ARCH/small flash
   
    Add a patch to enable the option to change the default ciphersuite list
    ordering to prefer ChaCha20 over AES-GCM.  This is used by default for
    all platforms, except for x86_64 and aarch64. The assumption is that
    only the latter have AES-specific CPU instructions and asm code that
    uses them in openssl.  Chacha20Poly1305 is 3x faster than AES-256 in
    systems without AES instructions, with an equivalent strength.
   
    Disable error messages by default except for devices with small flash or
    RAM, to aid debugging.
   
    Disable ASM by default on arm platform with small flash.  Size
    difference on mips and powerpc, the other platforms with small flash
    devices, are not really relevant (using 100K as a threshold).  All of
    the affected platforms are source-only anyway.
   
commit d872d00b2f7e31b98e11e83922d1aaefc270647e
Author: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date:   Wed Oct 24 11:25:00 2018 -0300

    openssl: update to version 1.1.1a
   
    This version adds the following functionality:
      * TLS 1.3
      * AFALG engine support for hardware accelleration
      * x25519 ECC curve support
      * CRIME protection: disable use of compression by default
      * Support for ChaCha20 and Poly1305
   
    Patches fixing bugs in the /dev/crypto engine were applied, from
    https://github.com/openssl/openssl/pull/7585
   
    This increses the size of the ipk binray on MIPS32 by about 32%:
    old:
    693.941 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk
    193.827 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk
   
    new:
    912.493 bin/packages/mips_24kc/base/libopenssl1.1_1.1.1a-2_mips_24kc.ipk
    239.316 bin/packages/mips_24kc/base/openssl-util_1.1.1a-2_mips_24kc.ipk
   
commit be3892284ca77a69615351b106b8dfbadad728c4
Author: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date:   Mon Oct 22 11:32:56 2018 -0300

    openssl: add configuration options, disable ssl3
   
    Adds the following configuration options:
    * using optimized assembler code (was always on before)
    * use of x86 SSE2 instructions
    * dyanic engine support
    * include error messages
    * Camellia, Gost, Idea, MDC2, Seed & Whirlpool algorithms
    * RFC3779, CMS protocols
    * VIA padlock hardware acceleration engine
   
    Installs openssl.cnf with the library as it is used by engines
    independent of the openssl util.
   
    Fixes DTLS option that was innefective before.
   
    Disables insecure SSL3 protocol and SHA0.

    Adds openwrt-specific targets to Configure script, including asm support
    for i386, ppc and mips64.
   
    Strips building dirs from CFLAGS shown in binary.
   
    Skips the fuzz directory during build.
   
    Removed include/crypto/devcrypto.h that was included here, to use the
    cryptodev-linux package, now that it was been moved from the packages
    feed to the main openwrt repository.
   
    This decreses the size of the ipk binray on MIPS32 by about 3.3%:
    old:
    706.957 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk
    199.294 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk
   
    new:
    693.941 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk
    193.827 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk
 
Last edited:
OpenWRT is doing similar with their approach...

See attached for recent changes related to OpenSSL on the master...

I know. They use the same patch as me.
 
Some of that patch might be useful for the old-school MIPSEL targets...

It will benefit any ARM model that uses a BCM4708/BCM4709 as well, which was why I included it. However I no longer support any MIPSEL model.
 

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Staff online

Top