How to config openssl engine aes-ni in nginx - nginx

I want to use the AES-NI engine to increase OpenSSL performance (hardware acceleration); my CPU supports AES-NI (Intel(R) Xeon(R) CPU E5620 @ 2.40GHz).
I tried installing OpenSSL versions 1.0.2-chacha and 1.0.1l.
With version 1.0.2-chacha, when I test the speed with the command:
openssl speed aes-256-cbc
I get this error:
Error: bad option or value
With version 1.0.1, when I configure it with nginx I get this error:
nginx: [warn] ENGINE_by_id("aesni") failed (SSL: error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:filename(/usr/lib/x86_64-linux-gnu/openssl-1.0.1/engines/libaesni.so): /usr/lib/x86_64-linux-gnu/openssl-1.0.1/engines/libaesni.so: cannot open shared object file: No such file or directory
error:25070067:DSO support routines:DSO_load:could not load the shared library
error:260B6084:engine routines:DYNAMIC_LOAD:dso not found
error:2606A074:engine routines:ENGINE_by_id:no such engine:id=aesni)
I know that for OpenSSL versions >= 1.0.1, AES-NI does not work via an engine and will not show up in the openssl engine command; it is active by default on supported hardware.
I saw a comment at https://www.ruby-forum.com/topic/6873426#1168394 saying "no configuration option and it will work as long as your cpu supports it".
But I cannot find an official source.
Please suggest which OpenSSL version to use and how to configure it with nginx.

In OpenSSL >= 1.0.1 AES-NI is enabled by default in the EVP interface, and there is no aesni engine. So in nginx there is no configuration option to enable AES-NI for OpenSSL versions >= 1.0.1 as it is enabled by default in OpenSSL (as long as your CPU supports it). For OpenSSL versions < 1.0.1 there is no official support for AES-NI though there is a patch available.
[http://openssl.6102.n7.nabble.com/having-a-lot-of-troubles-trying-to-get-AES-NI-working-tp44285p44301.html]
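An added check for the point this answer makes, not part of the original thread: with OpenSSL >= 1.0.1 there is nothing to configure, so the only useful thing left is to confirm that AES-NI is actually in use. The script below (example code, not from the thread or from nginx) reads the CPU flags from /proc/cpuinfo, then times aes-128-cbc through the EVP interface twice, once normally and once with AES-NI masked off via the OPENSSL_ia32cap environment variable, and prints the speedup. It assumes Linux on x86_64 and an openssl binary on PATH. One caveat worth knowing: `openssl speed aes-256-cbc` without `-evp` benchmarks the low-level AES_* functions, which never use AES-NI; only the EVP path does, and that is the path libssl (and therefore nginx) goes through.

```shell
#!/bin/sh
# Added example: confirm AES-NI is in use by OpenSSL >= 1.0.1 (no engine needed).
# Assumes Linux on x86_64 with an openssl binary on PATH; nothing here is from
# the original thread.

# cpu_has_aesni FILE: succeed when the first "flags" line in FILE (normally
# /proc/cpuinfo) contains the "aes" flag. FILE is a parameter so the function
# can be exercised against a saved copy.
cpu_has_aesni() {
    awk '/^flags/ { for (i = 1; i <= NF; i++) if ($i == "aes") ok = 1; exit }
         END { exit !ok }' "$1"
}

# aes_kbps FILE: from saved `openssl speed -evp aes-128-cbc` output, print the
# 16-byte-block throughput as an integer number of kilobytes per second. The
# summary line looks like "aes-128-cbc   591234.56k  ..." (first column = 16 bytes).
aes_kbps() {
    awk '/^aes-128-cbc/ { sub(/k$/, "", $2); printf "%d\n", $2 + 0; exit }' "$1"
}

# speedup NATIVE DISABLED: integer ratio of two throughput numbers (0 when the
# divisor is 0, so a failed benchmark run cannot crash the script).
speedup() {
    awk -v a="$1" -v b="$2" 'BEGIN { printf "%d\n", ((b > 0) ? a / b : 0) }'
}

# aesni_speed_check: run the benchmark twice. The mask ~0x200000200000000
# clears bit 57 (AES-NI) and bit 33 (PCLMULQDQ) of OPENSSL_ia32cap, which is
# the documented way to switch the AES-NI code path off for one process.
aesni_speed_check() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH" >&2; return 2; }
    if cpu_has_aesni /proc/cpuinfo; then
        echo "CPU advertises AES-NI"
    else
        echo "CPU does not advertise AES-NI; expect no speedup"
    fi
    echo "OpenSSL: $(openssl version)"
    native=$(mktemp) && disabled=$(mktemp) || return 2
    openssl speed -evp aes-128-cbc >"$native" 2>/dev/null
    OPENSSL_ia32cap="~0x200000200000000" openssl speed -evp aes-128-cbc >"$disabled" 2>/dev/null
    n=$(aes_kbps "$native"); d=$(aes_kbps "$disabled")
    rm -f "$native" "$disabled"
    echo "aes-128-cbc, 16-byte blocks: ${n}k/s with AES-NI, ${d}k/s without, speedup x$(speedup "$n" "$d")"
    # A ratio well above 1 means the EVP path is using AES-NI with no engine
    # configured; a ratio near 1 means it is not (library too old, or the CPU
    # flag is hidden by the hypervisor/kernel).
}

# Run the live check only when invoked as: sh aesni-check.sh --run
if [ "${1-}" = "--run" ]; then
    aesni_speed_check
fi
```

Running with `--run` on a host whose CPU exposes the `aes` flag should print a ratio of several times for 16-byte blocks; that is the evidence that the answer's "enabled by default" claim holds for the library nginx links against, and no `ssl_engine` directive is needed.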

Related

Certificate issues for OPC-UA with Qt wrapper

I'm running the qtopcuaviewer example following these instructions to create the client certificate:
# create a self-signed certificate and private key
openssl req -new -x509 -config opcuaviewer.config -newkey rsa:2048 -keyout opcuaviewer.key -nodes -outform der -out opcuaviewer.der
# install the certificate and key into the application PKI directory
mv opcuaviewer.der /path/to/application/pki/own/certs/opcuaviewer.der
mv opcuaviewer.key /path/to/application/pki/own/private/opcuaviewer.pem
# secure private key file permissions
chmod 600 /path/to/application/pki/own/private/opcuaviewer.pem
Here are the warnings I get:
Debug: "Creating PKI path '/home/user/bin/pki/trusted/certs': SUCCESS." (../opcuaviewer/mainwindow.cpp:399, bool MainWindow::createPkiPath(const QString&))
Debug: "Creating PKI path '/home/user/bin/pki/trusted/crl': SUCCESS." (../opcuaviewer/mainwindow.cpp:399, bool MainWindow::createPkiPath(const QString&))
Debug: "Creating PKI path '/home/user/bin/pki/issuers/certs': SUCCESS." (../opcuaviewer/mainwindow.cpp:399, bool MainWindow::createPkiPath(const QString&))
Debug: "Creating PKI path '/home/user/bin/pki/issuers/crl': SUCCESS." (../opcuaviewer/mainwindow.cpp:399, bool MainWindow::createPkiPath(const QString&))
Warning: No functional TLS backend was found (:0, )
Warning: No TLS backend is available (:0, )
Warning: No client certificate found at "/home/user/bin/pki/own/certs/opcuaviewer.der" . Application identity will be invalid. (:0, )
First issue
The certificate created with the procedure above is there and it has the correct permissions:
$ ls -l /home/user/bin/pki/own/certs/opcuaviewer.der
-rw-rw-r-- 1 user user 1143 Jan 18 14:57 /home/user/bin/pki/own/certs/opcuaviewer.der
Why does it not find it?
Second issue
The warning about TLS should imply that some SSL library is missing. But ldd tells me nothing is wrong, and I have the following libraries installed:
$ dpkg -l | grep libssl
ii libssl-dev:amd64 1.1.1f-1ubuntu2.8 amd64 Secure Sockets Layer toolkit - development files
ii libssl1.1:amd64 1.1.1f-1ubuntu2.8 amd64 Secure Sockets Layer toolkit - shared libraries
$ dpkg -l | grep libk5crypto
ii libk5crypto3:amd64 1.17-6ubuntu4.1 amd64 MIT Kerberos runtime libraries - Crypto Library
Is there anything else I need to deploy?
Qt 6.2.0 under Ubuntu 20.04.
You have to deploy the TLS plugin found under:
qt-path/6.2.0/gcc_64/plugins/tls/
and that will solve both issues.
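Added example, not part of the thread: a small deployment helper for the fix above. Qt searches the directories on QT_PLUGIN_PATH and the application's own directory for plugin subdirectories, so copying `plugins/tls/` next to the executable (or pointing QT_PLUGIN_PATH at a copy) makes the OpenSSL backend plugin loadable, and `QT_DEBUG_PLUGINS=1` then shows whether Qt found and loaded it. The Qt and application paths are assumptions for illustration, and so is the extra check that the DER certificate and PEM key produced by the procedure in the question really belong together.

```shell
#!/bin/sh
# Added example: deploy Qt's TLS backend plugins next to an application and
# check that they are loadable. QT_DIR, APP_DIR and the app name are
# illustrative assumptions, not values from the thread.

# deploy_qt_tls QT_DIR APP_DIR: copy <QT_DIR>/plugins/tls/*.so into
# <APP_DIR>/tls/, one of the places Qt searches for plugins (the executable's
# directory is on QCoreApplication::libraryPaths() by default).
deploy_qt_tls() {
    src="$1/plugins/tls"
    [ -d "$src" ] || { echo "no TLS plugin dir at $src" >&2; return 1; }
    mkdir -p "$2/tls" || return 1
    for so in "$src"/*.so; do
        [ -e "$so" ] || { echo "no .so files in $src" >&2; return 1; }
        cp "$so" "$2/tls/" || return 1
    done
    ls "$2/tls"
}

# missing_deps FILE...: list shared objects the loader cannot resolve for each
# file. The OpenSSL backend plugin links against libssl/libcrypto, so a
# "not found" here is a concrete reason for "No functional TLS backend was found".
missing_deps() {
    rc=0
    for f in "$@"; do
        if ldd "$f" 2>/dev/null | grep -q 'not found'; then
            echo "$f:"; ldd "$f" | grep 'not found'; rc=1
        fi
    done
    return $rc
}

# cert_key_match CERT.der KEY.pem: succeed when the DER certificate and the
# PEM private key carry the same public key; a mismatched pair also makes the
# application identity invalid, independently of the TLS backend.
cert_key_match() {
    c=$(openssl x509 -inform der -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Usage with the assumed paths:
#   deploy_qt_tls /opt/Qt/6.2.0/gcc_64 /home/user/bin
#   missing_deps /home/user/bin/tls/*.so
#   cert_key_match /home/user/bin/pki/own/certs/opcuaviewer.der \
#                  /home/user/bin/pki/own/private/opcuaviewer.pem
#   QT_DEBUG_PLUGINS=1 /home/user/bin/opcuaviewer 2>&1 | grep -i tls
```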

Cannot start h2o

As the title says, I cannot run h2o.init().
I have already downloaded the 64 bit version of the Java SE Development Kit 8u291. I also downloaded the xgboost library in R (install.packages("xgboost") ). Finally, I have updated all my NVIDIA drivers and downloaded the latest CUDA (although, tbh I don't even know what that does). I followed the steps described in the NVIDIA forums to avoid the crash I had when installing (i.e. remove integration with visual studio). FWIW I'm using a DELL Inspiron 15 Gaming and it has a NVIDIA GTX 1050 with 4GB.
Here's the full code I'm using (straight from the h2o download instructions except for the first line):
library(xgboost)
library(h2o)
localH2O = h2o.init()
demo(h2o.kmeans)
Any help would be much appreciated.
The full message I get when running the above code chunk:
H2O is not running yet, starting it now...
Note: In case of errors look at the following log files:
C:\Users\<my username>\AppData\Local\Temp\RtmpcdvCce\file1a106074110b/h2o_<my username>_started_from_r.out
C:\Users\<my username>\AppData\Local\Temp\RtmpcdvCce\file1a10253139db/h2o_<my username>_started_from_r.err
java version "15.0.2" 2021-01-19
Java(TM) SE Runtime Environment (build 15.0.2+7-27)
Java HotSpot(TM) 64-Bit Server VM (build 15.0.2+7-27, mixed mode, sharing)
Starting H2O JVM and connecting: ............................................................Diagnostic HTTP Request:
HTTP Status Code: -1
HTTP Error Message: Failed to connect to localhost port 54321: Connection refused
Cannot load library from path lib/windows_64/xgboost4j_gpu.dll
Cannot load library from path lib/xgboost4j_gpu.dll
Failed to load library from both native path and jar!
Cannot load library from path lib/windows_64/xgboost4j_omp.dll
Cannot load library from path lib/xgboost4j_omp.dll
Failed to load library from both native path and jar!
Cannot load library from path lib/windows_64/xgboost4j_minimal.dll
Cannot load library from path lib/xgboost4j_minimal.dll
Failed to load library from both native path and jar!
Failed to add native path to the classpath at runtime
java.io.IOException: Failed to get field handle to set library path
at ai.h2o.xgboost4j.java.NativeLibLoader.addNativeDir(NativeLibLoader.java:229)
at ai.h2o.xgboost4j.java.NativeLibLoader.initXGBoost(NativeLibLoader.java:43)
at ai.h2o.xgboost4j.java.NativeLibLoader.getLoader(NativeLibLoader.java:66)
at hex.tree.xgboost.XGBoostExtension.initXgboost(XGBoostExtension.java:70)
at hex.tree.xgboost.XGBoostExtension.isEnabled(XGBoostExtension.java:51)
at water.ExtensionManager.isEnabled(ExtensionManager.java:189)
at water.ExtensionManager.registerCoreExtensions(ExtensionManager.java:103)
at water.H2O.main(H2O.java:2203)
at water.H2OStarter.start(H2OStarter.java:22)
at water.H2OStarter.start(H2OStarter.java:48)
at water.H2OApp.main(H2OApp.java:12)
Cannot initialize XGBoost backend! Xgboost (enabled GPUs) needs:
- CUDA 8.0
XGboost (minimal version) needs:
- GCC 4.7+
For more details, run in debug mode: `java -Dlog4j.configuration=file:///tmp/log4j.properties -jar h2o.jar`
ERROR: Unknown argument (<my username>/AppData/Local/Temp/RtmpcdvCce)
Usage: java [-Xmx<size>] -jar h2o.jar [options]
(Note that every option has a default and is optional.)
-h | -help
Print this help.
-version
Print version info and exit.
-name <h2oCloudName>
Cloud name used for discovery of other nodes.
Nodes with the same cloud name will form an H2O cloud
(also known as an H2O cluster).
-flatfile <flatFileName>
Configuration file explicitly listing H2O cloud node members.
-ip <ipAddressOfNode>
IP address of this node.
-port <port>
Port number for this node (note: port+1 is also used by default).
(The default port is 54321.)
-network <IPv4network1Specification>[,<IPv4network2Specification> ...]
The IP address discovery code will bind to the first interface
that matches one of the networks in the comma-separated list.
Use instead of -ip when a broad range of addresses is legal.
(Example network specification: '10.1.2.0/24' allows 256 legal
possibilities.)
-ice_root <fileSystemPath>
The directory where H2O spills temporary data to disk.
-log_dir <fileSystemPath>
The directory where H2O writes logs to disk.
(This usually has a good default that you need not change.)
-log_level <TRACE,DEBUG,INFO,WARN,ERRR,FATAL>
Write messages at this logging level, or above. Default is INFO.
-max_log_file_size
Maximum size of INFO and DEBUG log files. The file is rolled over after a specified size has been reached.
(The default is 3MB. Minimum is 1MB and maximum is 99999MB)
-flow_dir <server side directory or HDFS directory>
The directory where H2O stores saved flows.
(The default is 'C:\Users\<my username>\h2oflows'.)
-nthreads <#threads>
Maximum number of threads in the low priority batch-work queue.
(The default is.)
-client
Launch H2O node in client mode.
-notify_local <fileSystemPath>
Specifies a file to write when the node is up. The file contains one line with the IP and
port of the embedded web server. e.g. 192.168.1.100:54321
-context_path <context_path>
The context path for jetty.
Authentication options:
-jks <filename>
Java keystore file
-jks_pass <password>
(Default is 'h2oh2o')
-jks_alias <alias>
(Optional, use if the keystore has multiple certificates and you want to use a specific one.)
-hostname_as_jks_alias
(Optional, use if you want to use the machine hostname as your certificate alias.)
-hash_login
Use Jetty HashLoginService
-ldap_login
Use Jetty Ldap login module
-kerberos_login
Use Jetty Kerberos login module
-spnego_login
Use Jetty SPNEGO login service
-pam_login
Use Jetty PAM login module
-login_conf <filename>
LoginService configuration file
-spnego_properties <filename>
SPNEGO login module configuration file
-form_auth
Enables Form-based authentication for Flow (default is Basic authentication)
-session_timeout <minutes>
Specifies the number of minutes that a session can remain idle before the server invalidates
the session and requests a new login. Requires '-form_auth'. Default is no timeout
-internal_security_conf <filename>
Path (absolute or relative) to a file containing all internal security related configurations
Cloud formation behavior:
New H2O nodes join together to form a cloud at startup time.
Once a cloud is given work to perform, it locks out new members
from joining.
Examples:
Start an H2O node with 4GB of memory and a default cloud name:
$ java -Xmx4g -jar h2o.jar
Start an H2O node with 6GB of memory and a specify the cloud name:
$ java -Xmx6g -jar h2o.jar -name MyCloud
Start an H2O cloud with three 2GB nodes and a default cloud name:
$ java -Xmx2g -jar h2o.jar &
$ java -Xmx2g -jar h2o.jar &
$ java -Xmx2g -jar h2o.jar &
So... after a lot of poking around I found the answer. Windows Defender ughhh was blocking access to the h2o.jar. The solution was to open PowerShell in the h2o java folder and run the h2o.jar using java -jar h2o.jar. Then you'll get the security prompt asking you to authorize the program (I've had to do it every time, so you might want to check your settings). Once you do that h2o.init() runs very smoothly in R.

WooCommerce Gateway PayPal Express Checkout requires OpenSSL >= 1.0.1

I am running OSX Sierra 10.12.5 with PHP 5.6.30 and have a local Wordpress / WooCommerce setup with the "woocommerce-gateway-paypal-express-checkout" plugin installed. I am seeing an error in the admin relating to my OpenSSL version:
WooCommerce Gateway PayPal Express Checkout requires OpenSSL >= 1.0.1 to be installed on your server
I also have other issues with cURL requests to https pages, as well as the WordPress update check not working, which I understand to be related.
In my phpinfo, I have this entry for OpenSSL:
OpenSSL support enabled
OpenSSL Library Version LibreSSL 2.2.7
OpenSSL Header Version LibreSSL 2.2.7
Openssl default config /private/etc/ssl/openssl.cnf
From the command line, the version is reported as:
openssl version
OpenSSL 0.9.8zh 14 Jan 2016
which openssl
/usr/bin/openssl
Lastly, the server environment reported by WooCommerce status is:
### Server Environment ###
Server Info: Apache/2.4.25 (Unix) LibreSSL/2.2.7 PHP/5.6.30
PHP Version: 5.6.30
PHP Post Max Size: 8 MB
PHP Time Limit: 31
PHP Max Input Vars: 1000
cURL Version: 7.51.0
SecureTransport
I am at a loss as to how to fix this. I understand that LibreSSL is a branch of OpenSSL and is more secure. I have searched for a solution, and several suggest running brew install openssl and then brew upgrade openssl. This doesn't seem to fix the problem. I know there are several similar or related questions, but most of the responses were either a couple of years old or seemed to cause other problems.
I have several machines with this problem and would really like to get a better understanding for what is going wrong.

OpenSSL Padding Oracle vulnerability (CVE-2016-2107) + Nginx

I was trying the Qualys SSL Labs test and it told me that the server is vulnerable to the OpenSSL Padding Oracle vulnerability (CVE-2016-2107). I googled around on how to fix this, and although the OpenSSL version installed on my system (Ubuntu 14.04) should be patched for that according to this link, I was still getting this error.
I tried upgrading OpenSSL but it was already the newest version, so I installed manually a newer version following the instructions here which went fine, but that didn't fix anything. Looking at the info from Nginx, It seems it still runs with the previous version:
nginx -V
nginx version: nginx/1.10.2
built with OpenSSL 1.0.1f 6 Jan 2014 (running with OpenSSL 1.0.2g-fips 1 Mar 2016)
while OpenSSL has clearly been updated:
openssl version
OpenSSL 1.0.2j 26 Sep 2016
Any idea how to get all this sorted out?
Note that yes, I did restart Nginx, I even tried sudo service nginx upgrade and even rebooted the server.
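Added example, not from the thread (which carries no answer here): a few checks that separate the OpenSSL nginx was compiled against from the one it loads at run time, which is exactly the distinction `nginx -V` is reporting in the question. An nginx binary that links the distribution's libssl keeps loading that shared object from the system library path regardless of what a later source install put under /usr/local, and `ldd` shows which file is actually resolved. Ubuntu also backports security fixes without changing the upstream version string, so the package changelog, not the version number, says whether a given CVE is patched. The paths and the package name libssl1.0.0 are assumptions (the Ubuntu 14.04 package, not something the question states).

```shell
#!/bin/sh
# Added example: tell the OpenSSL nginx was built with apart from the one it
# runs with, and find which libssl file is actually loaded. Package name and
# paths are assumptions for Ubuntu 14.04, not values stated in the question.

# nginx_built_with FILE / nginx_running_with FILE: parse a saved copy of
# `nginx -V 2>&1`, whose line looks like
#   built with OpenSSL 1.0.1f 6 Jan 2014 (running with OpenSSL 1.0.2g-fips 1 Mar 2016)
# nginx prints the parenthesised part only when the two differ, so
# nginx_running_with falls back to the built-with version.
nginx_built_with() {
    sed -n 's/^built with OpenSSL \([^ ]*\).*/\1/p' "$1"
}
nginx_running_with() {
    r=$(sed -n 's/.*(running with OpenSSL \([^ ]*\).*/\1/p' "$1")
    [ -n "$r" ] && printf '%s\n' "$r" || nginx_built_with "$1"
}

# cli_openssl_version: version token of the openssl binary first on PATH,
# e.g. "1.0.2j"; a source install usually puts this under /usr/local/bin,
# which says nothing about what nginx loads.
cli_openssl_version() {
    openssl version 2>/dev/null | awk '{ print $2 }'
}

# loaded_libssl BINARY: the libssl.so file the dynamic loader resolves for
# BINARY. This, not `openssl version`, is where nginx's TLS stack comes from.
loaded_libssl() {
    ldd "$1" 2>/dev/null | awk '$1 ~ /^libssl\.so/ { print $3; exit }'
}

# cve_in_changelog CVE PACKAGE: succeed when the Debian/Ubuntu changelog of
# PACKAGE mentions CVE, i.e. the distribution backported the fix even though
# the upstream version string (here 1.0.1f) is unchanged.
cve_in_changelog() {
    zgrep -q "$1" "/usr/share/doc/$2/changelog.Debian.gz" 2>/dev/null
}

report() {
    tmp=$(mktemp) || return 2
    nginx -V >"$tmp" 2>&1 || { echo "cannot run nginx -V" >&2; rm -f "$tmp"; return 2; }
    echo "nginx built with   : $(nginx_built_with "$tmp")"
    echo "nginx running with : $(nginx_running_with "$tmp")"
    rm -f "$tmp"
    echo "openssl on PATH    : $(cli_openssl_version) ($(command -v openssl))"
    bin=$(command -v nginx)
    echo "libssl loaded by $bin: $(loaded_libssl "$bin")"
    if cve_in_changelog CVE-2016-2107 libssl1.0.0; then
        echo "libssl1.0.0 changelog mentions CVE-2016-2107 (fix backported)"
    else
        echo "libssl1.0.0 changelog does not mention CVE-2016-2107"
    fi
}

# Live usage: sh nginx-ssl-check.sh --run
if [ "${1-}" = "--run" ]; then
    report
fi
```

If the libssl path printed by `loaded_libssl` is the system copy while `openssl version` points at /usr/local, the two version numbers will keep disagreeing no matter how often nginx is restarted; the relevant question is then whether that system copy's changelog carries the CVE, not what the CLI binary reports.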

How to fetch this URL? Getting SSL handshake error

I'm trying to fetch the following URL via various libraries and command-line tools, but running into a SSL handshake error.
> curl https://www.joelosteen.com/Views/RSS/Feed?t=PodcastVideo&ct=CustomList&cst=Podcasts
curl: (35) error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
I've seen here it may be fixed by reducing possible ciphers, but trying this less strict call with restricted ciphers doesn't fix it.
curl -vlkL "https://www.joelosteen.com/Views/RSS/Feed?t=PodcastVideo&ct=CustomList&cst=Podcasts" --ciphers DHE-RSA-AES256-SHA
Any ideas how I can fix this? It's a shared account, ie no root available.
The server supports only TLS version 1.2, i.e. no TLS 1.0 or even SSL 3.0. My guess is that the curl you use is simply too old to use TLS 1.2, but without further details about the version you use this guess can not be verified.
To determine the version of curl use curl --version. If you see it is compiled with OpenSSL then it should show at least version 1.0.1 of OpenSSL to have TLS 1.2 support.
curl -vlkL ... --ciphers DHE-RSA-AES256-SHA
This is not a cipher supported by the server. One of the ciphers supported is AES128-SHA but again, no chance if your curl does not support TLS 1.2.
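Added example, not from the thread: the check this answer describes, applied to the first line of `curl --version`, plus a direct probe of the server that needs no root. `tls12_capable` extracts the TLS backend token (OpenSSL/x.y.z, GnuTLS/..., NSS/...) and, for OpenSSL, applies the >= 1.0.1 rule the answer gives; LibreSSL is treated as capable because it forked from OpenSSL 1.0.1g, which already had TLS 1.2, and other backends are reported as undecidable from the version line alone. The probe uses `openssl s_client -tls1_2`; the host name is the one from the question and the cipher is the AES128-SHA the answer names.

```shell
#!/bin/sh
# Added example: decide from `curl --version` whether this curl can speak
# TLS 1.2, then probe the server directly with openssl. Not code from the
# thread; the >= 1.0.1 rule is the one the answer states.

# version_ge A B: succeed when the leading dotted-numeric part of A is >= B,
# so "1.0.2j" >= "1.0.1" and "0.9.8zh" < "1.0.1" (letter suffixes ignored).
version_ge() {
    a=$(printf '%s\n' "$1" | sed 's/[^0-9.].*//')
    b=$(printf '%s\n' "$2" | sed 's/[^0-9.].*//')
    awk -v a="$a" -v b="$b" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# curl_ssl_backend LINE: the TLS library token from the first line of
# `curl --version`, e.g. "OpenSSL/1.0.1e", "GnuTLS/3.4.10", "NSS/3.15.3",
# "LibreSSL/2.0.20". Prints nothing if no known backend is listed.
curl_ssl_backend() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(OpenSSL|LibreSSL|BoringSSL|GnuTLS|NSS|SecureTransport|Schannel|wolfSSL|mbedTLS)/) { print $i; exit }
    }'
}

# tls12_capable LINE: 0 = yes, 1 = no, 2 = cannot tell from the version line.
tls12_capable() {
    backend=$(curl_ssl_backend "$1")
    case "$backend" in
        OpenSSL/*)  version_ge "${backend#OpenSSL/}" 1.0.1 ;;
        LibreSSL/*) return 0 ;;   # forked from OpenSSL 1.0.1g, which already had TLS 1.2
        *)          return 2 ;;   # GnuTLS/NSS/...: depends on their own versions, not decided here
    esac
}

# probe_tls12 HOST [CIPHER]: handshake with HOST:443 forcing TLS 1.2 (and the
# given cipher, if any) using openssl s_client, which works without root.
probe_tls12() {
    openssl s_client -connect "$1:443" -servername "$1" -tls1_2 \
        ${2:+-cipher} ${2:-} </dev/null 2>/dev/null | grep -q 'Protocol *: TLSv1.2'
}

# Live usage: sh tls12-check.sh --run
if [ "${1-}" = "--run" ]; then
    line=$(curl --version 2>/dev/null | head -n 1)
    echo "curl: $line"
    tls12_capable "$line"; rc=$?
    case $rc in
        0) echo "backend $(curl_ssl_backend "$line") can do TLS 1.2" ;;
        1) echo "backend $(curl_ssl_backend "$line") predates TLS 1.2 support; a newer curl/OpenSSL is needed" ;;
        *) echo "cannot decide from the version line; rely on the probe" ;;
    esac
    if probe_tls12 www.joelosteen.com AES128-SHA; then
        echo "server accepts TLS 1.2 with AES128-SHA"
    else
        echo "TLS 1.2 handshake with AES128-SHA failed (server changed, or this openssl is too old)"
    fi
fi
```

On a shared host where only curl is old but an `openssl` >= 1.0.1 binary exists, the probe succeeding while `tls12_capable` reports 1 pins the problem on the curl build rather than on the server or on cipher selection.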
