lolware - now with libressl

Nginx with libressl

For various reasons, OpenSSL has been forked by the OpenBSD team. You can read about it here: http://www.libressl.org. At present, it's just a library, and it's just for OpenBSD. Here, we compile it under Linux and link nginx against it. Let me start by saying: someone is going to make a song and dance of pointing out that you shouldn't do this in a production environment, and will feel smug about it. That person won't have read the advice below. My custom RPM also includes mod_randpad, which you can use to apply randomised amounts of padding to replies. This is largely an academic exercise and, unless explicitly enabled in the config, does nothing. Reasons you should not do this are:
With that said, reasons you would do this are:

The process we work with is:
Start with Busterb's fantastic port
To make a particular snapshot of this into a distributable tarball, the following script exists:
git clone https://github.com/busterb/libressl.git
cd libressl
git checkout fbbc8570    # pin the snapshot; the tarball name below carries the same commit id
./autogen.sh
cd ..
tar zcvf libressl-fbbc8570.tar.gz libressl/

nginx source
Obtain the official nginx source RPM. Starting from this point gives us init scripts, logrotate scripts, and configuration options more in line with a standard build than compiling from source.
Patch up the build
This is done by editing the spec file so that the build picks up the libressl tarball above instead of the system OpenSSL.
Build the RPM for redistribution and installation:
rpmbuild -ba nginx.spec
Overall, the fact this website is running on this product, and hasn't missed a beat, demonstrates to me that:

I have made my RPM available here and placed all the files needed to make it yourself here.

Update - Now supports Chacha20

LibreSSL have taken the fantastic step of importing Google's Chacha20 patches, meaning Google Chrome users can finally migrate away from AES. This is an even more unstable process because it's based on a draft - but it works. The current GitHub source references a version that includes this support.
I'm using this configuration:
ssl_ciphers "ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-CHACHA20-POLY1305 EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
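As an added check, not part of the original post: this Python snippet resolves that ssl_ciphers string with the local TLS library (Python's ssl module, so whichever OpenSSL or LibreSSL it is built against) and reports what actually survives expansion. It shows, for instance, that the trailing !RC4 wins over the earlier EECDH+aRSA+RC4 entry and that every remaining suite is ECDHE or DHE. The function names and the FORBIDDEN list are my own.

```python
import ssl

# The ssl_ciphers value from the post above (nginx's surrounding quotes removed).
NGINX_SSL_CIPHERS = (
    "ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-CHACHA20-POLY1305 "
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 "
    "EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA "
    "!aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
)

# Substrings that should never appear in a resolved cipher name (my choice of checks).
FORBIDDEN = ("RC4", "MD5", "DES", "NULL", "EXP")


def expand_cipher_list(cipher_string):
    """Resolve an OpenSSL-style cipher string exactly as the TLS library would,
    returning the ordered list of TLS<=1.2 cipher names it selects.
    TLS 1.3 suites are dropped because ssl_ciphers does not govern them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit_cipher_list(names):
    """Report what survived expansion: forbidden algorithms, whether ChaCha20
    heads the preference list, and any suite without forward secrecy."""
    return {
        "forbidden": [n for n in names if any(tok in n for tok in FORBIDDEN)],
        "chacha20_first": bool(names) and names[0].endswith("CHACHA20-POLY1305"),
        "non_pfs": [n for n in names if not n.startswith(("ECDHE-", "DHE-"))],
    }


if __name__ == "__main__":
    resolved = expand_cipher_list(NGINX_SSL_CIPHERS)
    for name in resolved:
        print(name)
    print(audit_cipher_list(resolved))
```

Run it on the box that will serve the config: the result depends on the cipher suites the linked library was built with, which is the whole point of checking after swapping the library.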

More Update: Now patches in TLS_FALLBACK_SCSV