gurabli Posted February 4, 2019

Hi, running Armbian Ubuntu on Nanopi Neo2 and it is working really great. I would like to implement HPN-SSH but I can't compile any of the OpenSSH versions against the OpenSSL 1.1.x present on the system. Any idea if OpenSSL 1.1.x can be safely downgraded to the latest OpenSSL 1.0.x release? I would use, for example, the method described here. Not sure if OpenSSL 1.0.x would break anything on the system or not?

Thanks for your help and advice!

Igor Posted February 4, 2019

2 hours ago, gurabli said:
> Not sure if OpenSSL 1.0.x would break anything on the system or not?

Hard to say, I don't know without investigation. It's more a question for Ubuntu folks in this case, namely related to Ubuntu Bionic 18.04.y regardless of the architecture. We don't touch nor deal with package relations. They are the same as upstream.

gurabli (Author) Posted February 4, 2019

Thanks, Igor. I will make a test and see (don't have access to the device now). I read a lot and some say it might break, some say it won't.

sfx2000 Posted February 4, 2019

5 hours ago, gurabli said:
> running Armbian Ubuntu on Nanopi Neo2 and it is working really great. I would like to implement HPN-SSH but I can't compile any of the OpenSSH versions against OpenSSL 1.1.x present on system.

They have a patch for OpenSSL 1.1x compatibility...

https://sourceforge.net/projects/hpnssh/
https://github.com/rapier1/openssh-portable

gurabli (Author) Posted February 5, 2019

12 hours ago, sfx2000 said:
> They have a patch for OpenSSL 1.1x compatibility...
> https://sourceforge.net/projects/hpnssh/
> https://github.com/rapier1/openssh-portable

Yes, I see the patch for OpenSSL 1.1x compatibility, but I get errors when I apply the patch to OpenSSL. Don't know why. And the HPN-SSH patch should be applied after the OpenSSL patch? I'm not too familiar with patching. Did you manage to apply both patches and build OpenSSH?

I configured HPN-SSH successfully on my home and VPS servers running Ubuntu Server 16.04 LTS, and the performance is amazing, compared to stock SSH. I can fully max out my ISP upload, I have download speed over remote locations of around 10 MB/s, while on stock SSH it was 1-2,5 MB/s max. I'm using aes128-cb cipher now, but no noticeable difference with most ciphers. If a deprecated arcfour cipher is used, then it will give way less stress on SoC, still maintaining encryption, but not too secure. However, it depends on the use case, I stream hts from Tvheadend and want to keep some level of encryption on the stream and server-client communication.

But I really struggle with how to compile HPN-SSH on Armbian, and now I messed up the system and have no access (and it is on a remote location). Yeah, one should never mess with a system like this on a remote, non-VPS system :)

sfx2000 Posted February 6, 2019

17 hours ago, gurabli said:
> Yes, I see the patch for OpenSSL 1.1x compatibility, but I get errors when I apply the patch to OpenSSL. Don't know why. And the HPN-SSH patch should be applied after the OpenSSL patch? I'm not too familiar with patching. Did you manage to apply both patches and build OpenSSH?
>
> But I really struggle with how to compile HPN-SSH on Armbian, and now I messed up the system and have no access (and it is on a remote location). Yeah, one should never mess with a system like this on a remote, non-VPS system :)

Lesson learned I suppose - one does not play lightly with OpenSSL/OpenSSH...

I don't think it's a good idea to attempt to downgrade OpenSSL on ARMBIAN from the current - mostly because of how deep OpenSSL is in general, and things that use it.

gurabli (Author) Posted February 6, 2019

Yes, lesson learned for sure. I did consider this when I was working on it. Will have access to the device soon. I will need to configure a (hardware) watchdog; I opened a thread about this. In this case a watchdog wouldn't help me, but in many other cases it certainly would.

Still, I don't get why I couldn't patch OpenSSL 1.1.

sfx2000 Posted February 6, 2019

1 hour ago, gurabli said:
> Still, I don't get it why I couldn't patch OpenSSL 1.1.

Patches are usually against a specific version, and there's a number of 1.1 releases...

gurabli (Author) Posted February 6, 2019

1 hour ago, sfx2000 said:
> Patches are usually against a specific version, and there's a number of 1.1 releases...

Well, I think I mixed things up, I wanted to say patch OpenSSH, as the patch is required to be able to build OpenSSH against OpenSSL 1.1. Still, I apply the patch to the correct version of OpenSSH, and it fails.