[Nanopi NEO2 - Ubuntu] Downgrade/Replace OpenSSL


gurabli

Hi,

running Armbian Ubuntu on Nanopi Neo2 and it is working really great.

I would like to implement HPN-SSH but I can't compile any of the OpenSSH versions against OpenSSL 1.1.x present on system. 

 

Any idea if OpenSSL 1.1.x can be safely downgraded to the latest OpenSSL 1.0.x release? I would use for example the method described here

Not sure if OpenSSL 1.0.x would break anything on the system or not?

 

Thanks for your help and advice!


2 hours ago, gurabli said:

Not sure if OpenSSL 1.0.x would break anything on the system or not?


Hard to say, I don't know without investigation. It's more a question for Ubuntu folks in this case, namely related to Ubuntu Bionic 18.04.y regardless of the architecture. We neither touch nor deal with package relations. They are the same as upstream.


5 hours ago, gurabli said:

running Armbian Ubuntu on Nanopi Neo2 and it is working really great.

I would like to implement HPN-SSH but I can't compile any of the OpenSSH versions against OpenSSL 1.1.x present on system. 

 

They have a patch for OpenSSL 1.1x compatibility...

 

https://sourceforge.net/projects/hpnssh/

 

https://github.com/rapier1/openssh-portable

 

 


12 hours ago, sfx2000 said:

 

They have a patch for OpenSSL 1.1x compatibility...

 

https://sourceforge.net/projects/hpnssh/

 

https://github.com/rapier1/openssh-portable

 

 

 

Yes, I see the patch for OpenSSL 1.1x compatibility, but I get errors when I apply the patch to OpenSSL. Don't know why. And the HPN-SSH patch should be applied after the OpenSSL patch? I'm not too familiar with patching. Did you manage to apply both patches and build OpenSSH?

 

I configured HPN-SSH successfully on my home and VPS servers running Ubuntu Server 16.04 LTS, and the performance is amazing, compared to stock SSH. I can fully max out my ISP upload, I have download speed over remote locations of around 10 MB/s, while on stock SSH it was 1-2,5 MB/s max. 

I'm using aes128-cb cipher now, but no noticeable difference with most ciphers. If a deprecated arcfour cipher is used, then it will give way less stress on SoC, still maintaining encryption, but not too secure. However, it depends on the use case, I stream hts from Tvheadend and want to keep some level of encryption on the stream and server-client communication.

 

But I really struggle with how to compile HPN-SSH on Armbian, and now I messed up the system and have no access (and it is on a remote location). Yeah, one should never mess with a system like this on a remote, non-VPS system :)


17 hours ago, gurabli said:

 

Yes, I see the patch for OpenSSL 1.1x compatibility, but I get errors when I apply the patch to OpenSSL. Don't know why. And the HPN-SSH patch should be applied after the OpenSSL patch? I'm not too familiar with patching. Did you manage to apply both patches and build OpenSSH?

 

But I really struggle with how to compile HPN-SSH on Armbian, and now I messed up the system and have no access (and it is on a remote location). Yeah, one should never mess with a system like this on a remote, non-VPS system :)

 

Lesson learned I suppose - one does not play lightly with OpenSSL/OpenSSH...

 

I don't think it's a good idea to attempt to downgrade OpenSSL on ARMBIAN from the current - mostly because of how deep OpenSSL is in general, and things that use it.


Yes, lesson learned for sure. I did consider this when I was working on it. Will have access to the device soon. 

 

I will need to configure a (hardware) watchdog, I opened a thread about this. In this case a watchdog wouldn't help me, but in many other cases it certainly would.

 

Still, I don't get why I couldn't patch OpenSSL 1.1.


1 hour ago, sfx2000 said:

 

Patches are usually against a specific version, and there's a number of 1.1 releases...

Well, I think I mixed it up, I wanted to say patch OpenSSH. As the patch is required to be able to build OpenSSH against OpenSSL 1.1. Still, I apply the patch to the correct version of OpenSSH, and it fails.


This topic is now closed to further replies.