gurabli

[Nanopi NEO2 - Ubuntu] Downgrade/Replace OpenSSL


Hi,

running Armbian Ubuntu on Nanopi Neo2 and it is working really great.

I would like to implement HPN-SSH but I can't compile any of the OpenSSH versions against OpenSSL 1.1.x present on system. 

 

Any idea if OpenSSL 1.1.x can be safely downgraded to the latest OpenSSL 1.0.x release? I would use for example the method described here

Not sure if OpenSSL 1.0.x would break anything on the system or not?

 

Thanks for your help and advice!

2 hours ago, gurabli said:

Not sure if OpenSSL 1.0.x would break anything on the system or not?


Hard to say, I don't know without investigation. It's more a question for Ubuntu folks in this case, namely related to Ubuntu Bionic 18.04.y regardless of the architecture. We don't touch nor deal with package relations. They are the same as upstream.


Thanks, Igor. 

I will make a test and see (don't have access to the device now). 

I read a lot and some say it might break, some say it won't.

12 hours ago, sfx2000 said:

 

They have a patch for OpenSSL 1.1x compatibility...

 

https://sourceforge.net/projects/hpnssh/

 

https://github.com/rapier1/openssh-portable

 

 

 

Yes, I see the patch for OpenSSL 1.1x compatibility, but I get errors when I apply the patch to OpenSSL. Don't know why. And the HPN-SSH patch should be applied after the OpenSSL patch? I'm not too familiar with patching. Did you manage to apply both patches and build OpenSSH?

 

I configured HPN-SSH successfully on my home and VPS servers running Ubuntu Server 16.04 LTS, and the performance is amazing, compared to stock SSH. I can fully max out my ISP upload, I have download speed over remote locations of around 10 MB/s, while on stock SSH it was 1-2,5 MB/s max. 

I'm using aes128-cb cipher now, but no noticeable difference with most ciphers. If a deprecated arcfour cipher is used, then it will give way less stress on SoC, still maintaining encryption, but not too secure. However, it depends on the use case, I stream hts from Tvheadend and want to keep some level of encryption on the stream and server-client communication.

 

But I really struggle with how to compile HPN-SSH on Armbian, and now I messed up the system and have no access (and it is on a remote location). Yeah, one should never mess with a system like this on a remote, non-VPS system :)

17 hours ago, gurabli said:

 

Yes, I see the patch for OpenSSL 1.1x compatibility, but I get errors when I apply the patch to OpenSSL. Don't know why. And the HPN-SSH patch should be applied after the OpenSSL patch? I'm not too familiar with patching. Did you manage to apply both patches and build OpenSSH?

 

But I really struggle with how to compile HPN-SSH on Armbian, and now I messed up the system and have no access (and it is on a remote location). Yeah, one should never mess with a system like this on a remote, non-VPS system :)

 

Lesson learned I suppose - one does not play lightly with OpenSSL/OpenSSH...

 

I don't think it's a good idea to attempt to downgrade OpenSSL on ARMBIAN from the current - mostly because of how deep OpenSSL is in general, and things that use it.


Yes, lesson learned for sure. I did consider this when I was working on it. Will have access to the device soon. 

 

I will need to configure (hardware) watchdog, I opened a thread about this. In this case watchdog wouldn't help me, but in many other cases certainly would.

 

Still, I don't get it why I couldn't patch OpenSSL 1.1. 

1 hour ago, gurabli said:

Still, I don't get it why I couldn't patch OpenSSL 1.1. 

 

Patches are usually against a specific version, and there's a number of 1.1 releases...

1 hour ago, sfx2000 said:

 

Patches are usually against a specific version, and there's a number of 1.1 releases...

Well, I think I mixed it up, I wanted to say patch OpenSSH. As the patch is required to be able to build OpenSSH against OpenSSL 1.1. Still, I apply the patch to the correct version of OpenSSH, and it fails.
