
OpenSSL [NEW PATCH] Use ChaCha20+Poly1305 only if it is prioritized by the client - OpenSSL 1.1

Discussion in 'CentOS, Redhat & Oracle Linux News' started by bassie, Dec 8, 2017.

  1. bassie

    bassie Active Member

    OpenSSL 1.1.1dev has had official support for ChaCha cipher priority for a few days or so.

    With this ported patch, OpenSSL 1.1.0 will do the same.
    ChaCha20+Poly1305 will be used if it is the client's most preferred cipher and if it is used in ssl_ciphers in Nginx (position does not matter).

    OpenSSL 1.1.0G - Use ChaCha only if it is prioritized by the client - with fix.
    OpenSSL 1.1.0G - Use ChaCha only if it is prioritized by the client - vanilla.

    Nginx test ssl_ciphers: ssl_ciphers EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:EECDH+CHACHA20:!MD5;





    The upstream test suite and documentation code do not form part of this patch.
    The test suite won't work anyway, as OpenSSL is compiled with Nginx and not compiled or installed stand-alone.
    Therefore the documentation and the ChaCha cipher priority test suite are not included.

    Most Android devices are using the ChaCha draft (better known as Old_Chacha).
    The ChaCha draft was removed from the final OpenSSL 1.1 release.
    OpenSSL 1.1 only supports the final ChaCha standard.

    Please note that Nginx does not support SSL_OP_PRIORITIZE_CHACHA yet, only SSL_OP_CIPHER_SERVER_PREFERENCE.

    Therefore, attached is a second patch with the original source code plus a fix to select ChaCha if the client has ChaCha first and Nginx server cipher priority is used.

    I am not active in software development; this is pure mathematics and algorithmics.
    This contribution is therefore purely out of interest.

    Nothing more or less than that I have had fun.
    Last edited: Dec 8, 2017
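The selection rule described in the post above, as an added example that is not part of the original post or of the attached patch: a simplified C model that compares ciphers by name. The function choose_cipher and the cipher lists are hypothetical and constructed for illustration; the server list puts ChaCha last, as the ssl_ciphers line in the post does.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample lists (OpenSSL cipher names), in preference order.
   SERVER puts ChaCha last, as the ssl_ciphers line in the post does. */
static const char *const SERVER[] = { "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-CHACHA20-POLY1305" };
static const char *const SERVER_NO_CHACHA[] = { "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384" };
static const char *const MOBILE[] = { "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES128-GCM-SHA256" };
static const char *const DESKTOP[] = { "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305" };
#define LEN(a) (sizeof(a) / sizeof((a)[0]))

static int is_chacha(const char *name) { return strstr(name, "CHACHA20") != NULL; }

static int offered(const char *name, const char *const *list, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(list[i], name) == 0) return 1;
    return 0;
}

/* Hypothetical model of the selection rule; returns NULL if nothing is shared. */
const char *choose_cipher(const char *const *srv, size_t ns,
                          const char *const *cli, size_t nc) {
    /* Pass 0 runs only when the client's first cipher is ChaCha and looks at
       the server's ChaCha entries wherever they sit in the list.
       Pass 1 is ordinary server-preference order. */
    int pass = (nc > 0 && is_chacha(cli[0])) ? 0 : 1;
    for (; pass < 2; pass++)
        for (size_t i = 0; i < ns; i++) {
            if (pass == 0 && !is_chacha(srv[i])) continue;
            if (offered(srv[i], cli, nc)) return srv[i];
        }
    return NULL;
}

int main(void) {
    printf("mobile  -> %s\n", choose_cipher(SERVER, LEN(SERVER), MOBILE, LEN(MOBILE)));
    printf("desktop -> %s\n", choose_cipher(SERVER, LEN(SERVER), DESKTOP, LEN(DESKTOP)));
    printf("mobile, no server ChaCha -> %s\n",
           choose_cipher(SERVER_NO_CHACHA, LEN(SERVER_NO_CHACHA), MOBILE, LEN(MOBILE)));
    return 0;
}
```

A client that lists ChaCha first gets ChaCha even though the server ranks it last; any other client gets the server's normal first match.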
  2. eva2000

    eva2000 Administrator Staff Member

    Thanks for sharing and providing the info/heads up. Will take some time for me to digest as I haven't been online as much this past week heh