From: ummeegge <ummeegge@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] OpenSSL_update: Update to version 1.1.1a
Date: Mon, 11 Feb 2019 09:52:27 +0100 [thread overview]
Message-ID: <161805aa58cc9c071780428082141dc699764640.camel@ipfire.org> (raw)
In-Reply-To: <a3044a33-1dff-be6a-621d-ebdbe4527900@link38.eu>
[-- Attachment #1: Type: text/plain, Size: 6026 bytes --]
Hi all,
On Fr, 2019-01-18 at 18:06 +0100, Peter Müller wrote:
> Hello,
>
> just for the records some explanations on this patch:
> (a) Chacha/Poly is faster on devices without built-in AES
> acceleration.
> Since it provides the same strength as AES, I usually prefer it
> except
> for _very_ high bandwidth requirements.
> (b) At the moment, there seems to be little support of AESCCM, so I
> disabled it for now in order to keep our ciphersuite zoo smaller. :-)
> If there is any need to enable it, I will update the patch
> accordingly.
it seems that unbound uses AES-CCM. With version 1.9.0 which Matthias
has already pushed, some new directives for DoT has been introduced.
Please take a look to unbound example configurations -->
https://github.com/NLnetLabs/unbound/blob/master/doc/example.conf.in
under "cipher setting for TLSv1.3" .
So it might be an idea to enable AESCCM !?
>
> I am happy this made its way into IPFire. :-)
>
> Updated add-on versions for Postfix and Tor will come soon, at the
> moment, I am somewhat busy with libloc, Suricata and the ORANGE
> default
> firewall behaviour.
>
> Thanks, and best regards,
> Peter Müller
>
> >
> > Even i use the old patch i am a happy tester with 64 bit since one
> > month + :-).
> >
> > The difference between old and new patch (from Peter) are not that
> > vast
> > and they looks like this:
> >
> > --- OpenSSL-1.1.1a_old_patch 2019-01-13 18:15:33.316651666
> > +0100
> > +++ OpenSSL-1.1.1a-new_patch 2019-01-13 18:16:22.008650232
> > +0100
> > @@ -1,31 +1,23 @@
> > -TLS_AES_256_GCM_SHA384 TLSv1.3
> > Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
> > TLS_CHACHA20_POLY1305_SHA256 TLSv1.3
> > Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
> > +TLS_AES_256_GCM_SHA384 TLSv1.3
> > Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
> > TLS_AES_128_GCM_SHA256 TLSv1.3
> > Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
> > -ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA
> > Enc=AESGCM(256) Mac=AEAD
> > ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA
> > Enc=CHACHA20/POLY1305(256) Mac=AEAD
> > -ECDHE-ECDSA-AES256-CCM8 TLSv1.2 Kx=ECDH Au=ECDSA
> > Enc=AESCCM8(256) Mac=AEAD
> > -ECDHE-ECDSA-AES256-CCM TLSv1.2 Kx=ECDH Au=ECDSA
> > Enc=AESCCM(256) Mac=AEAD
> > +ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA
> > Enc=AESGCM(256) Mac=AEAD
> > ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA
> > Enc=AESGCM(128) Mac=AEAD
> > -ECDHE-ECDSA-AES128-CCM8 TLSv1.2 Kx=ECDH Au=ECDSA
> > Enc=AESCCM8(128) Mac=AEAD
> > -ECDHE-ECDSA-AES128-CCM TLSv1.2 Kx=ECDH Au=ECDSA
> > Enc=AESCCM(128) Mac=AEAD
> > ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA
> > Enc=AES(256) Mac=SHA384
> > ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA
> > Enc=Camellia(256) Mac=SHA384
> > ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA
> > Enc=AES(128) Mac=SHA256
> > ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA
> > Enc=Camellia(128) Mac=SHA256
> > -ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2
> > Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
> > ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2
> > Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
> > +ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2
> > Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
> > ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
> > Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
> > ECDHE-RSA-AES256-SHA384 TLSv1.2
> > Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
> > ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2
> > Kx=ECDH Au=RSA Enc=Camellia(256) Mac=SHA384
> > ECDHE-RSA-AES128-SHA256 TLSv1.2
> > Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
> > ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2
> > Kx=ECDH Au=RSA Enc=Camellia(128) Mac=SHA256
> > -DHE-RSA-AES256-GCM-SHA384 TLSv1.2
> > Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
> > DHE-RSA-CHACHA20-POLY1305 TLSv1.2
> > Kx=DH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
> > -DHE-RSA-AES256-CCM8 TLSv1.2
> > Kx=DH Au=RSA Enc=AESCCM8(256) Mac=AEAD
> > -DHE-RSA-AES256-CCM TLSv1.2
> > Kx=DH Au=RSA Enc=AESCCM(256) Mac=AEAD
> > +DHE-RSA-AES256-GCM-SHA384 TLSv1.2
> > Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
> > DHE-RSA-AES128-GCM-SHA256 TLSv1.2
> > Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
> > -DHE-RSA-AES128-CCM8 TLSv1.2
> > Kx=DH Au=RSA Enc=AESCCM8(128) Mac=AEAD
> > -DHE-RSA-AES128-CCM TLSv1.2
> > Kx=DH Au=RSA Enc=AESCCM(128) Mac=AEAD
> > DHE-RSA-AES256-SHA256 TLSv1.2
> > Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
> > DHE-RSA-CAMELLIA256-SHA256 TLSv1.2
> > Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA256
> > DHE-RSA-AES128-SHA256 TLSv1.2
> > Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
> > @@ -37,14 +29,9 @@
> > DHE-RSA-AES256-SHA SSLv3
> > Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
> > DHE-RSA-CAMELLIA256-SHA SSLv3
> > Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
> > DHE-RSA-AES128-SHA SSLv3
> > Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
> > -DHE-RSA-SEED-SHA SSLv3 Kx=DH Au=RSA Enc=SEED(128)
> > Mac=SHA1
> > DHE-RSA-CAMELLIA128-SHA SSLv3
> > Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
> > AES256-GCM-SHA384 TLSv1.2
> > Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
> > -AES256-CCM8 TLSv1.2
> > Kx=RSA Au=RSA Enc=AESCCM8(256) Mac=AEAD
> > -AES256-CCM TLSv1.2
> > Kx=RSA Au=RSA Enc=AESCCM(256) Mac=AEAD
> > AES128-GCM-SHA256 TLSv1.2
> > Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
> > -AES128-CCM8 TLSv1.2
> > Kx=RSA Au=RSA Enc=AESCCM8(128) Mac=AEAD
> > -AES128-CCM TLSv1.2
> > Kx=RSA Au=RSA Enc=AESCCM(128) Mac=AEAD
> > AES256-SHA256 TLSv1.2
> > Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
> > CAMELLIA256-SHA256 TLSv1.2
> > Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA256
> > AES128-SHA256 TLSv1.2
> > Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
> >
> > So mostly changes are causing by the disabled AES-CCM.
> >
Best,
Erik
next prev parent reply other threads:[~2019-02-11 8:52 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-09 14:21 Erik Kapfer
2019-01-09 16:39 ` Michael Tremer
2019-01-09 16:59 ` ummeegge
2019-01-09 17:18 ` Michael Tremer
2019-01-09 18:33 ` ummeegge
2019-01-14 18:03 ` Peter Müller
2019-01-15 14:48 ` ummeegge
2019-01-18 15:09 ` Michael Tremer
2019-01-18 16:45 ` ummeegge
2019-01-18 17:06 ` Peter Müller
2019-01-18 17:35 ` ummeegge
2019-01-22 14:19 ` Michael Tremer
2019-02-11 8:52 ` ummeegge [this message]
2019-02-13 11:35 ` Michael Tremer
2019-01-13 17:44 ` [PATCH v2] OpenSSL: " Erik Kapfer
2019-01-15 14:43 ` [PATCH v3] openssl: " Erik Kapfer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=161805aa58cc9c071780428082141dc699764640.camel@ipfire.org \
--to=ummeegge@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox