From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] OpenSSL: drop preferring of Chacha20/Poly1305 over AES-GCM
Date: Mon, 04 Nov 2019 18:27:51 +0000 [thread overview]
Message-ID: <BE70D812-5B9C-4438-838E-6961733EE23D@ipfire.org> (raw)
In-Reply-To: <04de0dcf-7bb6-6075-2681-56e541e153fd@ipfire.org>
Hi,
Acked-by: Michael Tremer <michael.tremer(a)ipfire.org>
> On 4 Nov 2019, at 18:24, peter.mueller(a)ipfire.org wrote:
>
> As hardware acceleration for AES is emerging (Fireinfo indicates
> 30.98% of reporting installations support this, compared to
> 28.22% in summer), there is no more reason to manually prefer
> Chacha20/Poly1305 over it.
>
> Further, overall performance is expected to increase as server
> CPUs usually come with AES-NI today, where Chacha/Poly would
> be an unnecessary bottleneck. Small systems without AES-NI,
> however, compute Chacha/Poly measurably, but not significantly, faster,
> so there was only a small advantage to this.
I would like to highlight that practically all mobile phones have AES-NI as well and that we do not have any applications here which have very heavy encryption load where this could not be changed to something that would suit the used hardware better.
>
> This patch changes the OpenSSL default ciphersuite to:
>
> TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
> TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
> TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
> ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
> ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
> ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
> ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
> ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
> ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
> ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
> ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=Camellia(256) Mac=SHA384
> ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
> ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=Camellia(256) Mac=SHA384
> ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
> ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=Camellia(128) Mac=SHA256
> ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
> ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=Camellia(128) Mac=SHA256
> DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
> DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
> DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
> DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
> DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA256
> DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
> DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA256
> ECDHE-ECDSA-AES256-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
> ECDHE-ECDSA-AES128-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
> ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
> ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
> DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
> DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
> DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
> DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
> AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
> AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
> AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
> CAMELLIA256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA256
> AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
> CAMELLIA128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA256
> AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
> CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
> AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
> CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
>
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> lfs/openssl | 2 +-
> src/patches/openssl-1.1.1c-default-cipherlist.patch | 18 ------------------
> src/patches/openssl-1.1.1d-default-cipherlist.patch | 11 +++++++++++
> 3 files changed, 12 insertions(+), 19 deletions(-)
> delete mode 100644 src/patches/openssl-1.1.1c-default-cipherlist.patch
> create mode 100644 src/patches/openssl-1.1.1d-default-cipherlist.patch
>
> diff --git a/lfs/openssl b/lfs/openssl
> index f5aa7c3f9..8d978f171 100644
> --- a/lfs/openssl
> +++ b/lfs/openssl
> @@ -117,7 +117,7 @@ $(subst %,%_MD5,$(objects)) :
> $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> @$(PREBUILD)
> @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
> - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.1.1c-default-cipherlist.patch
> + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.1.1d-default-cipherlist.patch
>
> # Apply our CFLAGS
> cd $(DIR_APP) && sed -i Configure \
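Review bot: the lfs/openssl rule still hardcodes a version-pinned patch name, so every OpenSSL point release forces a rename of the patch file plus an edit of this `patch -Np1` line, which is exactly what this change (1.1.1c to 1.1.1d) had to do. The patch only touches a `#define` in include/openssl/ssl.h and would apply unchanged across 1.1.1 point releases; a version-independent name such as openssl-default-cipherlist.patch would make the next bump a one-file change. The diffstat shows no other edit to lfs/openssl, so check that the VER bump to 1.1.1d is already in tree, otherwise this rule unpacks a 1.1.1c tarball and applies a patch whose context was taken from 1.1.1d.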
> diff --git a/src/patches/openssl-1.1.1c-default-cipherlist.patch b/src/patches/openssl-1.1.1c-default-cipherlist.patch
> deleted file mode 100644
> index 72f6ce3b1..000000000
> --- a/src/patches/openssl-1.1.1c-default-cipherlist.patch
> +++ /dev/null
> @@ -1,18 +0,0 @@
> -diff -Naur openssl-1.1.1c.orig/include/openssl/ssl.h openssl-1.1.1c/include/openssl/ssl.h
> ---- openssl-1.1.1c.orig/include/openssl/ssl.h 2019-06-10 20:41:21.209140012 +0200
> -+++ openssl-1.1.1c/include/openssl/ssl.h 2019-06-10 20:42:26.733973129 +0200
> -@@ -170,11 +170,11 @@
> - * an application-defined cipher list string starts with 'DEFAULT'.
> - * This applies to ciphersuites for TLSv1.2 and below.
> - */
> --# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
> -+# define SSL_DEFAULT_CIPHER_LIST "CHACHA20:HIGH:+aRSA:+SHA384:+SHA256:+DH:+SHA:+kRSA:!eNULL:!aNULL:!PSK:!SRP:!AESCCM:!DSS"
> - /* This is the default set of TLSv1.3 ciphersuites */
> - # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
> --# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
> -- "TLS_CHACHA20_POLY1305_SHA256:" \
> -+# define TLS_DEFAULT_CIPHERSUITES "TLS_CHACHA20_POLY1305_SHA256:" \
> -+ "TLS_AES_256_GCM_SHA384:" \
> - "TLS_AES_128_GCM_SHA256"
> - # else
> - # define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
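Review bot: the deleted 1.1.1c patch changed two things, the `CHACHA20:` prefix on SSL_DEFAULT_CIPHER_LIST and the order of TLS_DEFAULT_CIPHERSUITES (TLS_CHACHA20_POLY1305_SHA256 ahead of TLS_AES_256_GCM_SHA384), so removing it reverts both, while the commit message discusses only the cipher list. State explicitly that the TLS 1.3 default order also returns to upstream's, since that is what every TLS 1.3 peer will actually negotiate; the cipher list string has no effect on TLS 1.3 suites.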
> diff --git a/src/patches/openssl-1.1.1d-default-cipherlist.patch b/src/patches/openssl-1.1.1d-default-cipherlist.patch
> new file mode 100644
> index 000000000..5ad7829e7
> --- /dev/null
> +++ b/src/patches/openssl-1.1.1d-default-cipherlist.patch
> @@ -0,0 +1,11 @@
> +--- openssl-1.1.1d.orig/include/openssl/ssl.h 2019-11-04 19:13:08.801905796 +0100
> ++++ openssl-1.1.1d/include/openssl/ssl.h 2019-11-04 19:14:05.229896747 +0100
> +@@ -170,7 +170,7 @@
> + * an application-defined cipher list string starts with 'DEFAULT'.
> + * This applies to ciphersuites for TLSv1.2 and below.
> + */
> +-# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
> ++# define SSL_DEFAULT_CIPHER_LIST "HIGH:+aRSA:+SHA384:+SHA256:+DH:+SHA:+kRSA:!eNULL:!aNULL:!PSK:!SRP:!AESCCM:!DSS"
> + /* This is the default set of TLSv1.3 ciphersuites */
> + # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
> + # define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
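Review bot: this hunk leaves TLS_DEFAULT_CIPHERSUITES at upstream's order with TLS_AES_256_GCM_SHA384 first, but the ciphersuite list in the commit message starts with TLS_CHACHA20_POLY1305_SHA256, which is the order of the old 1.1.1c patch; one of the two is stale, and the list should be regenerated from a build with this patch applied. Worth a sentence in the commit message as well: `+kRSA` and `+SHA` only demote static-RSA key exchange and HMAC-SHA1 suites to the end of the list (AES256-SHA, CAMELLIA128-SHA and the other entries with Kx=RSA or Mac=SHA1 above), they do not remove them, so a client that offers only those still gets a connection without forward secrecy.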
> --
> 2.16.4
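A way to check what a cipher string such as the one in this patch actually enables on a given OpenSSL build, as an added example that is not part of the thread or of IPFire's or OpenSSL's own code: it expands the old and new SSL_DEFAULT_CIPHER_LIST values through Python's standard ssl module, parses the resulting `openssl ciphers -v` style descriptions (a few lines copied from the commit message serve as a fixed, constructed sample input), and reports what the `+` rules keep rather than remove. The function names and the audit rules are this example's own assumptions; the cipher strings and sample lines come from the patch and commit message.

```python
"""Audit OpenSSL cipher strings via the standard library's ssl module.

Added example for the SSL_DEFAULT_CIPHER_LIST change in the thread; not
IPFire or OpenSSL code.  The two cipher strings and SAMPLE_CIPHERS are taken
from the patch and commit message; function names and audit rules are ours.
Live results depend on the OpenSSL build Python is linked against, which is
the point: audit the expanded list, not the string.
"""
import ssl

# SSL_DEFAULT_CIPHER_LIST before (1.1.1c patch) and after (1.1.1d patch).
OLD_CIPHER_LIST = ("CHACHA20:HIGH:+aRSA:+SHA384:+SHA256:+DH:+SHA:+kRSA:"
                   "!eNULL:!aNULL:!PSK:!SRP:!AESCCM:!DSS")
NEW_CIPHER_LIST = ("HIGH:+aRSA:+SHA384:+SHA256:+DH:+SHA:+kRSA:"
                   "!eNULL:!aNULL:!PSK:!SRP:!AESCCM:!DSS")

# Constructed sample: `openssl ciphers -v` lines copied from the commit
# message, so the audit rules can be exercised without a live OpenSSL.
SAMPLE_CIPHERS = """\
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
"""


def parse_description(line):
    """Parse one `openssl ciphers -v` line into a dict with keys
    name, protocol, Kx, Au, Enc, Mac."""
    name, protocol, *fields = line.split()
    info = {"name": name, "protocol": protocol}
    for field in fields:
        key, _, value = field.partition("=")
        info[key] = value
    return info


def expand_cipher_list(cipher_string):
    """TLS 1.2-and-below ciphers enabled by cipher_string, in preference
    order, as parsed descriptions from the OpenSSL Python is linked against.
    TLS 1.3 suites are dropped: OpenSSL configures those separately
    (TLS_DEFAULT_CIPHERSUITES / SSL_CTX_set_ciphersuites), so a cipher
    string never reorders them, whatever the old CHACHA20: prefix suggested."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # ssl.SSLError if nothing matches
    return [parse_description(c["description"]) for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"]


def chacha_before_aesgcm(ciphers):
    """True if a ChaCha20-Poly1305 suite precedes every AES-GCM suite, False
    if AES-GCM comes first, None if the list lacks one of the two."""
    chacha = [i for i, c in enumerate(ciphers) if c["Enc"].startswith("CHACHA20")]
    aesgcm = [i for i, c in enumerate(ciphers) if c["Enc"].startswith("AESGCM")]
    if not chacha or not aesgcm:
        return None
    return min(chacha) < min(aesgcm)


def audit(ciphers):
    """Summarise what a parsed cipher list really enables.  The '+' rules in
    a cipher string only demote suites to the end; they never remove them."""
    return {
        "first": ciphers[0]["name"] if ciphers else None,
        "chacha_first": chacha_before_aesgcm(ciphers),
        # +kRSA: static RSA key exchange survives (no forward secrecy).
        "static_rsa_kx": [c["name"] for c in ciphers if c["Kx"] == "RSA"],
        # +SHA: HMAC-SHA1 suites survive.
        "sha1_mac": [c["name"] for c in ciphers if c["Mac"] == "SHA1"],
        # !aNULL / !eNULL: must be empty, or the string is broken.
        "anonymous_or_null": [c["name"] for c in ciphers
                              if c["Au"] == "None" or c["Enc"] == "None"],
    }


def audit_cipher_string(cipher_string):
    """Expand a cipher string on the local OpenSSL and audit the result."""
    return audit(expand_cipher_list(cipher_string))


def audit_sample():
    """Audit the fixed sample lines (no OpenSSL call involved)."""
    return audit([parse_description(l) for l in SAMPLE_CIPHERS.splitlines()])


if __name__ == "__main__":
    for label, cs in (("old", OLD_CIPHER_LIST), ("new", NEW_CIPHER_LIST)):
        r = audit_cipher_string(cs)
        print(f"{label}: first={r['first']} chacha_first={r['chacha_first']}")
        print(f"     static RSA kx: {len(r['static_rsa_kx'])}, "
              f"SHA1 MAC: {len(r['sha1_mac'])}, null: {len(r['anonymous_or_null'])}")
```

Run stand-alone it prints, for the local OpenSSL, whether the old string really puts a ChaCha20 suite first and the new one an AES-GCM suite, and how many static-RSA and SHA-1 suites each still leaves enabled. The sample audit is deterministic and shows the same thing on the commit message's own lines: `+kRSA` and `+SHA` keep AES128-GCM-SHA256 (Kx=RSA) and the SHA1-MAC suites, only at the tail of the list.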