Add support for equal preference cipher groups about portable HOT 10 OPEN

Unless you use SSL_OP_CIPHER_SERVER_PREFERENCE, the first matching cipher based on the client's preference should be used - are you suggesting this is not the case?

That said, it is currently true that a LibreSSL client will prefer ChaCha20-Poly1305 to any other cipher suite.

from portable.

When not explicitly using SSL_OP_CIPHER_SERVER_PREFERENCE, the client decides which of server's supported cipher suites he wants to use. Generally speaking, it's a very bad idea to leave that task to the client.
We assume that the server administrator will be much faster to react when it comes to new flaws in cipher suites. That's why the first thing you want/have to do if you set up a secure web server is to enable SSL_OP_CIPHER_SERVER_PREFERENCE.
Also see Mitigating the BEAST attack on TLS: http://www.net-security.org/article.php?id=1638

I really like BoringSSL's approach to equally group ciphers.
A server should be able to let a client decide which cipher suite to use iff the server lists multiple ciphers as equally secure.

Are there plans to support group-like cipherlists in the near future?

from portable.

CloudFlares approach is a hack, I like the BoringSSL equal-preference groups approach. I'm crossing fingers that LibreSSL picks this up too, if so then I can stop using BoringSSL :)

It's described in more detail here: include/openssl/ssl.h#638

Rationale and blog posts:
https://www.imperialviolet.org/2014/02/27/tlssymmetriccrypto.html
https://www.zeitgeist.se/2014/08/23/optimize-aes-and-chacha20-usage-with-boringssl/

from portable.

Since r1.81 of ssl_ciph.c, AES has been preferred over Chacha20+Poly1305, if the host has hardware support for AES. That said, we're still looking at supporting equal preference groups.

from portable.

👍 Also see this commit: libressl/openbsd@1958d57
Anyway, imo this is just a hack until we get support for equal-preference ciphersuite groups.

I've just recompiled nginx + libressl (r 1.83 of ssl_ciph.c), but my AES-NI capable server still uses CHACHA20_POLY1305.. What am I doing wrong?
EDIT:
Turns out this change only prefers AES suites in the output of openssl ciphers.
nginx' ssl_ciphers directive overwrites this preference, of course. Stupid me.

from portable.

We assume that the server administrator will be much faster to react when it comes to new flaws in cipher suites. That's why the first thing you want/have to do if you set up a secure web server is to enable SSL_OP_CIPHER_SERVER_PREFERENCE.

History disproves the hypothesis; See below.

Also see Mitigating the BEAST attack on TLS: http://www.net-security.org/article.php?id=1638

Then many lazy server administrators left their servers RC4-preferred or even RC4-only even after 1/n-1 record splitting mitigated the BEAST and many attacks to RC4 are reported.

from portable.

Do we have any update or ETA on this feature ?

from portable.

I'd love to know the status of this as well.

from portable.

btw: nginx now supports setting arbitrary SSL_CONF_cmd options, e.g. PrioritizeChaCha. See nginx/nginx@ac9c162

from portable.

btw: nginx now supports setting arbitrary SSL_CONF_cmd options, e.g. PrioritizeChaCha. See nginx/nginx@ac9c162

Great! Should be released on 27/10/2020 with nginx 1.19.4 release: https://trac.nginx.org/nginx/milestone/nginx-1.19.4.

from portable.