Re: LibReSSL CHACHA20/POLY1305

2014-11-14 Thread Renaud Allard
On 14/11/14 13:28, Jérémie Courrèges-Anglas wrote:
> Renaud Allard  writes:
>
>> On 11/14/2014 10:12 AM, Jonathan Gray wrote:
>>>> Now openssl ciphers CHACHA20 works as intended
>>>> # openssl ciphers CHACHA20
>>>> ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305
>>> This is already present in rev 1.68/-current
>>> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/ssl/ssl_ciph.c.diff?r2=1.68&r1=1.67&f=u
>>>
>>>
>> So now, I have set in nginx.conf this
>>  ssl_ciphers !aNULL:AES256:AES128:CHACHA20:@STRENGTH;
>>
>> But using sslscan, I still get:
>>  Failed  TLSv1  256 bits  ECDHE-ECDSA-CHACHA20-POLY1305
> I guess it means that you didn't feed nginx an ECDSA cert.
>
It seems that the problem is in sslscan itself. When I use Qualys SSL
labs to test, it successfully lists CHACHA20 ciphers.




Re: LibReSSL CHACHA20/POLY1305

2014-11-14 Thread Renaud Allard

On 11/14/2014 01:28 PM, Jérémie Courrèges-Anglas wrote:

> Renaud Allard  writes:
>
>> On 11/14/2014 10:12 AM, Jonathan Gray wrote:
>>>> Now openssl ciphers CHACHA20 works as intended
>>>> # openssl ciphers CHACHA20
>>>> ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305
>>>
>>> This is already present in rev 1.68/-current
>>> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/ssl/ssl_ciph.c.diff?r2=1.68&r1=1.67&f=u
>>
>> So now, I have set in nginx.conf this
>>  ssl_ciphers !aNULL:AES256:AES128:CHACHA20:@STRENGTH;
>>
>> But using sslscan, I still get:
>>  Failed  TLSv1  256 bits  ECDHE-ECDSA-CHACHA20-POLY1305
>
> I guess it means that you didn't feed nginx an ECDSA cert.


OK, indeed, but those ones are also failing:
Failed  TLSv1  256 bits  ECDHE-RSA-CHACHA20-POLY1305
Failed  TLSv1  256 bits  DHE-RSA-CHACHA20-POLY1305

And that one is working:
Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA



Re: LibReSSL CHACHA20/POLY1305

2014-11-14 Thread Jérémie Courrèges-Anglas
Renaud Allard  writes:

> On 11/14/2014 10:12 AM, Jonathan Gray wrote:
>>>
>>> Now openssl ciphers CHACHA20 works as intended
>>> # openssl ciphers CHACHA20
>>> ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305
>>
>> This is already present in rev 1.68/-current
>> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/ssl/ssl_ciph.c.diff?r2=1.68&r1=1.67&f=u
>>
>>
> So now, I have set in nginx.conf this
> ssl_ciphers !aNULL:AES256:AES128:CHACHA20:@STRENGTH;
>
> But using sslscan, I still get:
> Failed  TLSv1  256 bits  ECDHE-ECDSA-CHACHA20-POLY1305

I guess it means that you didn't feed nginx an ECDSA cert.

> Is that somewhere else?


-- 
jca | PGP: 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE



Re: LibReSSL CHACHA20/POLY1305

2014-11-14 Thread Renaud Allard

On 11/14/2014 10:12 AM, Jonathan Gray wrote:


>> Now openssl ciphers CHACHA20 works as intended
>> # openssl ciphers CHACHA20
>> ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305
>
> This is already present in rev 1.68/-current
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/ssl/ssl_ciph.c.diff?r2=1.68&r1=1.67&f=u



So now, I have set in nginx.conf this
ssl_ciphers !aNULL:AES256:AES128:CHACHA20:@STRENGTH;

But using sslscan, I still get:
Failed  TLSv1  256 bits  ECDHE-ECDSA-CHACHA20-POLY1305

Is that somewhere else?



Re: LibReSSL CHACHA20/POLY1305

2014-11-14 Thread Jonathan Gray
On Fri, Nov 14, 2014 at 10:04:16AM +0100, Renaud Allard wrote:
> Hello,
> 
> On 11/14/2014 09:04 AM, Renaud Allard wrote:
> >Hello,
> >
> >I am trying this on 5.6-stable.
> >Is there a way to list all POLY1305/CHACHA20 based ciphers which are
> >enabled?
> >
> >For example, if I try with RSA:
> ># openssl ciphers RSA
> >AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:IDEA-CBC-SHA:RC4-SHA:RC4-MD5:DES-CBC3-SHA:DES-CBC-SHA:NULL-SHA256:NULL-SHA:NULL-MD5
> >
> >
> >But with the others:
> ># openssl ciphers POLY1305
> >Error in cipher list
> >1082963419196:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:/usr/src/lib/libssl/ssl/../../libssl/src/ssl/ssl_lib.c:1312:
> ># openssl ciphers CHACHA20
> >Error in cipher list
> >32850802282556:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:/usr/src/lib/libssl/ssl/../../libssl/src/ssl/ssl_lib.c:1312:
> >
> >However, trying something like this works:
> ># openssl ciphers  ECDHE-ECDSA-CHACHA20-POLY1305
> >ECDHE-ECDSA-CHACHA20-POLY1305
> >
> >The idea is to be able to enable them in configuration files of services
> >without having to list them all by hand (which might change).
> >
> >Thanks
> >
> >
> 
> Replying to my own mail...
> 
> Here is a patch:
> --- lib/libssl/src/ssl/ssl_ciph.c.old   Fri Nov 14 09:30:56 2014
> +++ lib/libssl/src/ssl/ssl_ciph.c   Fri Nov 14 09:49:47 2014
> @@ -433,6 +433,10 @@
> .name = SSL_TXT_CAMELLIA,
> .algorithm_enc = SSL_CAMELLIA128|SSL_CAMELLIA256,
> },
> +   {
> +   .name = SSL_TXT_CHACHA20,
> +   .algorithm_enc = SSL_CHACHA20POLY1305,
> +   },
> 
> /* MAC aliases */
> {
> 
> 
> Now openssl ciphers CHACHA20 works as intended
> # openssl ciphers CHACHA20
> ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305

This is already present in rev 1.68/-current
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/ssl/ssl_ciph.c.diff?r2=1.68&r1=1.67&f=u



Re: LibReSSL CHACHA20/POLY1305

2014-11-14 Thread Renaud Allard

Hello,

On 11/14/2014 09:04 AM, Renaud Allard wrote:

> Hello,
>
> I am trying this on 5.6-stable.
> Is there a way to list all POLY1305/CHACHA20 based ciphers which are
> enabled?
>
> For example, if I try with RSA:
> # openssl ciphers RSA
> AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:IDEA-CBC-SHA:RC4-SHA:RC4-MD5:DES-CBC3-SHA:DES-CBC-SHA:NULL-SHA256:NULL-SHA:NULL-MD5
>
> But with the others:
> # openssl ciphers POLY1305
> Error in cipher list
> 1082963419196:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:/usr/src/lib/libssl/ssl/../../libssl/src/ssl/ssl_lib.c:1312:
> # openssl ciphers CHACHA20
> Error in cipher list
> 32850802282556:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:/usr/src/lib/libssl/ssl/../../libssl/src/ssl/ssl_lib.c:1312:
>
> However, trying something like this works:
> # openssl ciphers  ECDHE-ECDSA-CHACHA20-POLY1305
> ECDHE-ECDSA-CHACHA20-POLY1305
>
> The idea is to be able to enable them in configuration files of services
> without having to list them all by hand (which might change).
>
> Thanks




Replying to my own mail...

Here is a patch:
--- lib/libssl/src/ssl/ssl_ciph.c.old   Fri Nov 14 09:30:56 2014
+++ lib/libssl/src/ssl/ssl_ciph.c   Fri Nov 14 09:49:47 2014
@@ -433,6 +433,10 @@
.name = SSL_TXT_CAMELLIA,
.algorithm_enc = SSL_CAMELLIA128|SSL_CAMELLIA256,
},
+   {
+   .name = SSL_TXT_CHACHA20,
+   .algorithm_enc = SSL_CHACHA20POLY1305,
+   },

/* MAC aliases */
{
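Review bot: the new alias entry answers only half of the quoted question; `openssl ciphers POLY1305` still ends in "no cipher match" after this hunk because no alias is added for that keyword, and the test at the end of the mail only exercises CHACHA20. Either add a second entry for the POLY1305 keyword mapping to the same `SSL_CHACHA20POLY1305` bit, or state that CHACHA20 is the only supported keyword. The entry also relies on `SSL_TXT_CHACHA20` being defined in the public header next to `SSL_TXT_CAMELLIA`; the diff does not show that definition, so confirm it exists in the 5.6-stable tree this targets before applying, otherwise the build breaks.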


Now openssl ciphers CHACHA20 works as intended
# openssl ciphers CHACHA20
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305
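The question that opens the thread (a keyword for the ChaCha20 suites) and the alias patch both come down to how a cipher string is resolved against the alias table. The model below is an added example, not LibreSSL's code; its suite list and alias table are constructed from the suites named in the thread, and kx/auth/enc are my own labels for the library's algorithm bitmasks. In the model an unknown keyword selects nothing, so the error appears only when the whole string resolves to an empty list, which is what the `no cipher match` output above shows; the nginx string `!aNULL:AES256:AES128:CHACHA20:@STRENGTH` therefore quietly loses the ChaCha20 suites on a table without the alias.

```python
"""Toy model of cipher-string resolution in LibreSSL/OpenSSL.  Constructed
example, not the library's code: a suite has one value per algorithm
category; an alias lists the values it accepts; a suite matches an alias
when every category the alias names agrees."""
from collections import namedtuple

# name, key exchange, authentication ("NULL" is what aNULL selects), bulk cipher, bits
Suite = namedtuple("Suite", "name kx auth enc bits")

SUITES = [  # constructed subset of the suites named in the thread
    Suite("ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE", "ECDSA", "CHACHA20POLY1305", 256),
    Suite("ECDHE-RSA-CHACHA20-POLY1305", "ECDHE", "RSA", "CHACHA20POLY1305", 256),
    Suite("DHE-RSA-CHACHA20-POLY1305", "DHE", "RSA", "CHACHA20POLY1305", 256),
    Suite("ECDHE-RSA-AES256-SHA", "ECDHE", "RSA", "AES256", 256),
    Suite("AES128-GCM-SHA256", "RSA", "RSA", "AES128", 128),
    Suite("ADH-AES256-SHA", "DHE", "NULL", "AES256", 256),
]

ALIASES = {  # alias table as on 5.6-stable: no CHACHA20 keyword
    "RSA": {"kx": {"RSA"}, "auth": {"RSA"}},
    "aNULL": {"auth": {"NULL"}},
    "AES256": {"enc": {"AES256"}},
    "AES128": {"enc": {"AES128"}},
}
# The thread's patch adds exactly this one entry (POLY1305 still has none).
ALIASES_PATCHED = {**ALIASES, "CHACHA20": {"enc": {"CHACHA20POLY1305"}}}

def select(word, aliases):
    """Suites one keyword selects: alias match, or an exact suite name."""
    if word in aliases:
        return [s for s in SUITES
                if all(getattr(s, cat) in ok for cat, ok in aliases[word].items())]
    return [s for s in SUITES if s.name == word]  # unknown word: nothing

def ciphers(spec, aliases=ALIASES):
    """Resolve a cipher string; fail like SSL_CTX_set_cipher_list if nothing is left."""
    chosen, killed = [], set()
    for word in spec.split(":"):
        if word == "@STRENGTH":       # stable sort, strongest first
            chosen.sort(key=lambda s: -s.bits)
        elif word.startswith("!"):    # kill: dropped now and never re-added
            killed |= {s.name for s in select(word[1:], aliases)}
            chosen = [s for s in chosen if s.name not in killed]
        else:
            chosen += [s for s in select(word, aliases)
                       if s.name not in killed and s not in chosen]
    if not chosen:
        raise ValueError("no cipher match")
    return [s.name for s in chosen]
```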



LibReSSL CHACHA20/POLY1305

2014-11-14 Thread Renaud Allard

Hello,

I am trying this on 5.6-stable.
Is there a way to list all POLY1305/CHACHA20 based ciphers which are 
enabled?


For example, if I try with RSA:
# openssl ciphers RSA
AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:IDEA-CBC-SHA:RC4-SHA:RC4-MD5:DES-CBC3-SHA:DES-CBC-SHA:NULL-SHA256:NULL-SHA:NULL-MD5

But with the others:
# openssl ciphers POLY1305
Error in cipher list
1082963419196:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:/usr/src/lib/libssl/ssl/../../libssl/src/ssl/ssl_lib.c:1312:

# openssl ciphers CHACHA20
Error in cipher list
32850802282556:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:/usr/src/lib/libssl/ssl/../../libssl/src/ssl/ssl_lib.c:1312:


However, trying something like this works:
# openssl ciphers  ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-ECDSA-CHACHA20-POLY1305

The idea is to be able to enable them in configuration files of services 
without having to list them all by hand (which might change).


Thanks