RE: patch for make depend, chacha
IMHO, that's a good call. If a 'broken' algorithm gets in, it tends to stay there for a very long time. DES_OLD, SHA0 are examples already in the OpenSSL code base. Something else that could easily be killed now. Pete-owner-openssl-...@openssl.org wrote: - To: "openssl-dev@openssl.org" openssl-dev@openssl.orgFrom: "Salz, Rich" <rs...@akamai.com> Sent by: owner-openssl-...@openssl.orgDate: 06/04/2014 02:31AM Subject: RE: patch for make depend, chacha Is there somebody working on it to get Chacha/Poly cipher suites production ready? It's expected that the way the ciphers are used will change as it goes through the IETF TLS group. Therefore, Google has not been encouraging folks to pick up and use these patches other than an "on your own" basis until after the they're done. (They == IETF and GOOG I suppose:) /r$-- Principal Security EngineerAkamai Technologies, Cambridge, MA IM: rs...@jabber.me; Twitter: RichSalz:I"rm(Z+7zZ)1xhW^^% j.+-1j:+vh __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: patch for make depend, chacha
Hi Peter and Rich, thx for your answer, I needed to decipher them first though ;-) (http://marc.info/?l=openssl-devm=140181264527042w=2, http://marc.info/?l=openssl-devm=140186408414195w=2). 1-2 points to this: If it's broken (@Peter) why is it in the git tree or why was it accepted? Google's server have Chacha/Poly in production, so has Chrome. So it would be cool to have something working within OpenSSL, also if it's not right now production ready. As of now it doesn't work -- at least not for me. Besides the minor make depend obstacle: If I start a server (s_server -accept 443 -www) and use s_client to connect, I see the server is offering the three 0xcc1{3-5} cipher suites, but both client and server throw error messages upon connect with each of those cipher suites. I maybe have a very selfish reason as I wrote a small shell script (https://testssl.sh/) testing cipher suites and other stuff, mostly using openssl. But I guess as it is deployed by google everywhere there are more important reasons to get it working within openssl, no? Cheers, Dirk On Tue, Jun 03, 2014 at 10:55:13AM +0200, Dirk Wetter wrote: Hi, pls see attached. Is there somebody working on it to get Chacha/Poly cipher suites production ready? Cheers, Dirk --- crypto/chacha/Makefile.orig 2014-06-03 10:49:51.082287334 +0200 +++ crypto/chacha/Makefile2014-06-03 10:50:07.496433689 +0200 @@ -21,7 +21,7 @@ APPS= LIB=$(TOP)/libcrypto.a -LIBSRC= +LIBSRC=chacha_vec.c LIBOBJ=$(CHACHA_ENC) SRC= $(LIBSRC) __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: patch for make depend, chacha
On Wed, Jun 4, 2014 at 8:35 AM, Dirk Wetter d...@testssl.sh wrote: If it's broken (@Peter) why is it in the git tree or why was it accepted? It would be best if that branch were dropped. It's not maintained and doesn't reflect the current spec. Cheers AGL __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
RE: patch for make depend, chacha
Is there somebody working on it to get Chacha/Poly cipher suites production ready? It's expected that the way the ciphers are used will change as it goes through the IETF TLS group. Therefore, Google has not been encouraging folks to pick up and use these patches other than an on your own basis until after the they're done. (They == IETF and GOOG I suppose:) /r$ -- Principal Security Engineer Akamai Technologies, Cambridge, MA IM: rs...@jabber.me; Twitter: RichSalz