[issue27766] Add ChaCha20 Poly1305 to SSL ciphers

2016-09-24 Thread Christian Heimes
Changes by Christian Heimes:
--
dependencies: -ssl: get CPU cap flags for AESNI and PCLMULQDQ
resolution: -> fixed
stage: commit review -> resolved
status: open -> closed

[issue27766] Add ChaCha20 Poly1305 to SSL ciphers

2016-09-15 Thread Christian Heimes
Changes by Christian Heimes:
--
assignee: -> christian.heimes
components: +SSL

[issue27766] Add ChaCha20 Poly1305 to SSL ciphers

2016-09-06 Thread Christian Heimes
Christian Heimes added the comment:
See #27850. ChaCha20 is even less relevant for 3.3 and 3.4. It either requires LibreSSL, patch #26470 or a patched OpenSSL installation.
--
nosy: +georg.brandl, larry
stage: -> commit review

[issue27766] Add ChaCha20 Poly1305 to SSL ciphers

2016-09-06 Thread Roundup Robot
Roundup Robot added the comment:
New changeset d209fd77 by Christian Heimes in branch '3.5':
Issues #27850 and #27766: Remove 3DES from ssl default cipher list and add ChaCha20 Poly1305.
https://hg.python.org/cpython/rev/d209fd77
New changeset 6f4f19217d9b by Christian Heimes in branch

[issue27766] Add ChaCha20 Poly1305 to SSL ciphers

2016-08-19 Thread Francis MB
Francis MB added the comment: Documentation cosmetic: # * Prefer ECDHE over DHE for better performance # * Prefer any AES-GCM over any AES-CBC for better performance and security +# * Prefer any AES-GCM over any AES-CBC for better performance and security The patch seems to be adding
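Review bot: the added line `+# * Prefer any AES-GCM over any AES-CBC for better performance and security` repeats the unchanged comment line directly above it word for word, so the comment block would list the same preference twice. Drop the added line, or replace it with the bullet that describes the new preference this change introduces.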

[issue27766] Add ChaCha20 Poly1305 to SSL ciphers

2016-08-15 Thread Christian Heimes
Changes by Christian Heimes:
--
dependencies: +Make OpenSSL module compatible with OpenSSL 1.1.0, ssl: add public API for IA-32 processor capabilities vector

[issue27766] Add ChaCha20 Poly1305 to SSL ciphers

2016-08-15 Thread Alex Gaynor
Alex Gaynor added the comment:
Exposing it in some way would be good, but we can make that a separate issue.

[issue27766] Add ChaCha20 Poly1305 to SSL ciphers

2016-08-15 Thread Cory Benfield
Cory Benfield added the comment: Christian: Certainly I'd like to be able to use that API from within urllib3 and Twisted. Having something public would be really convenient. Of course, it'd be good if OpenSSL exposed something useful here, but in the absence of that Python would be

[issue27766] Add ChaCha20 Poly1305 to SSL ciphers

2016-08-15 Thread Christian Heimes
Christian Heimes added the comment:
Cory, Alex: Would you like to have a public API for CPU feature discovery? I don't mind making OPENSSL_ia32cap_loc() a public API or even exposing the bit set as a structure with nice field names.
Decorater: This ticket is not a vote on favorite packages.

[issue27766] Add ChaCha20 Poly1305 to SSL ciphers

2016-08-15 Thread Decorater
Decorater added the comment:
tbh I personally prefer aiohttp over requests.
--
nosy: +Decorater

[issue27766] Add ChaCha20 Poly1305 to SSL ciphers

2016-08-15 Thread Cory Benfield
Cory Benfield added the comment:
Update for Requests+urllib3 is here: https://github.com/shazow/urllib3/pull/947
Update for Twisted is here: https://twistedmatrix.com/trac/ticket/8760

[issue27766] Add ChaCha20 Poly1305 to SSL ciphers

2016-08-15 Thread Christian Heimes
Christian Heimes added the comment:
On 2016-08-15 13:09, Alex Gaynor wrote:
>
> Alex Gaynor added the comment:
>
> So, for servers really what we care about is if the _client_ has
> PCLMULQDQ/AESNI, not whether the server itself does. Unfortunately, there's
> no sane way to do this. For

[issue27766] Add ChaCha20 Poly1305 to SSL ciphers

2016-08-15 Thread Alex Gaynor
Alex Gaynor added the comment:
Simply doing AES-GCM before ChaCha20 is probably the simplest thing to start with, can always get fancier later.

[issue27766] Add ChaCha20 Poly1305 to SSL ciphers

2016-08-15 Thread Cory Benfield
Cory Benfield added the comment: Yup. So for Requests at least, the fix is easy: because OpenSSL kindly just quietly ignores cipher suites it doesn't know about we can unconditionally add it to the requests/urllib3 cipher string. In the first instance we'll just do it statically, and then we

[issue27766] Add ChaCha20 Poly1305 to SSL ciphers

2016-08-15 Thread Alex Gaynor
Alex Gaynor added the comment: So, for servers really what we care about is if the _client_ has PCLMULQDQ/AESNI, not whether the server itself does. Unfortunately, there's no sane way to do this. Haven't reviewed this patch in terribly much detail, but conceptually fine. Cory, we should make

[issue27766] Add ChaCha20 Poly1305 to SSL ciphers

2016-08-15 Thread Christian Heimes
Changes by Christian Heimes:
--
keywords: +patch
Added file: http://bugs.python.org/file44117/Add-ChaCha20-Poly1305-to-SSL-ciphers.patch

[issue27766] Add ChaCha20 Poly1305 to SSL ciphers

2016-08-15 Thread Cory Benfield
Changes by Cory Benfield:
--
nosy: +Lukasa

[issue27766] Add ChaCha20 Poly1305 to SSL ciphers

2016-08-15 Thread Christian Heimes
Christian Heimes added the comment:
On X86 and X86_64 AES-NI and PCLMULQDQ can be detected with OPENSSL_ia32cap_loc().
https://www.openssl.org/docs/man1.0.2/crypto/OPENSSL_ia32cap_loc.html

[issue27766] Add ChaCha20 Poly1305 to SSL ciphers

2016-08-15 Thread Christian Heimes
Changes by Christian Heimes:
--
type: behavior -> security

[issue27766] Add ChaCha20 Poly1305 to SSL ciphers

2016-08-15 Thread Christian Heimes
New submission from Christian Heimes:
The ssl module has two cipher suite configurations, one for server-side and the other for client-side. Issue #26470 will add OpenSSL 1.1.0 support, which will introduce new cipher suites with ChaCha 20 stream cipher and Poly1305 authenticator. CHACHA20