Closed (by ghost, 7 years ago)
That's not necessary. Openssl v1.1.0 includes ChaCha20-Poly1305 by default.
@rugk, he meant the draft version. @you990808, you are welcome to add it, if you want.
Well... why not use the stable one? Or what exactly is the draft version?
@rugk, the draft version is used by many Android users. For example, check https://www.ssllabs.com/ssltest/analyze.html?d=www.hansvaneijsden.com&s=84.22.109.49&latest and scroll down. Android 5 and Android 6 clients use the draft version.
The draft version: OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc14)
The stable version: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
That's why I'm still using OpenSSL 1.0.2j with nginx and not OpenSSL 1.1.0. I would love to have the draft version available in 1.1.0 too. So, @you990808 it would be great if you can add the draft. 😃
@HansVanEijsden Since Chrome on Android uses its own copy of the OpenSSL library, i.e. not the system one that is reported by Qualys, most devices do use the finalized ChaCha20-Poly1305 cipher.
On an unrelated note, is there a way to prefer ChaCha20-Poly1305 only if the client does not support AES-NI, in OpenSSL 1.1.0? I'm currently using the patch on 1.0.2 to do that, but was just wondering.
@Injust Yes, visit https://community.centminmod.com/threads/patch-use-chacha20-poly1305-if-its-the-clients-most-preferred-cipher-openssl-1-1.8603/ for more information and the actual patch code.
@xetorixik Already made a patch for it a few weeks ago, thanks for the heads up though.
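To make the two suite IDs quoted above and the "prefer ChaCha20 only when it is the client's first choice" rule from the linked patch concrete, here is an added example (not code from OpenSSL, the linked patch, or anyone in this thread). It parses the cipher_suites vector out of a raw TLS 1.2 ClientHello and applies that selection rule against a server preference list. The draft/final ECDHE-ECDSA values 0xcc14 and 0xcca9 are the ones quoted in the thread; the ECDHE-RSA pair (0xcc13 / 0xcca8) and the AES-GCM suite 0xc02b are IANA registry values that the thread does not mention, and the ClientHello bytes are constructed for the example.

```python
"""Inspect a TLS 1.2 ClientHello's cipher-suite list and apply the
"honour ChaCha20-Poly1305 only if it is the client's top choice" rule.
Added example; not code from OpenSSL, the linked patch, or this thread."""
import struct

# ChaCha20-Poly1305 suite IDs. 0xcc14 (draft) and 0xcca9 (final) are the
# ECDHE-ECDSA values quoted in the thread; the ECDHE-RSA pair comes from the
# IANA TLS Cipher Suite registry and is not quoted on the page.
CHACHA20_SUITES = {
    0xCC13: "OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (draft)",
    0xCC14: "OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (draft)",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xCCA9: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
}
AES_GCM_ECDSA = 0xC02B  # TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (IANA value)


def parse_client_hello_suites(record: bytes) -> list:
    """Return the cipher suite IDs, in the client's preference order, from a
    raw TLS record that carries a ClientHello. Raises ValueError if malformed."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + body_len]
    if len(body) != body_len or body[0] != 0x01:
        raise ValueError("not a complete ClientHello")
    pos = 4                      # handshake type (1) + 3-byte length
    pos += 2 + 32                # client_version + random
    sid_len = body[pos]
    pos += 1 + sid_len           # session_id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = body[pos:pos + suites_len]
    if len(suites) != suites_len or suites_len % 2:
        raise ValueError("truncated cipher_suites vector")
    return [struct.unpack("!H", suites[i:i + 2])[0]
            for i in range(0, suites_len, 2)]


def choose_suite(client_suites, server_prefs, prioritize_chacha=True):
    """Server-preference negotiation with the patch's tweak: if the client's
    most preferred suite is ChaCha20-Poly1305 (its hint that it lacks AES
    hardware), honour it; otherwise walk the server's own order. Returns
    None when there is no shared suite."""
    shared = [s for s in server_prefs if s in client_suites]
    if not shared:
        return None
    top = client_suites[0] if client_suites else None
    if prioritize_chacha and top in CHACHA20_SUITES and top in shared:
        return top
    return shared[0]


def build_client_hello(suites):
    """Constructed minimal TLS 1.2 ClientHello record (zero random, empty
    session id, null compression, no extensions) for exercising the parser."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (b"\x03\x03" + bytes(32) + b"\x00"
             + struct.pack("!H", len(cs)) + cs
             + b"\x01\x00" + b"\x00\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    server = [AES_GCM_ECDSA, 0xCCA9, 0xCC14]        # AES-GCM first, ChaCha20 after
    for label, prefs in (("android-style", [0xCC14, AES_GCM_ECDSA]),
                         ("desktop-style", [AES_GCM_ECDSA, 0xCCA9])):
        offered = parse_client_hello_suites(build_client_hello(prefs))
        picked = choose_suite(offered, server)
        print(f"{label}: client offers {[hex(s) for s in offered]} -> server picks {hex(picked)}")
```

A client that lists 0xcc14 first still negotiates the draft suite only if the server keeps it in its own list, which is exactly the situation the thread describes: the server must be built with the draft suite compiled in for that branch to ever be taken.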
Can I add chacha20 draft in openssl 1.1.0?