Open Bug 1279584 Opened 8 years ago Updated 5 months ago

Prioritize ChaCha20/Poly1305 ciphers over AES-GCM when AES-NI instruction set is not available

Categories

(NSS :: Build, defect, P3)

3.23

Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: josealbertoni, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [nss-fx])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Build ID: 20160604131506

Steps to reproduce:

ChaCha20/Poly1305 has reached GA recently, but AES-GCM cipher suites are being prioritized even when the AES-NI instruction set is not available (old processor). ChaCha20/Poly1305 should be preferred in this case.
Are there any firm plans yet for moving forward on this?  It would be a big help for FF users that lack AES-NI, when connecting to servers that support client selection within the strong-cipher set (e.g. those using BoringSSL's equal preference groups, or those using simplistic chapoly client-preference patches on OpenSSL-1.1).
Priority: -- → P3
OpenSSL 1.1.1 has a flag SSL_OP_PRIORITIZE_CHACHA that causes servers which are configured to generally prefer server ciphers over client ciphers to make an exception for clients that prefer ChaCha20 (https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_clear_options.html). As a generalization of this hack, OpenSSL may support "equal-preference grouping" in the future (https://github.com/openssl/openssl/issues/5050).

It would therefore be awesome if, like Chrome, Firefox could prioritize ChaCha20 over AES on systems that don't support AES-NI.
Franziskus, can you get me an estimate on what this would take?
Flags: needinfo?(franziskuskiefer)
There are runtime switches for these hardware acceleration features in freebl already. So switching depending on those shouldn't be too hard. However, the cipher suite list in NSS is static and is controlled by the application. So if NSS should do changes here, this would require some new machinery to sort cipher suite lists on init. But that can be done relatively easily.
The main issue is that Firefox will use a pretty slow ChaCha implementation when AES-NI isn't available, i.e. Firefox won't use NEON on Android. I'm not sure if the effort is worth it for other old platforms.
Flags: needinfo?(franziskuskiefer)
So we'd need a bunch of runtime feature-detection if's. Hmmm.
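The init-time reordering discussed above could look like the following sketch, which is an added example and not NSS or Firefox code. The function names and the sample preference list are hypothetical, and AES-NI detection assumes GCC or Clang's `<cpuid.h>` on x86; the suite numbers are the IANA code points.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* 1 if CPUID leaf 1 reports AES-NI (ECX bit 25); 0 otherwise, including on
 * non-x86 builds, which this sketch does not probe. */
int cpu_has_aesni(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx)) return 0;
    return (int)((ecx >> 25) & 1u);
#else
    return 0;
#endif
}

/* 0xCCA8..0xCCAA: the non-PSK (EC)DHE ChaCha20-Poly1305 suites. */
int is_chacha(uint16_t s) { return s >= 0xCCA8 && s <= 0xCCAA; }
/* ECDHE AES-GCM suites only. */
int is_aes_gcm(uint16_t s) {
    return s == 0xC02B || s == 0xC02C || s == 0xC02F || s == 0xC030;
}

#define MAX_SUITES 64
/* Hypothetical init hook: without hardware AES, refill the positions held by
 * ChaCha20/AES-GCM suites with ChaCha20 first, then AES-GCM, each group in
 * its original order; every other suite keeps its position.
 * Returns the number of entries changed, or -1 if the list is too long. */
int prefer_chacha_without_hw_aes(uint16_t *list, size_t n, int has_hw_aes) {
    uint16_t aead[MAX_SUITES];
    size_t i, k = 0;
    int changed = 0;
    if (n > MAX_SUITES) return -1;
    if (has_hw_aes) return 0;
    for (i = 0; i < n; i++) if (is_chacha(list[i])) aead[k++] = list[i];
    for (i = 0; i < n; i++) if (is_aes_gcm(list[i])) aead[k++] = list[i];
    for (i = 0, k = 0; i < n; i++) {
        if (!is_chacha(list[i]) && !is_aes_gcm(list[i])) continue;
        if (list[i] != aead[k]) changed++;
        list[i] = aead[k++];
    }
    return changed;
}

int main(void) {
    /* Constructed sample list, not the real Firefox/NSS default order. */
    uint16_t l[] = {0xC02B, 0xC02F, 0xCCA9, 0xCCA8, 0xC02C, 0xC030, 0xC013};
    size_t n = sizeof l / sizeof l[0], i;
    prefer_chacha_without_hw_aes(l, n, cpu_has_aesni());
    for (i = 0; i < n; i++) printf("0x%04X\n", l[i]);
    return 0;
}
```

Passing the detection result in as a parameter keeps the ordering logic testable on any build machine, independent of the CPU it runs on.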
Whiteboard: [nss-fx]
Severity: normal → S3