OpenSSL: drop preferring of Chacha20/Poly1305 over AES-GCM

Message ID 04de0dcf-7bb6-6075-2681-56e541e153fd@ipfire.org
State Staged
Commit e153efaf11a673a02ff81b10e09305463d22ffaf
Headers show
Series
  • OpenSSL: drop preferring of Chacha20/Poly1305 over AES-GCM
Related show

Commit Message

Peter Müller Nov. 4, 2019, 6:24 p.m. UTC
As hardware acceleration for AES is emerging (Fireinfo indicates
30.98% of reporting installations support this, compared to
28.22% in summer), there is no more reason to manually prefer
Chacha20/Poly1305 over it.

Further, overall performance is expected to increase as server
CPUs usually come with AES-NI today, where Chacha/Poly would
be an unnecessary bottleneck. Small systems without AES-NI,
however, compute Chacha/Poly measurable, but not significantly faster,
so there only was a small advantage of this.

This patch changes the OpenSSL default ciphersuite to:

TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(256) Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(256) Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(128) Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(128) Mac=SHA256
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA256
ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
CAMELLIA256-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA256
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
CAMELLIA128-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA256
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
CAMELLIA128-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
 lfs/openssl                                         |  2 +-
 src/patches/openssl-1.1.1c-default-cipherlist.patch | 18 ------------------
 src/patches/openssl-1.1.1d-default-cipherlist.patch | 11 +++++++++++
 3 files changed, 12 insertions(+), 19 deletions(-)
 delete mode 100644 src/patches/openssl-1.1.1c-default-cipherlist.patch
 create mode 100644 src/patches/openssl-1.1.1d-default-cipherlist.patch

Comments

Michael Tremer Nov. 4, 2019, 6:27 p.m. UTC | #1
Hi,

Acked-by: Michael Tremer <michael.tremer@ipfire.org>

> On 4 Nov 2019, at 18:24, peter.mueller@ipfire.org wrote:
> 
> As hardware acceleration for AES is emerging (Fireinfo indicates
> 30.98% of reporting installations support this, compared to
> 28.22% in summer), there is no more reason to manually prefer
> Chacha20/Poly1305 over it.
> 
> Further, overall performance is expected to increase as server
> CPUs usually come with AES-NI today, where Chacha/Poly would
> be an unnecessary bottleneck. Small systems without AES-NI,
> however, compute Chacha/Poly measurable, but not significantly faster,
> so there only was a small advantage of this.

I would like to highlight that practically all mobile phones have AES-NI as well and that we do not have any applications here which have very heavy encryption load where this could not be changed to something that would suit the used hardware better.

> 
> This patch changes the OpenSSL default ciphersuite to:
> 
> TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
> TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
> TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
> ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
> ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
> ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
> ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
> ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
> ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
> ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
> ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(256) Mac=SHA384
> ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
> ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(256) Mac=SHA384
> ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
> ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(128) Mac=SHA256
> ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
> ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(128) Mac=SHA256
> DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
> DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
> DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
> DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
> DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA256
> DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
> DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA256
> ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
> ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
> ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
> ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
> DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
> DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
> DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
> DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
> AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
> AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
> AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
> CAMELLIA256-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA256
> AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
> CAMELLIA128-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA256
> AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
> CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
> AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
> CAMELLIA128-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1
> 
> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
> ---
> lfs/openssl                                         |  2 +-
> src/patches/openssl-1.1.1c-default-cipherlist.patch | 18 ------------------
> src/patches/openssl-1.1.1d-default-cipherlist.patch | 11 +++++++++++
> 3 files changed, 12 insertions(+), 19 deletions(-)
> delete mode 100644 src/patches/openssl-1.1.1c-default-cipherlist.patch
> create mode 100644 src/patches/openssl-1.1.1d-default-cipherlist.patch
> 
> diff --git a/lfs/openssl b/lfs/openssl
> index f5aa7c3f9..8d978f171 100644
> --- a/lfs/openssl
> +++ b/lfs/openssl
> @@ -117,7 +117,7 @@ $(subst %,%_MD5,$(objects)) :
> $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> 	@$(PREBUILD)
> 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
> -	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.1.1c-default-cipherlist.patch
> +	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.1.1d-default-cipherlist.patch
> 
> 	# Apply our CFLAGS
> 	cd $(DIR_APP) && sed -i Configure \
> diff --git a/src/patches/openssl-1.1.1c-default-cipherlist.patch b/src/patches/openssl-1.1.1c-default-cipherlist.patch
> deleted file mode 100644
> index 72f6ce3b1..000000000
> --- a/src/patches/openssl-1.1.1c-default-cipherlist.patch
> +++ /dev/null
> @@ -1,18 +0,0 @@
> -diff -Naur openssl-1.1.1c.orig/include/openssl/ssl.h openssl-1.1.1c/include/openssl/ssl.h
> ---- openssl-1.1.1c.orig/include/openssl/ssl.h	2019-06-10 20:41:21.209140012 +0200
> -+++ openssl-1.1.1c/include/openssl/ssl.h	2019-06-10 20:42:26.733973129 +0200
> -@@ -170,11 +170,11 @@
> -  * an application-defined cipher list string starts with 'DEFAULT'.
> -  * This applies to ciphersuites for TLSv1.2 and below.
> -  */
> --# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
> -+# define SSL_DEFAULT_CIPHER_LIST "CHACHA20:HIGH:+aRSA:+SHA384:+SHA256:+DH:+SHA:+kRSA:!eNULL:!aNULL:!PSK:!SRP:!AESCCM:!DSS"
> - /* This is the default set of TLSv1.3 ciphersuites */
> - # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
> --#  define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
> --                                   "TLS_CHACHA20_POLY1305_SHA256:" \
> -+#  define TLS_DEFAULT_CIPHERSUITES "TLS_CHACHA20_POLY1305_SHA256:" \
> -+                                   "TLS_AES_256_GCM_SHA384:" \
> -                                    "TLS_AES_128_GCM_SHA256"
> - # else
> - #  define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
> diff --git a/src/patches/openssl-1.1.1d-default-cipherlist.patch b/src/patches/openssl-1.1.1d-default-cipherlist.patch
> new file mode 100644
> index 000000000..5ad7829e7
> --- /dev/null
> +++ b/src/patches/openssl-1.1.1d-default-cipherlist.patch
> @@ -0,0 +1,11 @@
> +--- openssl-1.1.1d.orig/include/openssl/ssl.h	2019-11-04 19:13:08.801905796 +0100
> ++++ openssl-1.1.1d/include/openssl/ssl.h	2019-11-04 19:14:05.229896747 +0100
> +@@ -170,7 +170,7 @@
> +  * an application-defined cipher list string starts with 'DEFAULT'.
> +  * This applies to ciphersuites for TLSv1.2 and below.
> +  */
> +-# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
> ++# define SSL_DEFAULT_CIPHER_LIST "HIGH:+aRSA:+SHA384:+SHA256:+DH:+SHA:+kRSA:!eNULL:!aNULL:!PSK:!SRP:!AESCCM:!DSS"
> + /* This is the default set of TLSv1.3 ciphersuites */
> + # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
> + #  define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
> -- 
> 2.16.4

Patch

diff --git a/lfs/openssl b/lfs/openssl
index f5aa7c3f9..8d978f171 100644
--- a/lfs/openssl
+++ b/lfs/openssl
@@ -117,7 +117,7 @@  $(subst %,%_MD5,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.1.1c-default-cipherlist.patch
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.1.1d-default-cipherlist.patch
 
 	# Apply our CFLAGS
 	cd $(DIR_APP) && sed -i Configure \
diff --git a/src/patches/openssl-1.1.1c-default-cipherlist.patch b/src/patches/openssl-1.1.1c-default-cipherlist.patch
deleted file mode 100644
index 72f6ce3b1..000000000
--- a/src/patches/openssl-1.1.1c-default-cipherlist.patch
+++ /dev/null
@@ -1,18 +0,0 @@ 
-diff -Naur openssl-1.1.1c.orig/include/openssl/ssl.h openssl-1.1.1c/include/openssl/ssl.h
---- openssl-1.1.1c.orig/include/openssl/ssl.h	2019-06-10 20:41:21.209140012 +0200
-+++ openssl-1.1.1c/include/openssl/ssl.h	2019-06-10 20:42:26.733973129 +0200
-@@ -170,11 +170,11 @@
-  * an application-defined cipher list string starts with 'DEFAULT'.
-  * This applies to ciphersuites for TLSv1.2 and below.
-  */
--# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
-+# define SSL_DEFAULT_CIPHER_LIST "CHACHA20:HIGH:+aRSA:+SHA384:+SHA256:+DH:+SHA:+kRSA:!eNULL:!aNULL:!PSK:!SRP:!AESCCM:!DSS"
- /* This is the default set of TLSv1.3 ciphersuites */
- # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
--#  define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
--                                   "TLS_CHACHA20_POLY1305_SHA256:" \
-+#  define TLS_DEFAULT_CIPHERSUITES "TLS_CHACHA20_POLY1305_SHA256:" \
-+                                   "TLS_AES_256_GCM_SHA384:" \
-                                    "TLS_AES_128_GCM_SHA256"
- # else
- #  define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
diff --git a/src/patches/openssl-1.1.1d-default-cipherlist.patch b/src/patches/openssl-1.1.1d-default-cipherlist.patch
new file mode 100644
index 000000000..5ad7829e7
--- /dev/null
+++ b/src/patches/openssl-1.1.1d-default-cipherlist.patch
@@ -0,0 +1,11 @@ 
+--- openssl-1.1.1d.orig/include/openssl/ssl.h	2019-11-04 19:13:08.801905796 +0100
++++ openssl-1.1.1d/include/openssl/ssl.h	2019-11-04 19:14:05.229896747 +0100
+@@ -170,7 +170,7 @@
+  * an application-defined cipher list string starts with 'DEFAULT'.
+  * This applies to ciphersuites for TLSv1.2 and below.
+  */
+-# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
++# define SSL_DEFAULT_CIPHER_LIST "HIGH:+aRSA:+SHA384:+SHA256:+DH:+SHA:+kRSA:!eNULL:!aNULL:!PSK:!SRP:!AESCCM:!DSS"
+ /* This is the default set of TLSv1.3 ciphersuites */
+ # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
+ #  define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \