OpenSSL patch for CHACHA cipher support in OpenSSL 1.0.2

OpenSSL patch for CHACHA cipher support in OpenSSL 1.0.2

OpenSSL - User mailing list

Hi OpenSSL team,

I am Srivalli Kuppa. I have a couple of questions regarding support of CHACHA and Poly1305 cipher suites with OpenSSL.

  1. Do we have a stable OpenSSL patch that can be applied to OpenSSL 1.0.2 version to support CHACHA cipher both as a server/client?
  2. Can CHACHA+Poly1305 ciphers be used with TLSv1.2 today with different browsers (Chrome/Firefox etc.,)?

Thanks.

Srivalli


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: OpenSSL patch for CHACHA cipher support in OpenSSL 1.0.2

Matt Caswell-2


On 11/06/18 16:44, Srivalli Kuppa (srikuppa) via openssl-users wrote:
>  1. Do we have a stable OpenSSL patch that can be applied to OpenSSL
>     1.0.2 version to support CHACHA cipher both as a server/client?

No. Chacha/Poly1305 support is only available from version 1.1.0 upwards.

>  2. Can CHACHA+Poly1305 ciphers be used with TLSv1.2 today with
>     different browsers (Chrome/Firefox etc.,)?

Yes.

Matt
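
The reply above ties ChaCha20-Poly1305 to OpenSSL 1.1.0 or later. As an added example (not part of the thread and not OpenSSL project code), this Python check asks the TLS library the interpreter is linked against which TLS 1.2 ChaCha20-Poly1305 suites it offers; the function names and verdict strings are illustrative assumptions.

```python
import ssl

# Per the reply above, ChaCha20-Poly1305 is available from OpenSSL 1.1.0 upwards.
MIN_OPENSSL = (1, 1, 0)


def chacha20_tls12_suites():
    """Return the TLS 1.2 ChaCha20-Poly1305 suites the linked TLS library offers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        # "CHACHA20" is the OpenSSL cipher-string keyword for these suites.
        ctx.set_ciphers("CHACHA20")
    except ssl.SSLError:
        # Raised when the cipher string selects nothing, e.g. on OpenSSL 1.0.2.
        return []
    # TLS 1.3 suites can be listed regardless of set_ciphers(), so filter
    # by protocol as well as by name.
    return sorted(
        c["name"] for c in ctx.get_ciphers()
        if c["protocol"] == "TLSv1.2" and "CHACHA20" in c["name"]
    )


def assess(version_info, suites):
    """Classify a library from its version tuple and the suites it reported.

    Capability is checked first, so the verdict never rests on the version
    number alone. Verdict strings are hypothetical labels for this example.
    """
    if suites:
        return "supported"
    if tuple(version_info[:3]) < MIN_OPENSSL:
        return "upgrade-required"
    # New enough, but nothing offered (for example, disabled at build time).
    return "unavailable"


if __name__ == "__main__":
    found = chacha20_tls12_suites()
    print(ssl.OPENSSL_VERSION, "->", assess(ssl.OPENSSL_VERSION_INFO, found))
    for name in found:
        print("  ", name)
```
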


Re: OpenSSL patch for CHACHA cipher support in OpenSSL 1.0.2

OpenSSL - User mailing list
Thanks Matt. Appreciate your answers.

Just curious, is there a possibility to patch CHACHA cipher specific changes to OpenSSL 1.0.2 version still and get the SSL handshake to succeed?

I am not looking for an upgrade to OpenSSL 1.1.0 at this point. So, I am interested to know if I can get CHACHA working with OpenSSL 1.0.2.

Thanks for your time.

-Srivalli


Re: OpenSSL patch for CHACHA cipher support in OpenSSL 1.0.2

OpenSSL - User mailing list
> Just curious, is there a possibility to patch CHACHA cipher specific changes to OpenSSL 1.0.2 version still and get SSL handshake succeed?

It can be done; CloudFlare posted some patches at https://github.com/cloudflare/sslconfig/tree/master/patches but I think they used the pre-IETF version and so might need some tweaks. The OpenSSL project won't do it (we don't add features to existing releases).


Re: OpenSSL patch for CHACHA cipher support in OpenSSL 1.0.2

OpenSSL - User mailing list
Interesting. Yes, I did take a look at Cloudflare patch but wasn't sure if I could use that.
Alright. This helps.

My only option is to upgrade to OpenSSL 1.1.0 in order to support CHACHA+Poly1305 cipher support.

Thanks Rich.
-Srivalli

