Opened 5 years ago
Closed 5 years ago
#8760 enhancement closed fixed (fixed)
Support ChaCha20 ciphers.
| Reported by: | Cory Benfield | Owned by: | Cory Benfield |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | core | Keywords: | |
| Cc: | Branch: |
8760-lukasa-chacha20
branch-diff, diff-cov, branch-cov, buildbot |
|
| Author: |
Description
ChaCha20 is coming in OpenSSL 1.1.0, and it's generally pretty excellent. OpenSSL kindly ignores requests for ciphers that it doesn't support, so we can unconditionally update our code to request ChaCha20 and expect OpenSSL to just quietly ignore the change when it doesn't know what ChaCha is.
This change has us prefer AES-GCM over ChaCha20. This decision is made mostly because newer processors have AES-NI hardware acceleration instructions, and right now we're not in a good place to query whether or not those instructions are present, so we just assume that they are. However, CPython issue 27766 (https://bugs.python.org/issue27766), in addition to making this change, also provides a private function that could be queried for AES-NI support. We may want to wait until CPython 3.6 drops to see if that function makes it in, because we could use it to be smarter about our cipher string.
However, I think we should merge this anyway. It's a strict improvement over what we already have.
Change History (4)
comment:1 Changed 5 years ago by
comment:2 Changed 5 years ago by
| Branch: | → 8760-lukasa-chacha20 |
|---|---|
| Keywords: | review added |
PR for this is available here: https://github.com/twisted/twisted/pull/499
comment:3 Changed 5 years ago by
| Keywords: | review removed |
|---|---|
| Owner: | set to Cory Benfield |
Changes looks good. Only a minor comment regarding the release notes.
Please check my commend and merge at will... as long as the test pass :)
Thanks!
In 6a214b8: