Opened 5 years ago

Closed 5 years ago

#8760 enhancement closed fixed (fixed)

Support ChaCha20 ciphers.

Reported by: Cory Benfield Owned by: Cory Benfield
Priority: normal Milestone:
Component: core Keywords:
Cc: Branch: 8760-lukasa-chacha20
branch-diff, diff-cov, branch-cov, buildbot


ChaCha20 is coming in OpenSSL 1.1.0, and it's generally pretty excellent. OpenSSL kindly ignores requests for ciphers that it doesn't support, so we can unconditionally update our code to request ChaCha20 and expect OpenSSL to just quietly ignore the change when it doesn't know what ChaCha is.

This change has us prefer AES-GCM over ChaCha20. This decision is made mostly because newer processors have AES-NI hardware acceleration instructions, and right now we're not in a good place to query whether or not those instructions are present, so we just assume that they are. However, CPython issue 27766 (, in addition to making this change, also provides a private function that could be queried for AES-NI support. We may want to wait until CPython 3.6 drops to see if that function makes it in, because we could use it to be smarter about our cipher string.

However, I think we should merge this anyway. It's a strict improvement over what we already have.

Change History (4)

comment:1 Changed 5 years ago by Cory Benfield <lukasaoz@…>

In 6a214b8:

Add topfile for #8760

comment:2 Changed 5 years ago by Cory Benfield

Branch: 8760-lukasa-chacha20
Keywords: review added

PR for this is available here:

comment:3 Changed 5 years ago by Adi Roiban

Keywords: review removed
Owner: set to Cory Benfield

Changes looks good. Only a minor comment regarding the release notes.

Please check my commend and merge at will... as long as the test pass :)


comment:4 Changed 5 years ago by Cory Benfield <lukasaoz@…>

Resolution: fixed
Status: newclosed

In 833abfd:

Merge 8760-lukasa-chacha20: Add support for ChaCha20.

Author: Lukasa
Reviewer: adiroiban
Fixes: #8760

Note: See TracTickets for help on using tickets.