[openssl-users] stronger Kex

Jeffrey Walton noloader at gmail.com
Tue Dec 27 16:38:57 UTC 2016


> I have two servers for testing purposes:
> - debian 6, apache 2.2,   openssl 1.0.1t      (mutu)
> - centos 7, apache 2.4.6, openssl 1.0.1e-fips (dedicated)
>
> Now, these 2 servers offer only these ciphers:
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
>
> I have two goals. First, I would like to use at least secp384r1
> and second (no problem), use an ECC certificate.
>
> Is it possible to do it with CHACHA20-POLY1305?
> Is it possible to use this cipher on those servers?

You need OpenSSL 1.1.0 or above for ChaCha20/Poly1305:

$ openssl version
OpenSSL 1.1.0b  26 Sep 2016

$ openssl ciphers | tr ':' '\n' | grep -i chacha
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
DHE-RSA-CHACHA20-POLY1305
RSA-PSK-CHACHA20-POLY1305
DHE-PSK-CHACHA20-POLY1305
ECDHE-PSK-CHACHA20-POLY1305
PSK-CHACHA20-POLY1305

Jeff
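
Added example, not part of the original message: a small shell audit that applies the version requirement and the cipher listing above, plus a check for the secp384r1 curve the question asks about. The function names and the sample inputs in the comments are constructed for illustration; the curve list is assumed to come from `openssl ecparam -list_curves`.

```shell
#!/bin/sh
# Added example: check an OpenSSL build for ChaCha20-Poly1305 suites and the
# secp384r1 curve. Helpers take text so they work on captured output too.

# Succeeds if the `openssl version` line in $1 reports OpenSSL >= 1.1.0.
# Returns 2 when the line is not an OpenSSL version line it can parse.
version_supports_chacha() {
    [ "$(printf '%s\n' "$1" | awk '{print $1}')" = "OpenSSL" ] || return 2
    ver=$(printf '%s\n' "$1" | awk '{print $2}')   # e.g. 1.0.1e-fips, 1.1.0b
    major=$(printf '%s\n' "$ver" | cut -d. -f1)
    minor=$(printf '%s\n' "$ver" | cut -d. -f2)
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 1 ]; }
}

# Prints the ChaCha20 suites found in a colon-separated cipher string ($1),
# one per line; prints nothing when there are none.
chacha_ciphers() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -i chacha || true
}

# Succeeds if curve $2 is named in the curve listing $1. Each listing line is
# "name : description"; a colon glued to the name is stripped before comparing.
has_curve() {
    printf '%s\n' "$1" | awk -v c="$2" \
        '{ n = $1; sub(/:$/, "", n); if (n == c) found = 1 } END { exit !found }'
}

# One-line summary for a build: $1 version line, $2 cipher string, $3 curves.
audit() {
    if version_supports_chacha "$1"; then v=yes; else v=no; fi
    n=$(chacha_ciphers "$2" | grep -c . || true)
    if has_curve "$3" secp384r1; then c=yes; else c=no; fi
    printf 'version>=1.1.0=%s chacha_suites=%s secp384r1=%s\n' "$v" "$n" "$c"
}

# Run against the local build when openssl is installed.
if command -v openssl >/dev/null 2>&1; then
    audit "$(openssl version)" "$(openssl ciphers)" \
          "$(openssl ecparam -list_curves 2>/dev/null)"
fi
```

Run it on each server; a `no` in the first field means the build predates the ChaCha20/Poly1305 support described above, whatever the Apache configuration requests.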

