[openssl-dev] Circumstances cause CBC often to be preferred over GCM modes
Hubert Kario
hkario at redhat.com
Tue Dec 16 14:14:13 UTC 2014
On Tuesday 16 December 2014 04:53:11 Viktor Dukhovni wrote:
> On Tue, Dec 16, 2014 at 04:23:24AM +0100, Hanno Böck wrote:
> > > On Tue, Dec 16, 2014 at 02:18:40AM +0100, Hanno Böck wrote:
> > > > Firefox and Chrome support authenticated encryption via TLS 1.2 and
> > > > GCM these days. However they have for some reason decided not to
> > > > support AES-256 but only AES-128.
> > >
> > > In which case, they will never use AES-256, and yet:
> > No, you understood that wrong: They decided to not support AES-256 for
> > CGM. For CBC they support both 128/256.
>
> In that case indeed many servers will choose CBC at 256 bits over
> GCM at 128. This is a browser configuration issue, and should be
> addressed there.
>
(...)
>
> The browsers need to fix their settings, but there are many competing
> factors here, and perhaps they have good reasons for the choices
> they made.
No, this is a problem with the OpenSSL cipher order - it prefers key size over other
factors - it should prefer AEAD and PFS ciphers before ordering on key size,
doubly so since in practice you can't get anywhere near a 256-bit level of
security using TLS.
We've talked about this before.
Preferring AES-256 over AES-128 in an Internet setting with Internet CAs just
burns cycles for nought.
Also, the reason why neither Firefox nor Chrome supports AES-256-GCM is that
NSS doesn't support SHA-384 PFS for TLSv1.2 - it's not a case of "just
flipping a switch".
--
Regards,
Hubert Kario
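The following is an added illustration of the negotiation outcome the thread describes, not code from the thread, from OpenSSL or from any browser. It models server-preference cipher selection (the server walks its own ordered list and picks the first suite the client also offers) under two orderings: a key-size-first order standing in for the OpenSSL default Hubert objects to, and an AEAD-and-PFS-first order. The suite attributes and the client's offered list are constructed for the example (the client offers AES-128-GCM and AES-256-CBC but no AES-256-GCM, mirroring the browser behaviour discussed above); the ordering rules are a simplified model, not OpenSSL's actual sort logic.

```python
"""Simulate TLS cipher-suite selection under two server preference orders.

Constructed example: suite attributes and the client's offer are hypothetical
inputs chosen to reproduce the situation discussed in the thread. The two
ordering functions are simplified models, not OpenSSL's real sort routine.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Suite:
    name: str       # OpenSSL-style cipher name
    key_bits: int   # symmetric key length
    aead: bool      # authenticated encryption (GCM) vs. CBC + HMAC
    pfs: bool       # ephemeral key exchange (ECDHE/DHE) vs. static RSA


# Everything the (constructed) server is willing to use.
SERVER_SUITES: List[Suite] = [
    Suite("ECDHE-RSA-AES256-GCM-SHA384", 256, aead=True,  pfs=True),
    Suite("ECDHE-RSA-AES128-GCM-SHA256", 128, aead=True,  pfs=True),
    Suite("ECDHE-RSA-AES256-SHA",        256, aead=False, pfs=True),
    Suite("ECDHE-RSA-AES128-SHA",        128, aead=False, pfs=True),
    Suite("AES256-SHA",                  256, aead=False, pfs=False),
    Suite("AES128-SHA",                  128, aead=False, pfs=False),
]

# Constructed client offer: AES-128-GCM plus 128/256 CBC, but no AES-256-GCM,
# the browser profile described in the thread.
CLIENT_OFFER: List[str] = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA",
    "ECDHE-RSA-AES128-SHA",
    "AES256-SHA",
    "AES128-SHA",
]


def key_size_first(suites: Iterable[Suite]) -> List[Suite]:
    """Model of a key-size-first preference: 256-bit suites before 128-bit,
    AEAD and PFS only used as tie-breakers."""
    return sorted(suites, key=lambda s: (-s.key_bits, not s.aead, not s.pfs))


def aead_pfs_first(suites: Iterable[Suite]) -> List[Suite]:
    """Proposed preference: AEAD first, then PFS, key size last."""
    return sorted(suites, key=lambda s: (not s.aead, not s.pfs, -s.key_bits))


def negotiate(server_order: List[Suite], client_offer: List[str]) -> Optional[Suite]:
    """Server-preference selection: first suite in the server's order that the
    client also offered, or None when there is no overlap."""
    offered = set(client_offer)
    for suite in server_order:
        if suite.name in offered:
            return suite
    return None


def compare_orders(client_offer: List[str]) -> dict:
    """Return the suite chosen under each ordering, keyed by ordering name."""
    return {
        "key_size_first": negotiate(key_size_first(SERVER_SUITES), client_offer),
        "aead_pfs_first": negotiate(aead_pfs_first(SERVER_SUITES), client_offer),
    }


if __name__ == "__main__":
    for order_name, chosen in compare_orders(CLIENT_OFFER).items():
        label = "no overlap" if chosen is None else chosen.name
        print(f"{order_name:15s} -> {label}")
```

With the key-size-first order the server lands on ECDHE-RSA-AES256-SHA (CBC with HMAC-SHA1) because the only 256-bit AEAD suite is missing from the client's list; with AEAD and PFS ranked ahead of key size the same client gets ECDHE-RSA-AES128-GCM-SHA256. The difference is entirely in the server's sort key, which is the point being made about where the fix belongs.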