[openssl-dev] cipher order

Hanno Böck hanno at hboeck.de
Thu Mar 3 16:30:02 UTC 2016


On Thu, 03 Mar 2016 16:18:57 +0000
Emilia Käsper <emilia at openssl.org> wrote:

> https://github.com/openssl/openssl/pull/783

This is different from what I had in mind.

What this patch does is sort e.g. chacha/poly and aes256-gcm before
aes256-cbc. It does however not sort aes128-gcm before aes256-cbc.
(David Benjamin answered me on the chrome security list that he
wanted to avoid arguing about this and chose the less controversial
variant.)

I would argue that cbc/hmac is so fragile that it's always preferable
to have aead before cbc/hmac. The security difference between 128 and
256 bit aes is imho mostly irrelevant in practice.

The difference between the two approaches may become mostly irrelevant
once all major browsers support at least one aead mode with 256 bit,
but I'm not sure if that's going to happen any time soon.



-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno at hboeck.de
GPG: BBB51E42