Stitched vs non-Stitched Ciphersuites

Short, Todd tshort at
Tue Feb 26 15:44:35 UTC 2019

Thanks Matt,

So, just the cipher+MAC matter, the authentication/key-exchange are irrelevant.

What about AEAD ciphers? Are they considered "stitched"?

-Todd Short
// tshort at<mailto:tshort at>
// "One if by land, two if by sea, three if by the Internet."

On Feb 26, 2019, at 10:40 AM, Matt Caswell <matt at<mailto:matt at>> wrote:

On 26/02/2019 15:03, Short, Todd via openssl-users wrote:
The latest security advisory:

mentions stitched vs. non-stitched ciphersuites, but doesn’t really elaborate on
which ciphersuites are stitched and non-stitched.

The actual list in use is platform specific - the stitched ciphers are based on
asm implementations. Libssl in 1.0.2 knows about these stitched ciphers:

Any TLS ciphersuite based on the above ciphers will use the stitched
implementation if it is available on that platform.

So, for example, if a stitched implementation of AES-128-CBC-HMAC-SHA1 is
available on your platform then it will be used if you negotiate the AES128-SHA
ciphersuite (aka TLS_RSA_WITH_AES_128_CBC_SHA). Similarly it will be used if you
negotiate DH-RSA-AES128-SHA (aka TLS_DH_RSA_WITH_AES_128_CBC_SHA) The combined
encrypt and mac operation will be performed in one go by the stitched
implementation. If you don't have a stitched implementation then the encrypt and
mac operations are performed individually.


"In order for this to be exploitable "non-stitched" ciphersuites must be in
use. Stitched ciphersuites are optimised implementations of certain commonly
used ciphersuites."

Can someone give some examples of both?

-Todd Short
// tshort at <mailto:tshort at>
// "One if by land, two if by sea, three if by the Internet."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openssl-users mailing list