Forum: NGINX Use of boringssl equal-preference cipher groups with nginx

Alex (Guest)
on 2014-08-18 09:18
(Received via mailing list)
Hi,

I have successfully compiled nginx/1.7.4 with BoringSSL. One thing I am
not sure about is whether it is already possible to take advantage of
equal-preference cipher groups that BoringSSL supports. For reference:

https://www.imperialviolet.org/2014/02/27/tlssymme...

https://boringssl.googlesource.com/boringssl/+/858...

"... new concept of an equal-preference group: a set of cipher suites in
the server's preference order which are all “equally good”. When
choosing a cipher suite using the server preferences, the server finds
its most preferable cipher suite that the client also supports and, if
that is in an equal preference group, picks whichever member of the
group is the client's most preferable. For example, Google servers have
a cipher suite preference that includes AES-GCM and ChaCha20-Poly1305
cipher suites in an equal preference group at the top of the preference
list. So if the client supports any cipher suite in that group, then the
server will pick whichever was most preferable for the client."

Would this already work with nginx's ssl_ciphers parameter or would nginx
require further patching to support such a grouping parameter?

Alex
Alex (Guest)
on 2014-08-23 20:38
(Received via mailing list)
Hi again,

On 2014-08-18 09:17, Alex wrote:
> Hi,
>
> I have successfully compiled nginx/1.7.4 with BoringSSL. One thing I
> am not sure about is whether it is already possible to take advantage
> of equal-preference cipher groups that BoringSSL supports.
>
> [...]
>
> Would this already work with nginx's ssl_ciphers parameter or would
> nginx require further patching to support such a grouping parameter?

I feel kinda stupid that I didn't figure it out earlier. Of course it's
possible out of the box with nginx/BoringSSL. I made a small writeup
here:

https://www.zeitgeist.se/2014/08/23/we-like-aes-an...

Basically, you group ciphers in the ciphers list like this:
[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]

Best,
Alex
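
The selection rule quoted in the first post, modelled as an added example that is not part of the thread and is not BoringSSL's or nginx's code. It assumes only literal suite names, `:` separators and `[a|b]` groups; the client offers and the `ECDHE-RSA-AES128-SHA` fallback entry are constructed for illustration.

```python
# Added illustration of the quoted selection rule; not BoringSSL's parser.
# Assumption: only literal suite names, ':' separators and [a|b] groups.

def parse_groups(cipher_string):
    """Split a cipher list into ordered groups; a bare name is a group of one."""
    groups = []
    for item in filter(None, (p.strip() for p in cipher_string.split(":"))):
        bracketed = item.startswith("[") and item.endswith("]")
        body = item[1:-1] if bracketed else item
        if "[" in body or "]" in body or ("|" in body and not bracketed):
            raise ValueError(f"malformed group syntax: {item!r}")
        members = [m.strip() for m in body.split("|")]
        if not all(members):
            raise ValueError(f"empty member in {item!r}")
        groups.append(members)
    return groups


def select_suite(server_cipher_string, client_offer):
    """Pick a suite using server preference with equal-preference groups.

    client_offer lists the client's suites, most preferred first.
    Returns None when the two sides share no suite.
    """
    for group in parse_groups(server_cipher_string):
        # Server order decides which group wins ...
        common = [s for s in client_offer if s in group]
        if common:
            # ... and inside that group the client's order decides.
            return common[0]
    return None


CHACHA = "ECDHE-RSA-CHACHA20-POLY1305"
AES_GCM = "ECDHE-RSA-AES128-GCM-SHA256"
LEGACY = "ECDHE-RSA-AES128-SHA"  # constructed fallback entry

GROUPED = f"[{CHACHA}|{AES_GCM}]:{LEGACY}"  # group syntax from the thread
STRICT = f"{CHACHA}:{AES_GCM}:{LEGACY}"     # same suites, no group

if __name__ == "__main__":
    # Constructed client offers, most preferred suite first.
    offers = {"prefers AES-GCM": [AES_GCM, CHACHA, LEGACY],
              "prefers ChaCha20": [CHACHA, AES_GCM, LEGACY],
              "lists legacy first": [LEGACY, AES_GCM]}
    for name, offer in offers.items():
        print(f"{name:20} grouped={select_suite(GROUPED, offer)} "
              f"strict={select_suite(STRICT, offer)}")
```

With the strict list, a client that prefers AES-GCM is still given ChaCha20; with the group, it gets its own first choice, while a client that lists the legacy suite first is still moved up into the group.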
George (Guest)
on 2014-08-24 00:38
(Received via mailing list)
Thanks Alex, so what's the updated way to compile Nginx against BoringSSL?

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,252640,252779#msg-252779