Feature #9896
closed
Add poly1305-chacha20 to the TLSv1.2 cipher list in nginx
Added by Viktor Gurov about 5 years ago.
Updated almost 5 years ago.
Description
as part of NGE
https://tools.ietf.org/html/rfc7905
test result (nmap):
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 4096) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 4096) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
| TLS_DHE_RSA_WITH_AES_256_CCM_8 (dh 4096) - A
| TLS_DHE_RSA_WITH_AES_256_CCM (dh 4096) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 4096) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 4096) - A
| compressors:
| NULL
| cipher preference: server
|_ least strength: A
https://github.com/pfsense/pfsense/pull/4112
- Status changed from New to Pull Request Review
- Assignee set to Jim Pingle
- Target version set to 2.5.0
Actually this appears to be unnecessary. It's already enabled by default for TLS 1.3, but that scanner (nmap ssl-enum-ciphers) does not yet support TLS 1.3
Try with testssl.sh
Testing server preferences
Has server cipher order? yes (OK)
Negotiated protocol TLSv1.3
Negotiated cipher TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)
Cipher order
TLSv1.2: ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES256-SHA DHE-RSA-AES256-CCM8 DHE-RSA-AES256-CCM DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA
TLSv1.3: TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256
The PR could still add it for TLS 1.2, but I am not sure it's worth adding at this stage since TLS 1.3 should be used.
Jim Pingle wrote:
Actually this appears to be unnecessary. It's already enabled by default for TLS 1.3, but that scanner (nmap ssl-enum-ciphers) does not yet support TLS 1.3
I know it, and did the test with sslyze also
This PR is to support full-range of NGE algorithms in TLSv1.2
- Subject changed from add poly1305-chacha20 to the nginx cipher list of WebGUI to Add poly1305-chacha20 to the TLSv1.2 cipher list in nginx
- Status changed from Pull Request Review to Feedback
- % Done changed from 0 to 100
PR has been merged. Thanks
Renato Botelho wrote:
PR has been merged. Thanks
Tested on pfSense 2.5.0.a.20191126.1832
PORT STATE SERVICE VERSION
443/tcp open ssl/http nginx
|_http-server-header: nginx
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 4096) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 4096) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
| TLS_DHE_RSA_WITH_AES_256_CCM_8 (dh 4096) - A
| TLS_DHE_RSA_WITH_AES_256_CCM (dh 4096) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 4096) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 4096) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
| compressors:
| NULL
| cipher preference: server
|_ least strength: A
Resolved
- Status changed from Feedback to Resolved
Also available in: Atom
PDF
Updated by 
Updated by Viktor Gurov 
Updated by