Add the ChaCha20 ciphers to the default cipher list. #415
Conversation
| @@ -39,6 +39,8 @@ func defaultCipherSuites() []uint16 { | |||
| tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, | |||
| tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, | |||
| tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, | |||
| tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, | |||
There was a problem hiding this comment.
What is default for 1.8 if not configured at all? I think they put ChaCha first because of its performance gains, even over AES..
There was a problem hiding this comment.
Looks to be based on hardware: https://github.com/golang/go/blob/master/src/crypto/tls/common.go#L924
Shall we try to do the same?
There was a problem hiding this comment.
Not much luck there for us - looks like the hardware check belongs to an internal package.
There was a problem hiding this comment.
After some research, and given NATS usage patterns, it does look like the preference should be for supporting for smaller clients (chipsets without the AES-NI instruction set) right now. If someone wants to reorder preferences for GCM, they certainly can in our config. I can reorder these to place chacha first then... sound good?
|
Let's prefer ChaCha but allow them to override. |
| @@ -35,12 +35,12 @@ var cipherMap = map[string]uint16{ | |||
|
|
|||
| func defaultCipherSuites() []uint16 { | |||
| return []uint16{ | |||
| tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, | |||
| tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, | |||
There was a problem hiding this comment.
I think we should put ECDSA first..
No description provided.