[PATCH] Enable SSL_OP_PRIORITIZE_CHACHA for server-side SSL contexts

Pascal Ernster nginx-devel at hardfalcon.net
Sat May 4 00:07:44 UTC 2019


# HG changeset patch
# User Pascal Ernster <nginx-devel at hardfalcon.net>
# Date 1556927912 -7200
#      Sat May 04 01:58:32 2019 +0200
# Node ID 9560af6ada8f395a3b01c66e6846fa7ebd41729d
# Parent  16a1adadf43751f59257ba419f6bacd530dd19d3
Enable SSL_OP_PRIORITIZE_CHACHA for server-side SSL contexts.

Available since OpenSSL 1.1.1, this prioritizes ChaCha ciphers when the client has a ChaCha20 cipher at the top of its preference list, indicating that the client does not have hardware acceleration for AES. The result is much better performance on devices like low-end Android smartphones or embedded hardware running OpenWRT.

diff -r 16a1adadf437 -r 9560af6ada8f src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c	Wed Apr 24 16:38:56 2019 +0300
+++ b/src/event/ngx_event_openssl.c	Sat May 04 01:58:32 2019 +0200
@@ -380,6 +380,10 @@
     SSL_CTX_set_mode(ssl->ctx, SSL_MODE_NO_AUTO_CHAIN);
 #endif
 
+#ifdef SSL_OP_PRIORITIZE_CHACHA
+    SSL_CTX_set_options(ssl->ctx, SSL_OP_PRIORITIZE_CHACHA);
+#endif
+
     SSL_CTX_set_read_ahead(ssl->ctx, 1);
 
     SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);
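
Review bot: The added SSL_CTX_set_options(ssl->ctx, SSL_OP_PRIORITIZE_CHACHA) call under the #ifdef is unconditional, but neither the hunk nor the commit message mentions that OpenSSL only acts on this option when SSL_OP_CIPHER_SERVER_PREFERENCE is also set on the same context. Without server preference the new line changes nothing, so the benefit described in the commit message only reaches configurations that enable ssl_prefer_server_ciphers. Please state that dependency in the commit message or in a short comment above the #ifdef. Separately, nothing in the visible context restricts this call to server-side contexts as the subject line says; if this initialisation path is shared with contexts used for outgoing connections, reword the subject to match what the code does.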

