Use of boringssl equal-preference cipher groups with nginx

Alex alex at zeitgeist.se
Mon Aug 18 07:17:59 UTC 2014


Hi,

I have successfully compiled nginx/1.7.4 with boringssl. One thing I am 
not sure if it's possible already is to take advantage of 
equal-preference cipher groups that Boringssl supports. For reference:

https://www.imperialviolet.org/2014/02/27/tlssymmetriccrypto.html

https://boringssl.googlesource.com/boringssl/+/858a88daf27975f67d9f63e18f95645be2886bfb%5E!/

"... new concept of an equal-preference group: a set of cipher suites in 
the server's preference order which are all “equally good”. When 
choosing a cipher suite using the server preferences, the server finds 
its most preferable cipher suite that the client also supports and, if 
that is in an equal preference group, picks whichever member of the 
group is the client's most preferable. For example, Google servers have 
a cipher suite preference that includes AES-GCM and ChaCha20-Poly1305 
cipher suites in an equal preference group at the top of the preference 
list. So if the client supports any cipher suite in that group, then the 
server will pick whichever was most preferable for the client."

Would this already work with nginx' ssl_ciphers parameter or would nginx 
require further patching to support such grouping parameter?

Alex



More information about the nginx mailing list