
Issue 591516

Starred by 7 users

Issue metadata

Status: Fixed
Owner:
Closed: Jun 2016
Cc:
Components:
OS: All
Pri: 2
Type: Launch-OWP




Enable AES_256_GCM in TLS.

Project Member Reported by davidben@chromium.org, Mar 2 2016

Issue description

(See http://www.chromium.org/blink#launch-process for an overview)

Change description:
Enable AES_256_GCM to account for AES_256_GCM > AES_256_CBC > AES_128_GCM > AES_128_CBC being a common server configuration. (CBC-mode ciphers in TLS are fragile. AES-GCM is good.)

Changes to API surface:
Chrome's ClientHello will offer ECDHE_RSA_WITH_AES_256_GCM_SHA384, ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, and RSA_WITH_AES_256_GCM_SHA384.

Links:
Public standards discussion: https://tools.ietf.org/html/rfc5246

Support in other browsers:
Internet Explorer: Yes https://www.ssllabs.com/ssltest/viewClient.html?name=Edge&version=13&platform=Win%2010
Firefox: No https://www.ssllabs.com/ssltest/viewClient.html?name=Firefox&version=42&platform=OS%20X
Safari: Yes https://www.ssllabs.com/ssltest/viewClient.html?name=Safari&version=9&platform=OS%20X%2010.11

*Make sure to fill in any labels with a -?, including all OSes this change
affects. Feel free to leave other labels at the defaults.

 
Project Member

Comment 2 by bugdroid1@chromium.org, Mar 4 2016

The following revision refers to this bug:
  https://boringssl.googlesource.com/boringssl.git/+/433366587d6156c9660cc87a843e9dcef1a58917

commit 433366587d6156c9660cc87a843e9dcef1a58917
Author: David Benjamin <davidben@google.com>
Date: Thu Mar 03 20:32:29 2016

Move AES128 above AES256 by default.

This is in preparation for adding AES_256_GCM in Chromium below AES_128_GCM.
For now, AES_128_GCM is preferable over AES_256_GCM for performance reasons.

While I'm here, swap the order of 3DES and RC4. Chromium has already disabled
RC4, but the default order should probably reflect that until we can delete it
altogether.

BUG= 591516 

Change-Id: I1b4df0c0b7897930be726fb8321cee59b5d93a6d
Reviewed-on: https://boringssl-review.googlesource.com/7296
Reviewed-by: Adam Langley <agl@google.com>

[modify] https://crrev.com/433366587d6156c9660cc87a843e9dcef1a58917/ssl/ssl_cipher.c

Project Member

Comment 3 by bugdroid1@chromium.org, Mar 11 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b3c2d9730fd1d023b648aa745a2afca569bf9933

commit b3c2d9730fd1d023b648aa745a2afca569bf9933
Author: davidben <davidben@chromium.org>
Date: Fri Mar 11 22:36:17 2016

Enable AES_256_GCM ciphers.

This results in the following cipher suite order:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 [not offered in initial handshake]
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA [not offered in initial handshake]
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA [not offered in initial handshake]
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

I've intentionally excluded DHE_RSA_WITH_AES_256_GCM_SHA384 because we intend
to remove DHE ciphers later.

BUG= 591516 

Review URL: https://codereview.chromium.org/1769393002

Cr-Commit-Position: refs/heads/master@{#380761}

[modify] https://crrev.com/b3c2d9730fd1d023b648aa745a2afca569bf9933/net/socket/ssl_client_socket_openssl.cc
[modify] https://crrev.com/b3c2d9730fd1d023b648aa745a2afca569bf9933/net/ssl/ssl_config.h
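
The negotiation that the issue description and the cipher suite order above turn on, as an added example (not Chromium or BoringSSL code): a server enforcing AES_256_GCM > AES_256_CBC > AES_128_GCM > AES_128_CBC selects a CBC suite when the client does not offer AES_256_GCM. The server list, the pre-change client offer, and the helpers `negotiate` and `bulk_cipher` are assumptions made for illustration.

```python
# Chrome's initial ClientHello order from the commit message above
# (the three DHE suites marked "not offered in initial handshake" are left out).
CHROME_AFTER = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]
# Assumption: the pre-change offer is the same list without the AES_256_GCM suites.
CHROME_BEFORE = [s for s in CHROME_AFTER if "AES_256_GCM" not in s]

# Constructed server with an RSA certificate, using the bulk-cipher order from
# the issue description: AES_256_GCM > AES_256_CBC > AES_128_GCM > AES_128_CBC.
SERVER = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
]

def negotiate(client_offer, server_suites, honor_server_order=True):
    """Return the suite a server would select, or None when nothing overlaps."""
    ordered, other = (server_suites, client_offer) if honor_server_order \
        else (client_offer, server_suites)
    allowed = set(other)
    return next((s for s in ordered if s in allowed), None)

def bulk_cipher(suite):
    """Extract the bulk cipher, e.g. 'AES_256_GCM', from a suite name."""
    return suite.split("_WITH_")[1].rsplit("_", 1)[0]

if __name__ == "__main__":
    for label, offer in (("before", CHROME_BEFORE), ("after", CHROME_AFTER)):
        print(label, bulk_cipher(negotiate(offer, SERVER)),
              bulk_cipher(negotiate(offer, SERVER, honor_server_order=False)))
```

With `honor_server_order=False` the client's order decides, and both offers land on AES_128_GCM, which is the case the BoringSSL commit in Comment 2 prepares for by placing AES128 above AES256.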

I think it's a good idea that Chrome is introducing support for AES_256_GCM. But then support for secp521r1 that was dropped in Chrome 42 should probably also be reintroduced for ECDHE to provide equivalent security for the 256-bit encryption? See here:
https://web.archive.org/web/20150627183730/https://www.nsa.gov/business/programs/elliptic_curve.shtml

But I'm no crypto expert, just some input.
Please see issue #477623.
Cc: davidben@chromium.org
Issue 608887 has been merged into this issue.
Cc: -davidben@chromium.org awhalley@chromium.org
+awhalley, how does the launch process work? Were we supposed to close this at some point?
Status: Fixed (was: Assigned)
