Salz, Rich wrote: > > I generally agree, though we just added one small exception to NSS, and > > have been discussing another for a while now: Respecting client preference > > for ChaCha over GCM makes a real difference for clients that don't have AES- > > NI. > > Yes, a number of net companies do this (Google, CloudFlare, Akamai and no > doubt others). OpenSSL will support something like this in a future release > (boringSSL has "equivalence classes" but the syntax and limitations aren't > great). > > But it doesn't matter -- it's still the server choosing what to do :)
For all TLS protocol parameters where the client presents a list and the server selects one element from that list, it is a server-local (policy) decision which one element it chooses. Describing the order of elements in such lists as "client preference order" has led to numerous bogus server implementations, which erroneously default to "do what the client proposes", rather than "do what the server admin has configured". Out-of-curiosity, is the ChaCha-over-GCM to be configurable for the server admin, or is it hidden black magic? -Martin _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
