FS#2267 - downloads.openwrt.org: Upgrade from Debian 8 to 9, offer ChaCha20 TLS ciphersuites #8538

Closed
openwrt-bot opened this issue May 4, 2019 · 1 comment
@openwrt-bot

hardfalcon:

The webserver on downloads.openwrt.org currently only offers AES, Camellia and 3DES ciphersuites for HTTPS connections, since the server is running Debian 8, nginx 1.6.2 and OpenSSL 1.0.1t.

An upgrade to Debian 9 with nginx 1.10.3 and OpenSSL 1.1.0j would be appreciated since this would enable the webserver to offer ChaCha20 ciphersuites, which offer a huge performance increase for embedded devices without AES-NI or similar hardware acceleration for AES.

@openwrt-bot

hardfalcon:

The server seems to have been updated to Debian 9 in the meantime and is thus currently running nginx 1.10.3 with OpenSSL 1.1.0. This software stack supports ChaCha20 ciphersuites; it just needs to be configured accordingly.

Unfortunately, the webserver still seems to be using the old, manually configured "ssl_ciphers" configuration which lacks support for ChaCha20 ciphersuites. My suggestion would be to use the configuration from here:

https://ssl-config.mozilla.org/#server=nginx&server-version=1.10.3&config=intermediate&openssl-version=1.1.0l%20
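
The check below is an added example, not part of the original issue or of the OpenWrt server configuration: it pulls the `ssl_ciphers` value out of an nginx config and expands it with the local OpenSSL build to see whether any ChaCha20 suites are actually enabled. The two config fragments and all function names are constructed for illustration, and the result depends on the OpenSSL that Python is linked against.

```python
import re
import ssl

# Constructed nginx fragments for illustration (not the real server config).
BEFORE = """
server {
    listen 443 ssl;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384';
}
"""
AFTER = """
server {
    listen 443 ssl;
    ssl_ciphers ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
}
"""

def find_ssl_ciphers(nginx_conf):
    """Return the value of the first ssl_ciphers directive, or None."""
    m = re.search(r"^\s*ssl_ciphers\s+(['\"]?)([^;'\"]+)\1\s*;",
                  nginx_conf, re.MULTILINE)
    return m.group(2).strip() if m else None

def enabled_suites(cipher_string):
    """Expand an OpenSSL cipher string with the local OpenSSL build.

    TLS 1.3 suites are dropped: OpenSSL configures them separately
    from this cipher list.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []  # no suite in the string is supported by this build
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def chacha20_suites(cipher_string):
    """Suites from the string that use ChaCha20-Poly1305."""
    return [s for s in enabled_suites(cipher_string) if "CHACHA20" in s]

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        value = find_ssl_ciphers(conf)
        print(label, "->", chacha20_suites(value) or "no ChaCha20 suites")
```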
