Update: Meanwhile you could also switch to the BoringSSL fork.
D. J. Bernstein’s ChaCha20-Poly1305 has not been merged into the OpenSSL master branch yet (ETA, anyone?). If you are curious to test it with nginx or any other application relying on the OpenSSL libraries with support for TLS 1.2, you can check it out via the 1.0.2-aead branch:
$ git clone https://github.com/openssl/openssl.git
$ cd openssl
$ git checkout 1.0.2-aead
Then follow the usual instructions from the INSTALL file on how to compile OpenSSL.
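As an added example (not part of the original post, and not an OpenSSL project script), here is a small POSIX shell helper that wraps the checkout above, builds the branch into a private prefix so it cannot clobber the system OpenSSL, and then checks whether the resulting binary actually advertises any ChaCha20-Poly1305 suites. The install prefix, the `Enc=ChaCha20-Poly1305` field format and the sample `openssl ciphers -v` lines are assumptions I constructed; the exact suite names printed by the draft-era 1.0.2-aead branch may differ from the final RFC 7539 names.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumptions: a private
# install prefix (PREFIX) and the "Enc=ChaCha20-..." field format that
# `openssl ciphers -v` prints for these suites.
PREFIX="${PREFIX:-$HOME/openssl-aead}"   # hypothetical install location

# Clone the repository, switch to the 1.0.2-aead branch (the steps from the
# post) and build into PREFIX so the system libssl stays untouched.
build_openssl_aead() {
  git clone https://github.com/openssl/openssl.git openssl-aead-src
  cd openssl-aead-src
  git checkout 1.0.2-aead
  ./config --prefix="$PREFIX" shared
  make && make install
  cd ..
}

# Count cipher suites whose Enc= field names ChaCha20, reading
# `openssl ciphers -v` output on stdin. Matching on the Enc= field rather
# than the whole line avoids counting unrelated mentions of the word.
# awk always exits 0 and prints 0 for empty input, so this is safe under set -e.
count_chacha_suites() {
  awk 'toupper($0) ~ /ENC=CHACHA20/ { n++ } END { print n + 0 }'
}

# Ask the freshly built binary which suites it offers and count the ChaCha20 ones.
# Returns non-zero if none are present, which usually means the wrong
# openssl binary (or the wrong branch) was built.
check_built_binary() {
  n=$("$PREFIX/bin/openssl" ciphers -v 'ALL' | count_chacha_suites)
  echo "ChaCha20-Poly1305 suites offered: $n"
  [ "$n" -gt 0 ]
}

# Confirm an nginx binary is actually linked against the library in PREFIX;
# otherwise it keeps using the system libssl and the new suites never appear.
check_nginx_links() {
  ldd "$(command -v nginx)" | grep -F "$PREFIX" >/dev/null
}

# Offline demonstration on constructed sample output (no build required).
demo_offline() {
  SAMPLE='ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=ChaCha20-Poly1305 Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD'
  printf '%s\n' "$SAMPLE" | count_chacha_suites
}

# Usage: `sh this.sh build` runs the real build and checks;
# with no argument only the offline demo on constructed output runs.
if [ "${1:-}" = "build" ]; then
  build_openssl_aead && check_built_binary && check_nginx_links
else
  demo_offline
fi
```

Run it with no arguments to see the counting logic on the constructed sample; `sh this.sh build` performs the real clone, build and checks. The `ldd` check matters in practice: an nginx that was compiled against the distribution's OpenSSL will silently keep using it, so the new suites never show up in a handshake even though the build succeeded.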
Almost hesitate to ask (and too pessimistic to poke around firsthand, tbh), but any updates on full support in OpenSSL’s master branch?
We tend to focus in our line of work on the sexier PFS-related primitives in terms of suite optimisation, but the relevance of other components is beyond any reasonable question.
Still, it hurts to see the slow-play & personally I tend to look the other way rather than risk another spin-up of frustration & disappointment.
Cheers,
~ pj
Hi pj,
They’re still working on the implementation…
https://mta.openssl.org/pipermail/openssl-dev/2015-January/000340.html
The implementation in 1.0.2-aead is apparently outdated by the latest draft.
https://datatracker.ietf.org/doc/draft-irtf-cfrg-chacha20-poly1305/