[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-bugs] #4008 [Tor Relay]: Identify safe, common, useful openssl engines to enable by default
#4008: Identify safe, common, useful openssl engines to enable by default
-----------------------------+----------------------------------------------
Reporter: nickm | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Tor: unspecified
Component: Tor Relay | Version:
Keywords: crypto, openssl | Parent:
Points: | Actualpoints:
-----------------------------+----------------------------------------------
Ever since f0d4b3d1 (svn revision r5829) , all of our crypto acceleration
is off by default, since we can't trust any given openssl engine to be
secure, stable, and to run without crashing.
We should identify engines which it would be safe and useful to turn on by
default, and have them be on-by-default. IMO the criteria should be:
* It needs to be pretty common for a user to have the requisite hardware
but not know about it. IOW, anybody who has bought a special-purpose
board can configure it themselves, but people with CPU or chipset support
for acceleration are likely not to have thought about it.
* It needs to be really stable.
* It needs to be pretty well distributed.
* It needs to be using a recent version of openssl.
* It needs to make an actual improvement to Tor's performance or
security.
* We need to be able to test it.
Good candidates to look at for a start IMO are aes-ni instructions.
We'll also maybe need a UI change to let people disable default engines
and add extra ones.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4008>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs