Bug 3194

Summary: Please consider lowering chacha20-poly1305@openssh.com cipher priority on AES-NI capable CPU
Product: Portable OpenSSH
Reporter: Fabio <fabio.pedretti>
Component: Miscellaneous
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WONTFIX
Severity: enhancement
CC: djm
Priority: P5
Version: 8.3p1
Hardware: amd64
OS: Linux

Description Fabio 2020-07-19 03:33:48 AEST
Even in 8.3p1 (using libcrypto) chacha20-poly1305@openssh.com is a lot slower than aes ciphers on AES-NI capable hardware.

aes128-gcm@openssh.com is 23% faster on Xeon Westmere (the first Intel CPU with AES-NI) and 47% faster on Kaby Lake.

On Kaby Lake:

aes128-gcm@openssh.com        : 540MB/s
aes256-gcm@openssh.com        : 535MB/s

aes128-ctr                    : 445MB/s
aes192-ctr                    : 446MB/s
aes256-ctr                    : 436MB/s

chacha20-poly1305@openssh.com : 364MB/s

Please consider making aes128-gcm@openssh.com the default.
Comment 1 Damien Miller 2020-07-20 14:10:41 AEST
We don't plan on reordering ciphers based on local platform capabilities. We do offer the =^ trick to make it easy for users to do so. E.g.

Ciphers ^aes256-gcm@openssh.com,aes128-gcm@openssh.com 

Will move those two ciphers to the head of the list.
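
Added example (not part of the original comment and not OpenSSH code): a POSIX shell sketch that emits the `Ciphers ^...` line from the comment above only when a Linux cpuinfo listing shows the `aes` flag, and models the order the `^` prefix produces. The default cipher list, the function names and the cpuinfo excerpt are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; not part of the bug report or of OpenSSH.

# Assumption: client default cipher order of the 8.3p1 era. Confirm against
# `man ssh_config` for the release in use, since the list changes over time.
DEFAULT_CIPHERS="chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com"

# The two ciphers named in the comment above.
PREFERRED="aes256-gcm@openssh.com,aes128-gcm@openssh.com"

# has_aesni: read Linux /proc/cpuinfo text on stdin; succeed only if a
# "flags" line lists "aes" as a whole word (so "vaes" alone does not count).
has_aesni() {
    grep -E '^flags[[:space:]]*:' | grep -qw aes
}

# cipher_directive: print the ssh_config line for AES-NI hosts, or nothing
# (keep the shipped defaults) when the flag is absent.
cipher_directive() {
    if has_aesni; then
        printf 'Ciphers ^%s\n' "$PREFERRED"
    fi
}

# prepend_ciphers HEAD DEFAULTS: model the "^" prefix. HEAD comes first,
# followed by every default not already named in HEAD, order preserved.
prepend_ciphers() {
    out=$1
    old_ifs=$IFS
    IFS=,
    for c in $2; do
        case ",$1," in
            *",$c,"*) ;;            # already at the head: skip the duplicate
            *) out="$out,$c" ;;
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# Constructed cpuinfo excerpt (not captured from a real machine).
SAMPLE_CPUINFO='processor	: 0
flags		: fpu sse2 pclmulqdq aes avx'

printf '%s\n' "$SAMPLE_CPUINFO" | cipher_directive
prepend_ciphers "$PREFERRED" "$DEFAULT_CIPHERS"
```

On a real host, feed `cipher_directive` from `/proc/cpuinfo` and compare the modelled order with the `ciphers` line printed by `ssh -G <host>`.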
Comment 2 Damien Miller 2021-04-23 15:04:36 AEST
closing resolved bugs as of 8.6p1 release