Intent to Ship: AES_256_GCM in TLS.


David Benjamin

Mar 2, 2016, 5:48:03 PM
to blink-dev, net-dev, security-dev

Contact emails



We will be offering AES_256_GCM in TLS connections.


Historically, TLS had two AES ciphers based on CBC mode, AES_128_CBC and AES_256_CBC. But TLS’s CBC mode construction was flawed, making it fragile and very difficult to implement securely (for the current taxonomy, see BEAST, Lucky Thirteen, and POODLE). TLS 1.2 added new AES-based ciphers, AES_128_GCM and AES_256_GCM, whose constructions do not have this problem.

When we originally implemented TLS 1.2 in NSS, we only added AES_128_GCM and not AES_256_GCM. AES_256_GCM requires a SHA-384 PRF which NSS did not support. We also did not consider AES_256_GCM to be worth the performance cost.

Unfortunately, many popular server implementations order ciphers numerically first, placing AES_256_CBC above AES_128_GCM. Those servers will select the obsolete AES_256_CBC when connecting to Chromium-based browsers, rather than our preferred AES_128_GCM.

We do not agree with this ordering, but we propose to add AES_256_GCM so that these servers will select a modern cipher with Chromium-based browsers. This should also simplify TLS configurations for administrators concerned with maximizing key sizes. We expect this to increase our usage of AES-GCM over the legacy CBC-mode ciphers.

For servers that use the client-provided ordering, we will be inserting AES_256_GCM below AES_128_GCM for now. However, as always, servers are free to assert their own ordering should they wish to use AES_256_GCM over AES_128_GCM.

Interoperability and Compatibility Risk

Negligible. This is a mature specification and AES_256_GCM is advertised by the recent versions of Edge and Safari.

Ongoing technical constraints

Negligible. Now that we are using BoringSSL, we can freely use ciphers that need a SHA-384 PRF.

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?


OWP launch tracking bug

Link to entry on the feature dashboard

Requesting approval to ship?
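The cipher-ordering argument in the message above can be made concrete by simulating TLS 1.2 suite selection. The following Python is an added illustration, not part of the original post and not Chromium or BoringSSL code. The suite names and code points are the real IANA values; the "size-first" server list, the two client offers and the `negotiate`/`compare` helpers are constructed assumptions for this example.

```python
"""Added example: simulate TLS 1.2 cipher-suite selection to show how a
client's offer interacts with a server that orders suites by key size.

The suite names and code points are the real IANA values (RFC 5288/5289);
the client and server preference lists below are constructed assumptions."""

# Real IANA code points for the ECDHE_RSA variants of the suites discussed.
SUITES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
}


def is_aead(name: str) -> bool:
    """GCM suites are AEAD; the CBC suites use TLS's MAC-then-encrypt layout."""
    return "_GCM_" in name


def key_bits(name: str) -> int:
    """AES key size advertised in the suite name."""
    return 256 if "_AES_256_" in name else 128


def negotiate(client_offer, server_prefs, honor_server_order):
    """Pick the first mutually supported suite, walking whichever list has
    precedence. honor_server_order=True models a server configured to impose
    its own order; False models a server that respects the client's order."""
    if honor_server_order:
        first, second = server_prefs, client_offer
    else:
        first, second = client_offer, server_prefs
    enabled = set(second)
    for cs in first:
        if cs in enabled:
            return cs
    return None  # no shared suite: a real server sends a handshake_failure alert


def describe(cs):
    """Human-readable verdict for a chosen code point (or None)."""
    if cs is None:
        return "no shared suite (handshake_failure)"
    name = SUITES[cs]
    return f"{name} ({'AEAD' if is_aead(name) else 'CBC, legacy'})"


# Constructed assumption: a server list sorted "numerically first", i.e. by
# key size descending, which puts AES_256_CBC ahead of AES_128_GCM.
SIZE_ORDERED_SERVER = sorted(
    SUITES, key=lambda cs: (-key_bits(SUITES[cs]), not is_aead(SUITES[cs]))
)

# Constructed client offers mirroring the post: before the change the client
# offers AES_128_GCM and the CBC suites; after it, AES_256_GCM sits directly
# below AES_128_GCM.
CHROME_BEFORE = [0xC02F, 0xC013, 0xC014]
CHROME_AFTER = [0xC02F, 0xC030, 0xC013, 0xC014]


def compare(server_prefs):
    """Map (offer label, honor_server_order) -> chosen code point for both offers."""
    return {
        (label, honor): negotiate(offer, server_prefs, honor)
        for label, offer in (("before", CHROME_BEFORE), ("after", CHROME_AFTER))
        for honor in (True, False)
    }


if __name__ == "__main__":
    for (label, honor), cs in compare(SIZE_ORDERED_SERVER).items():
        mode = "server order" if honor else "client order"
        print(f"{label:6s} offer, {mode:12s} -> {describe(cs)}")
```

Run against the size-ordered server with server preference on, the "before" offer lands on AES_256_CBC and the "after" offer on AES_256_GCM; with client preference, both offers land on AES_128_GCM, matching the client's stated ordering. The simulation only models the preference walk; a real server also filters by protocol version, certificate key type and supported curves before choosing.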


Chris Harrelson

Mar 2, 2016, 5:59:05 PM
to David Benjamin, blink-dev, net-dev, security-dev


Philip Jägenstedt

Mar 3, 2016, 1:27:36 AM
to Chris Harrelson, David Benjamin, blink-dev, net-dev, security-dev

Rick Byers

Mar 3, 2016, 7:14:46 AM
to Philip Jägenstedt, David Benjamin, Chris Harrelson, security-dev, net-dev, blink-dev

