It really makes you wonder how OpenSSH without OpenSSL has a fallback with so much better crypto than what OpenSSL offers.
Note that chacha20+poly1305 is slower than AES-NI + CLMUL-accelerated GCM on Intel chips…
Don’t get me wrong, I love djb, but I’m not sure this is the wisest default, especially if you find yourself scping large files around frequently.
IME chacha20+poly1305 is the fastest of the default 6.8 ciphers on non-AES (i.e. old, or embedded) hardware. Of course, choosing a different cipher on the command line is trivial, and adding more to the server config for internal use (arcfour128) is also pretty easy.
AES-NI and CLMUL have been in Intel chips since ~2010 (Westmere) and AMD chips since ~2011 (Bulldozer). For server software, at least, they’re nearly ubiquitous.
Unless your servers are virtualized and don’t have AES-NI exposed, which until recently was all of AWS.
Well, using older chips is normal, but you can’t use older AWS; it’s not available. At the moment, all of AWS supports AES-NI.