Supplemental note:

The kEDH suites do a few extra cryptographic operations and
a few extra back-and-forth cryptographic operations for each
connection.  This is not usually a performance problem
(except that very short connections will feel the increased
traffic/load more in percent).

However, 3 things could make kEDH suites slower than necessary
in some configurations:

1. If you use a hardware accelerated engine which only does
RSA, but not DH, then anything using other algorithms will
obviously be slower than RSA.

2. If you use a hardware accelerated engine which has slow
creation of temporary DH public keys (really a trivial
operation unless the hardware designer assumed this would
be a rare one-off operation).

3. If OpenSSL uses its strongest long-term-secrecy PRNG for
the ephemeral DH keys, it can run out of entropy really fast
unless you hook it up with a fast hardware RNG of some kind.

#3 (if present) would be a design mistake, as thousands of
such keys are needed in forward secrecy modes.

On 4/26/2012 1:32 PM, Richard Könning wrote:
Hello,
The kEDH set of cipher suites provides so-called "perfect forward secrecy"; for a description of this term see e.g. http://en.wikipedia.org/wiki/Perfect_forward_secrecy.
Ciao,
Richard

On 26.04.2012 13:23, Jack Bauer wrote:
We are currently experiencing some scaling problems on our web servers
(nginx). They are terminating SSL connections and passing the requests
to backend servers.

After some testing, it appears that scaling is no problem, when the
kEDH cipher is disabled by passing !kEDH to openssl.

Can someone please explain what disabling kEDH exactly means and tell me
if there are any caveats concerning client/end-point security?

Thanks.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
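To see concretely what `!kEDH` takes away and what is left, here is an added example (not part of the thread) that asks the local OpenSSL, through Python's standard `ssl` module, which suites a cipher string enables and which of those still use an ephemeral key exchange. The `kx-*` labels and the treatment of TLS 1.3 suites (reported as `kx-any`) as forward secret are assumptions about the OpenSSL build in use.

```python
import ssl

# Key-exchange labels as OpenSSL reports them through Python's ssl module.
# Assumption: these names hold for the local OpenSSL build; "kx-any" is what
# TLS 1.3 suites report, and TLS 1.3 key exchange is always ephemeral.
FORWARD_SECRET_KX = {"kx-dhe", "kx-ecdhe", "kx-any"}


def enabled_suites(cipher_string):
    """Return the cipher-suite records OpenSSL enables for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def key_exchange_breakdown(cipher_string):
    """Count enabled suites per key-exchange method, e.g. {'kx-rsa': 9, ...}."""
    counts = {}
    for suite in enabled_suites(cipher_string):
        kea = suite.get("kea") or "unknown"
        counts[kea] = counts.get(kea, 0) + 1
    return counts


def forward_secrecy_report(cipher_string):
    """Split the enabled suites into those with and without forward secrecy."""
    report = {"pfs": [], "no_pfs": []}
    for suite in enabled_suites(cipher_string):
        bucket = "pfs" if suite.get("kea") in FORWARD_SECRET_KX else "no_pfs"
        report[bucket].append(suite["name"])
    return report


if __name__ == "__main__":
    # Compare the full list, the list with ephemeral DH removed, and DH only.
    for spec in ("ALL", "ALL:!kEDH", "kEDH"):
        print(spec, key_exchange_breakdown(spec))
    left = forward_secrecy_report("ALL:!kEDH")
    print("suites still offering forward secrecy after !kEDH:", left["pfs"])
    print("suites with no forward secrecy after !kEDH:", left["no_pfs"])
```

The `no_pfs` list for `ALL:!kEDH` is the set of suites a client can end up on once ephemeral DH is gone; if it is non-empty and nothing forward secret precedes it in the server's preference order, the scaling fix has traded away the property Richard describes.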
