Re: [openssl-users] How to increase the priority of some cipher ?

2017-09-26 Thread 李明
Sorry, I wrote that by mistake.
TLSv1.2, AES256-GCM-SHA384: the server can handle more than 1500 requests per second (CPU: 99%).
TLSv1.2, ECDHE-RSA-AES256-GCM-SHA384: the server can ONLY handle less than 1400 requests per second (CPU: 99%).
At 2017-09-27 08:52:01, "李明" wrote:

Re: [openssl-users] How to increase the priority of some cipher ?

2017-09-26 Thread 李明
The environment is quite simple: the client uses apachebench to test the performance of an https server. The apachebench command is like this: ab -c 500 -n 100 https://xx.xx.xx.xx/ TLSv1.2, AES256-GCM-SHA384: the server can handle more than 1500 requests per second (CPU: 99%). TLSv1.2

Re: [openssl-users] How to increase the priority of some cipher ?

2017-09-26 Thread Jakob Bohm
Obviously, the DH Ephemeral ciphersuites consist of a (sometimes fast) DH step PLUS an RSA or ECDSA step to confirm the identity of the server, while the slightly less secure RSA suites only do the RSA step.  DH+ECDSA requires an ECDSA certificate, which won't work for clients that require RSA

Re: [openssl-users] How to increase the priority of some cipher ?

2017-09-26 Thread Benjamin Kaduk via openssl-users
I am curious about this statement that "(EC)DHE cost much more resources than RSA".  In particular, ECDHE is supposed to be less computation-intensive than RSA for a given security level, so it would be interesting to hear what your setup is where the reverse is supposed to be observed. -Ben On

Re: [openssl-users] How to increase the priority of some cipher ?

2017-09-26 Thread 李明
Just found it: the server respects the client's cipher preference by default; it selects the suite preferred by the client among the cipher list that both the client and server support. So it's not enough to just increase the RSA cipher priority on the server side; SSL_OP_CIPHER_SERVER_PREFERENCE will make
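
The selection behaviour described in this message, as an added example (not code from the thread or from OpenSSL): Python's ssl module, which wraps OpenSSL, builds contexts with the two suites named in the thread and reads back their order and the OP_CIPHER_SERVER_PREFERENCE bit. select_cipher is a simplified model of the TLS 1.2 server's choice, and all function names are assumptions.

```python
import ssl

RSA_KX = "AES256-GCM-SHA384"            # plain RSA key exchange (suite from the thread)
ECDHE = "ECDHE-RSA-AES256-GCM-SHA384"   # ephemeral ECDH + RSA signature (from the thread)
WANTED = {RSA_KX, ECDHE}                # ignore TLS 1.3 suites, which have no RSA key exchange


def cipher_order(ctx, wanted=WANTED):
    """Names of the context's enabled suites, in OpenSSL preference order."""
    return [c["name"] for c in ctx.get_ciphers() if c["name"] in wanted]


def make_server_ctx(cipher_string, server_preference):
    """Server context with an explicit cipher order and the preference bit set or cleared."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)      # order in the string is the server's order
    flag = int(ssl.OP_CIPHER_SERVER_PREFERENCE)
    opts = int(ctx.options)
    # Python sets this bit by default; an OpenSSL C server does not.
    ctx.options = (opts | flag) if server_preference else (opts & ~flag)
    return ctx


def select_cipher(client_order, server_ctx):
    """Simplified model: first suite in the deciding side's list that the other side offers.

    Real OpenSSL also filters by certificate type and protocol version.
    """
    server_order = cipher_order(server_ctx)
    if int(server_ctx.options) & int(ssl.OP_CIPHER_SERVER_PREFERENCE):
        deciding, other = server_order, client_order
    else:
        deciding, other = client_order, server_order
    return next((name for name in deciding if name in other), None)


def demo():
    """Client lists ECDHE first; server lists RSA first; compare both flag settings."""
    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client_ctx.set_ciphers(f"{ECDHE}:{RSA_KX}")
    client_order = cipher_order(client_ctx)
    return {pref: select_cipher(client_order, make_server_ctx(f"{RSA_KX}:{ECDHE}", pref))
            for pref in (False, True)}


if __name__ == "__main__":
    for pref, chosen in demo().items():
        print(f"server preference={pref}: {chosen}")
```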

[openssl-users] How to increase the priority of some cipher ?

2017-09-26 Thread 李明
Hello, Currently, openssl prefers (EC)DHE handshakes over plain RSA, but (EC)DHE cost much more resources than RSA. In order to get higher performance, I want to prioritize RSA-related ciphers. Does anyone know how to do it? I have tried cipherlist