On Wed, 10 Jun 2020 at 15:28, Rob van der Heij <[email protected]> wrote:

> On Wed, 10 Jun 2020 at 14:55, Peter Webb, Toronto Transit Commission <
> [email protected]> wrote:
>
>> Hi Rob,
>>
>> Could you please point me to a list of the cipher suites with CPACF
>> support?
>>
>
> If you're current on openssl in Linux, just stick with the AES ciphers
> like aes256-ctr. Since the later openssl had built-in CPACF instructions,
> it's not easy to see anymore with the crypto engine etc. It's been ages
> since I looked at that...  I think "ssh -Q cipher" shows the list your
> client tries; the server has a list as well, so you can talk sense into
> this from either side.
>
> The problem we had was the Linux PC folks had googled for the "fastest
> encryption in ssh" and decided to use arcfour or blowfish. Or their focus
> may be on the "most secure" cipher suite. Obviously it does not matter when
> your typing or reading is the bottleneck, but it does count when you're
> moving ISO images over the network.
>

Old habits... just because I was curious, I did a quick check on my Linux
guest. This is 1 GB and I trimmed all but the "user" time from the output,
as that's where you see the cycles for the sending side (the receiving end
consumes the same amount in the sshd child process)

[rvdheij@lnxrmh01 ~]$ time dd if=/dev/zero bs=1M count=1024 status=none |
ssh -c aes256-ctr 127.0.0.1 wc --bytes
user 0m0.771s

[rvdheij@lnxrmh01 ~]$ time dd if=/dev/zero bs=1M count=1024 status=none |
ssh -c [email protected] 127.0.0.1 wc --bytes
user 0m0.262s

[rvdheij@lnxrmh01 ~]$ time dd if=/dev/zero bs=1M count=1024 status=none |
ssh -c [email protected] 127.0.0.1 wc --bytes
user 0m3.904s

So you use "ssh -Q cipher" to see what your client knows about, and if you
pick one that the server does not support, ssh will list the ones that it
knows about :-)
In my case the first one they have in common is aes256-gcm (which appears
to be better than aes256-ctr and an order of magnitude less than some
fancy software cipher for this simple case).

Blast from the past:
https://zvmperf.wordpress.com/2013/09/29/secret-key-performance/ (from the
z12 days)

Rob

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www2.marist.edu/htbin/wlvindex?LINUX-390
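
Added example (not part of the original post): a small shell helper that predicts which cipher a client and server will settle on, following the RFC 4253 rule that the first name on the client's list that the server also supports wins. The function names and both cipher lists are constructed for illustration; the "AES" check reflects the post's advice to stick with the AES ciphers.

```shell
#!/bin/sh
# Added example: which cipher will an SSH client/server pair agree on?
# RFC 4253 section 7.1: the chosen cipher is the first entry on the CLIENT's
# list that the server also supports. The server's own ordering is ignored.

# negotiate CLIENT_LIST SERVER_LIST   (comma-separated, preference order)
# Prints the agreed cipher; returns 1 when the lists share nothing.
negotiate() {
    _srv=",$2,"
    _old_ifs=$IFS; IFS=,
    for _c in $1; do
        case "$_srv" in
            *",$_c,"*) IFS=$_old_ifs; printf '%s\n' "$_c"; return 0 ;;
        esac
    done
    IFS=$_old_ifs
    return 1
}

# verdict CLIENT_LIST SERVER_LIST: one-line report for the pair.
verdict() {
    if ! _pick=$(negotiate "$1" "$2"); then
        echo "no common cipher"
        return 0
    fi
    case "$_pick" in
        aes*) echo "$_pick: AES, the family the post recommends" ;;
        *)    echo "$_pick: not AES, outside the post's recommendation" ;;
    esac
}

# Constructed sample lists (not taken from the thread).
CLIENT_SAMPLE='chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com'
SERVER_AES_ONLY='aes256-gcm@openssh.com,aes256-ctr,aes128-ctr'

# A server that offers everything lets the client's first choice win;
# an AES-only server list steers the same client to an AES cipher.
verdict "$CLIENT_SAMPLE" "$CLIENT_SAMPLE"
verdict "$CLIENT_SAMPLE" "$SERVER_AES_ONLY"
```

On a live system the two lists can be taken from the "ciphers" line of `ssh -G <host>` on the client and `sshd -T` on the server, both of which print the effective configuration in preference order.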
