EKR wrote:
>
> "Joseph R. Junkin" <[EMAIL PROTECTED]> writes:
> > I want to run a site with the lowest possible encryption for the highest
> > performance.
> Encryption and performance are not mutually opposed in the way
> you might think.
OK, but why not? I am quite new to this (still learning) and do not
understand why. I would assume that the system would work twice as hard
to generate 128 bit SSL compared to 56 bit SSL.
> In the case of symmetric ciphers, RC4 is by far the fastest
> and it's no slower in 128 bit mode than 40 bit mode. Thus,
> I'd advise you to use RC4-128.
OK, I followed the steps for a US installation which included RSA. Can I
still use RC4-128? Would the configuration be:
SSLCipherSuite ALL:!ADH:RC4-RSA:-HIGH:-MEDIUM:+LOW:+SSLv2:+EXP
??
>
> As far as asymmetric ciphers go, RSA is substantially
> faster than DSA/DH. You control your RSA key length so you'll
> have to decide how large an RSA key to generate. 512 is
> known to be breakable by a dedicated effort using today's
> technology. I'd advise 768 bits as the minimum myself.
Well, I have already created my key and received my cert from Thawte for
www.datafree.com.
I assume that I used the default settings which would be 1024??
>
> However, if you're talking to an export browser then you'll
> end up with 512 bits of security but it will be as slow
> as 768 bits because of ephemeral RSA mode. [0]
So are you telling me that 128 will be just as fast as 56 bit in this
case?
Bottom line, what is/are the setting(s) that will place the lowest
possible load on my server, assuming that I already have my certificate
(www.datafree.com)?
Is it:
SSLCipherSuite ALL:!ADH:RC4-RSA:-HIGH:-MEDIUM:+LOW:+SSLv2:+EXP
Thanks for the response, I am having a difficult time understanding and
implementing these settings.
Joe Junkin
[EMAIL PROTECTED]
>
> -Ekr
>
> [0] Yes, I know that 512 bit ephemeral RSA isn't exactly
> the same security wise as 512 bit static, but they're
> close to a first order.
>
> --
> [Eric Rescorla [EMAIL PROTECTED]]
> PureTLS - free SSLv3/TLS software for Java
> http://www.rtfm.com/puretls/
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
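An added example, not part of either message: an instrumented RC4 that counts the steps behind the quoted claim that RC4 is no slower with a 128-bit key than with a 40-bit one. The function names, the two sample keys and the 16 KiB record are constructed for illustration, and the short key is fed to RC4 directly as 5 bytes.

```python
# Added example: instrumented RC4 comparing the work for 40-bit and 128-bit keys.
# RC4 appears only to check the claim in the thread; RFC 7465 prohibits it in TLS.

def rc4(key: bytes, data: bytes):
    """Return (ciphertext, ksa_steps, prga_steps) for RC4 over data."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    # Key schedule: always 256 swaps; the key is only indexed modulo its length.
    s = list(range(256))
    j = 0
    ksa_steps = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
        ksa_steps += 1
    # Keystream generation: one swap and one lookup per byte; the key is not used.
    out = bytearray()
    i = j = 0
    prga_steps = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
        prga_steps += 1
    return bytes(out), ksa_steps, prga_steps


def compare_key_sizes(record: bytes):
    """Step counts for a constructed 40-bit and 128-bit key over one record."""
    key40 = bytes(range(5))     # constructed 5-byte (40-bit) key
    key128 = bytes(range(16))   # constructed 16-byte (128-bit) key
    _, ksa40, prga40 = rc4(key40, record)
    _, ksa128, prga128 = rc4(key128, record)
    return (ksa40, prga40), (ksa128, prga128)


if __name__ == "__main__":
    small, large = compare_key_sizes(b"\x00" * 16384)  # constructed 16 KiB record
    print("40-bit :", small)
    print("128-bit:", large)
```

Both key sizes cost 256 key-schedule steps plus one step per byte of data, so the symmetric cipher's key length does not change server load; the RSA operation in the handshake is where key size affects cost.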