Hey there,

On Sunday 03 March 2002 07:22, MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1) wrote:
> just iterating on point (a) mentioned by Geoff, if you force the
> negotiation using RC4 (which I believe is forced by iPlanet), you should
> see a substantial increase in the no. of connections handled.. The other
> parameters (logging etc) do help, but not as much as (a)..

Yep, quite likely.

> BTW, as a separate question, why is RC4 not made the default crypto to be
> used in mod_ssl ?.

https (and thus mod_ssl) exists to give strong security to the carriage of http data. If security wasn't an issue, you'd simply use http and have substantially better performance (CPU, network, caching, etc). So, it makes sense for the order of supported SSL/TLS cipher-suites, as exposed by the server anyway, to be based on security considerations rather than speed. IE/Netscape etc don't support EDH cipher-suites, nor many other oddball ones for that matter, so this isn't a "problem". But, if the browser expresses support for them, it makes sense for the *default* (in lieu of any settings/overrides by the server-admin or browser-user) to be the most secure choice. EDH suites have Perfect Forward Secrecy, which from a security point of view is much better than other (faster) suites without that property. If speed is the issue, then that changes things - but the server shouldn't assume that focus for the user/admin by default - it is a *security* module after all.

A benchmarking program for https support should make it clear in docs and/or command-line usage how it deals with cipher-suite selection. It makes a big difference to the type of security being used, and the CPU/bandwidth requirements of the SSL/TLS negotiation at either end (eg. consider the difference between DSA and RSA on the bias of workload between client and server!). Typically people only think about the speed, never give a moment's thought to the security (which is odd given they're installing https support), and don't even pay attention to which cipher suite is being used when *measuring* the speed. Read: a crap SSL/TLS server can fool you into thinking it's better than a full-grade security module for apache with all the trimmings, simply because it refuses to support higher-grade security parameters from the outset.

Security is not a rubber stamp - nor a padlock icon in the browser window. A server that thinks any cipher-suite is "good enough" *for* the admin rather than letting the admin specify that if it is so, is programmed/designed by anyone *except* the security savvy.

Cheers,
Geoff
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]
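The selection behaviour the thread argues about, as an added example that is not part of the original message and not mod_ssl or OpenSSL code. It models the server-side choice of a cipher suite from two ordered lists and shows why a security-first server default picks an EDH (forward-secret) suite when the client offers one, falls back harmlessly for a client without EDH, and why a server that only lists RC4 "refuses higher-grade parameters from the outset". The suite lists, the client names and the `report()` helper are constructed for this illustration; in mod_ssl the server's list is whatever the `SSLCipherSuite` directive expands to, and the client's list is what its ClientHello offers.

```python
# Added example: a model of SSL/TLS cipher-suite selection, written for this
# page to illustrate the point about default cipher-suite ordering.  It is
# not mod_ssl or OpenSSL code; every list and name below is constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Suite:
    """The properties of a suite that matter for the argument above."""
    name: str   # IANA cipher-suite name
    kx: str     # key exchange: "RSA" (static) or "DHE" (ephemeral, the "EDH" suites)
    bulk: str   # bulk cipher
    bits: int   # bulk cipher key length

    @property
    def pfs(self) -> bool:
        # Forward secrecy comes from the ephemeral key exchange: a later
        # compromise of the server's long-term RSA key does not recover the
        # session keys.  Static-RSA suites do not have this property.
        return self.kx == "DHE"


CATALOG: Dict[str, Suite] = {s.name: s for s in [
    Suite("TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "DHE", "3DES", 168),
    Suite("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "RSA", "3DES", 168),
    Suite("TLS_RSA_WITH_RC4_128_SHA", "RSA", "RC4", 128),
    Suite("TLS_RSA_WITH_RC4_128_MD5", "RSA", "RC4", 128),
    Suite("TLS_RSA_EXPORT_WITH_RC4_40_MD5", "RSA", "RC4", 40),
]}

# Constructed preference lists (server: what SSLCipherSuite would expand to;
# client: the ClientHello order).  Most secure first for the server default.
SERVER_SECURITY_FIRST: List[str] = [
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
]
# A server tuned for connections/sec that simply never offers anything else.
SERVER_RC4_ONLY: List[str] = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
]
# A client that lists its fast suites first but does support EDH.
CLIENT_EDH_CAPABLE: List[str] = [
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
]
# A client with no EDH support, like the browsers mentioned in the thread.
CLIENT_NO_EDH: List[str] = [
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
]


def negotiate(server_prefs: List[str], client_offered: List[str],
              honor_server_order: bool = True) -> Optional[str]:
    """Return the suite the server picks, or None if the lists do not overlap.

    The server always makes the choice; what varies is whose ordering it
    walks.  A security-first server default only has an effect when the
    server's order is the one honoured.
    """
    first, second = ((server_prefs, client_offered) if honor_server_order
                     else (client_offered, server_prefs))
    available = set(second)
    for name in first:
        if name in available:
            return name
    return None


def report(server_prefs: List[str], client_offered: List[str],
           honor_server_order: bool = True) -> dict:
    """What a benchmark should print beside its connections/sec figure."""
    name = negotiate(server_prefs, client_offered, honor_server_order)
    if name is None:
        return {"suite": None, "kx": None, "bits": 0, "pfs": False}
    s = CATALOG[name]
    return {"suite": name, "kx": s.kx, "bits": s.bits, "pfs": s.pfs}


if __name__ == "__main__":
    scenarios = [
        ("security-first server, EDH-capable client", SERVER_SECURITY_FIRST, CLIENT_EDH_CAPABLE, True),
        ("security-first server, client without EDH", SERVER_SECURITY_FIRST, CLIENT_NO_EDH, True),
        ("RC4-only server, EDH-capable client", SERVER_RC4_ONLY, CLIENT_EDH_CAPABLE, True),
        ("security-first server, but client order honoured", SERVER_SECURITY_FIRST, CLIENT_EDH_CAPABLE, False),
    ]
    for label, srv, cli, honor in scenarios:
        print(f"{label}: {report(srv, cli, honor)}")
```

The fourth scenario is the benchmarking trap from the message: the same security-first server list yields an RC4 suite with no forward secrecy once the client's order is the one honoured, so two "https" measurements can be comparing different cipher suites unless the tool reports what `report()` returns.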
