On Tuesday 17 May 2005 04:33, Gervase Markham wrote:

> Would that have much effect on server computational load, or is the
> encryption and decryption not where most of the cycles go?

On a modern machine, the secret key encryption isn't
really noticed.  Public key operations chew up more time
and both tend to be dominated by PHP, etc. in bigger sites.

Still, once the connection is started up, there is that
constant minor drain.  I imagine if you can run hundreds
or thousands of sessions you might notice the drain for
encryption.

If you wanted to reduce server load, turn off all DES and
triple DES, and use AES (any length although experiment)
or RC4.  Also, use a 512 bit RSA key instead of a 1024
bit key.

In the Vhosts file in apache2, there is a variable called
SSLCipherSuite which allows you to prioritise the choice
of algorithms.  Here's what I use right now:

    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!SSLv2:!EXPORT:!NULL:!LOW

   http://apache2docs.paradoxical.co.uk/mod/mod_ssl.html.en#sslciphersuite

This command will tell you what cipher suites that string gives you:

    openssl ciphers -v 'ALL:!ADH:!SSLv2:!EXPORT:!NULL:!LOW'

And this command will show all the algorithms over a range
of block sizes.  For example, I see aes-128 doing 22669 blocks
of 8k size in 3 seconds.  That's 60 MB per second so I imagine
bandwidth limits will kick in well before that becomes an issue.

    openssl speed

Caveats - I've only been playing around with this for a few
hours...

iang
-- 
http://iang.org/
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
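
An added example, not part of the original mail: a shell filter that reads `openssl ciphers -v` output and flags suites that are anonymous, export-grade, unencrypted, DES/3DES or keyed below 128 bits, which approximates the classes the mail's cipher string and advice aim to exclude. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Audit `openssl ciphers -v` output against the exclusions discussed in the mail.
# Real use (assumes openssl is installed):
#   openssl ciphers -v 'ALL:!ADH:!SSLv2:!EXPORT:!NULL:!LOW' | audit_ciphers

# Constructed sample lines in the column layout that `openssl ciphers -v` prints.
sample_ciphers() {
cat <<'EOF'
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EOF
}

# Print "name: reasons" for every suite that matches an excluded class.
audit_ciphers() {
  awk '
  {
    reason = ""
    for (i = 2; i <= NF; i++) {
      if ($i == "Au=None")  reason = reason " anonymous-auth"   # ADH-style suites
      if ($i == "Enc=None") reason = reason " no-encryption"    # NULL suites
      if ($i == "export")   reason = reason " export-grade"     # EXPORT suites
      if ($i ~ /^Enc=(3DES|DES)\(/) reason = reason " DES-family"
      if ($i ~ /^Enc=.*\([0-9]+\)$/) {
        bits = $i                      # e.g. Enc=RC4(40) -> 40
        sub(/^.*\(/, "", bits)
        sub(/\)$/, "", bits)
        if (bits + 0 < 128) reason = reason " key<128"          # roughly LOW/EXPORT
      }
    }
    if (reason != "") printf "%s:%s\n", $1, reason
  }'
}

sample_ciphers | audit_ciphers
```

An empty result for a real cipher string means none of the listed classes survived the filter; any line printed names a suite to exclude explicitly.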