Re: [openssl-users] How to increase the priority of some cipher ?

[李明]

The environment is quite simple，client use apachebench to  test the performance 
of a https server
the apachebench command is like this： ab -c 500 -n 1000000 https://xx.xx.xx.xx/
TLSv1.2,AES256-GCM-SHA384  ： the server can handle more than 1500 requests per 
second（cpu ： 99%）。
TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 :  the server can ONLY handle 500 requests 
per second（cpu ：99%）。




At 2017-09-27 00:58:43, "Benjamin Kaduk" <bka...@akamai.com> wrote:
I am curious about this statement that "(EC)DHE cost much more resources than 
RSA".  In particular, ECDHE is supposed to be less computation-intensive than 
RSA for a given security level, so it would be interesting to hear what your 
setup is where the reverse is supposed to be observed.

-Ben


On 09/26/2017 03:44 AM, 李明 wrote:

just find it, 
 server respect client's cipher preference  by default,  
 it selects the suite preferred by client among the cipherlist that both the 
client and server support.
 so it's not enough to just increase RSA cipher priority on server side ,  
 SSL_OP_CIPHER_SERVER_PREFERENCE will make the server select the suite that 
itself most prefer among the cipherlist that both the client and server support.


在 2017-09-26 15:15:10，"李明" <mid...@163.com> 写道：

Hello, 
   Currently, openssl prefer (EC)DHE handshakes over plain RSA, but (EC)DHE 
cost much more resouces than RSA.
   In order to get higher performance , I want to  prioritize RSA related 
ciphers, does anyone knows how to do it.
   
   I have tried cipherlist "RSA:ALL:!COMPLEMENTOFDEFAULT:!eNULL" , it looks 
fine in openssl command line
   ./openssl ciphers -v 'RSA:ALL:!COMPLEMENTOFDEFAULT:!eNULL' 
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) 
Mac=AEAD


 but, after SSL_CTX_set_cipher_list(ctx, "RSA:ALL:!COMPLEMENTOFDEFAULT:!eNULL") 
 in my application, it didn't work, the first choice is still 
ECDHE-RSA-AES256-GCM-SHA384



【网易自营】好吃到爆！鲜香弹滑加热即食，经典13香/麻辣小龙虾仅75元3斤>>      



【网易自营|30天无忧退货】仅售同款价1/4！MUJI制造商“2017秋冬舒适家居拖鞋系列”限时仅34.9元>>      




-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users