<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<tt>I am curious about this statement that "(EC)DHE cost much more
resources than RSA". In particular, ECDHE is supposed to be less
computation-intensive than RSA for a given security level, so it
would be interesting to hear what your setup is where the reverse
is supposed to be observed.<br>
<br>
-Ben<br>
</tt><br>
<div class="moz-cite-prefix">On 09/26/2017 03:44 AM, 李明 wrote:<br>
</div>
<blockquote type="cite"
cite="mid:17db9aa9.af84.15ebd5be18e.Coremail.mid_li@163.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<div
style="line-height:1.7;color:#000000;font-size:14px;font-family:Arial">
<div>Just found it: </div>
<div> the server respects the client's cipher preference by default, </div>
<div><span style="color: rgb(36, 39, 41); font-family: Arial,
&quot;Helvetica Neue&quot;, Helvetica, sans-serif;
font-size: 15px;"> it selects the suite preferred by the client
among the cipherlist that both the client and server
support.</span></div>
<div> So it's not enough to just increase RSA cipher priority on
the server side; </div>
<div> <span style="color: rgb(36, 39, 41); font-family: Arial,
&quot;Helvetica Neue&quot;, Helvetica, sans-serif;
font-size: 15px;">SSL_OP_CIPHER_SERVER_PREFERENCE will make
the server select the suite that it itself most prefers among </span><span
style="color: rgb(36, 39, 41); font-family: Arial,
&quot;Helvetica Neue&quot;, Helvetica, sans-serif;
font-size: 15px;">the cipherlist that both the client and
server support</span><span style="color: rgb(36, 39, 41);
font-family: Arial, &quot;Helvetica Neue&quot;, Helvetica,
sans-serif; font-size: 15px;">.</span></div>
<br>
<br>
At 2017-09-26 15:15:10, "李明" <a class="moz-txt-link-rfc2396E" href="mailto:mid_li@163.com">&lt;mid_li@163.com&gt;</a> wrote:<br>
<blockquote id="isReplyContent" style="PADDING-LEFT: 1ex;
MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<div
style="line-height:1.7;color:#000000;font-size:14px;font-family:Arial">
<div>Hello, </div>
<div> Currently, openssl prefers (EC)DHE handshakes over
plain RSA, but (EC)DHE cost much more resources than RSA.</div>
<div> In order to get higher performance, I want to <span
style="color: rgb(67, 67, 67); font-family: Tahoma,
Arial, 宋体, &quot;Malgun Gothic&quot;; font-size: 12px;
line-height: 24px; background-color: rgb(242, 242,
242);"><span class="Apple-converted-space"> </span></span><span
id="blng_tran_14_6"
data-aligning="#blng_src_14_7,#blng_tran_14_6" class=""
style="margin: 0px; padding: 0px; border: 0px; outline:
0px; color: rgb(67, 67, 67); font-family: Tahoma, Arial,
宋体, &quot;Malgun Gothic&quot;; font-size: 12px;
line-height: 24px; background-color: rgb(242, 242,
242);">prioritize RSA related ciphers, does anyone know
how to do it?</span></div>
<div><span data-aligning="#blng_src_14_7,#blng_tran_14_6"
class="" style="margin: 0px; padding: 0px; border: 0px;
outline: 0px; color: rgb(67, 67, 67); font-family:
Tahoma, Arial, 宋体, &quot;Malgun Gothic&quot;; font-size:
12px; line-height: 24px; background-color: rgb(242, 242,
242);"> </span></div>
<div><span data-aligning="#blng_src_14_7,#blng_tran_14_6"
class="" style="margin: 0px; padding: 0px; border: 0px;
outline: 0px; color: rgb(67, 67, 67); font-family:
Tahoma, Arial, 宋体, &quot;Malgun Gothic&quot;; font-size:
12px; line-height: 24px; background-color: rgb(242, 242,
242);"> I have tried cipherlist "</span><span
style="color: rgb(67, 67, 67); font-family: Tahoma,
Arial, 宋体, &quot;Malgun Gothic&quot;; font-size: 12px;">RSA:ALL:!COMPLEMENTOFDEFAULT:!eNULL</span><span
style="background-color: rgb(242, 242, 242); color:
rgb(67, 67, 67); font-family: Tahoma, Arial, 宋体,
&quot;Malgun Gothic&quot;; font-size: 12px;">", it
looks fine on the openssl command line</span></div>
<div><span data-aligning="#blng_src_14_7,#blng_tran_14_6"
class="" style="margin: 0px; padding: 0px; border: 0px;
outline: 0px; color: rgb(67, 67, 67); font-family:
Tahoma, Arial, 宋体, &quot;Malgun Gothic&quot;; font-size:
12px; line-height: 24px; background-color: rgb(242, 242,
242);"> </span><font color="#434343" face="Tahoma,
Arial, 宋体, Malgun Gothic"><span style="font-size: 12px;">./openssl
ciphers -v 'RSA:ALL:!COMPLEMENTOFDEFAULT:!eNULL' </span></font></div>
<div><font color="#434343" face="Tahoma, Arial, 宋体, Malgun
Gothic"><span style="font-size: 12px;">AES256-GCM-SHA384
TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256)
Mac=AEAD</span></font></div>
<div><font color="#434343" face="Tahoma, Arial, 宋体, Malgun
Gothic"><span style="font-size: 12px;">AES128-GCM-SHA256
TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128)
Mac=AEAD</span></font></div>
<div><font color="#434343" face="Tahoma, Arial, 宋体, Malgun
Gothic"><span style="font-size: 12px;">AES256-SHA256
TLSv1.2 Kx=RSA Au=RSA Enc=AES(256)
Mac=SHA256</span></font></div>
<div><font color="#434343" face="Tahoma, Arial, 宋体, Malgun
Gothic"><span style="font-size: 12px;">AES128-SHA256
TLSv1.2 Kx=RSA Au=RSA Enc=AES(128)
Mac=SHA256</span></font></div>
<div><font color="#434343" face="Tahoma, Arial, 宋体, Malgun
Gothic"><span style="font-size: 12px;">AES256-SHA
SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1</span></font></div>
<div><font color="#434343" face="Tahoma, Arial, 宋体, Malgun
Gothic"><span style="font-size: 12px;">AES128-SHA
SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1</span></font></div>
<div><font color="#434343" face="Tahoma, Arial, 宋体, Malgun
Gothic"><span style="font-size: 12px;">ECDHE-ECDSA-AES256-GCM-SHA384
TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD</span></font></div>
<div><font color="#434343" face="Tahoma, Arial, 宋体, Malgun
Gothic"><span style="font-size: 12px;"><br>
</span></font></div>
<div><font color="#434343" face="Tahoma, Arial, 宋体, Malgun
Gothic"><span style="font-size: 12px;"> but, after
SSL_CTX_set_cipher_list(ctx, "</span></font><span
style="color: rgb(67, 67, 67); font-family: Tahoma,
Arial, 宋体, &quot;Malgun Gothic&quot;; font-size: 12px;">RSA:ALL:!COMPLEMENTOFDEFAULT:!eNULL</span><span
style="font-size: 12px; color: rgb(67, 67, 67);
font-family: Tahoma, Arial, 宋体, &quot;Malgun
Gothic&quot;;">") in my application, it didn't work,
the first choice is still </span><font color="#434343"
face="Tahoma, Arial, 宋体, Malgun Gothic"><span
style="font-size: 12px;">ECDHE-RSA-AES256-GCM-SHA384</span></font></div>
</div>
</blockquote>
</div>
</blockquote>
<br>
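<p>The selection rule described in the quoted message, as an added example that is not part of the original thread and not OpenSSL source: a simplified model in which <tt>choose_suite</tt>, <tt>first_common</tt> and the two sample lists are hypothetical names and constructed data. It shows why reordering only the server's cipher list leaves an ECDHE suite selected until server preference is switched on.</p>

```c
#include <stdio.h>
#include <string.h>

#define N(a) (sizeof(a) / sizeof((a)[0]))

/* Simplified model (illustration only): one list sets the priority order,
 * and the first entry that the other list also contains wins. */
static const char *first_common(const char *const *prio, size_t nprio,
                                const char *const *allow, size_t nallow)
{
    for (size_t i = 0; i < nprio; i++)
        for (size_t j = 0; j < nallow; j++)
            if (strcmp(prio[i], allow[j]) == 0)
                return prio[i];
    return NULL; /* no shared suite: the handshake would fail */
}

/* server_preference models SSL_OP_CIPHER_SERVER_PREFERENCE, which a real
 * application enables with
 *   SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
 * Without it the client's order decides; with it the server's order does. */
const char *choose_suite(const char *const *client, size_t nclient,
                         const char *const *server, size_t nserver,
                         int server_preference)
{
    if (server_preference)
        return first_common(server, nserver, client, nclient);
    return first_common(client, nclient, server, nserver);
}

/* Constructed sample data. SERVER_LIST is an abridged RSA-first ordering like
 * the one printed by `openssl ciphers -v` in the thread; CLIENT_LIST is an
 * assumed client that offers ECDHE suites first. */
const char *const SERVER_LIST[] = {
    "AES256-GCM-SHA384", "AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384" };
const char *const CLIENT_LIST[] = {
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-GCM-SHA384" };

int main(void)
{
    printf("default (client order):  %s\n",
           choose_suite(CLIENT_LIST, N(CLIENT_LIST), SERVER_LIST, N(SERVER_LIST), 0));
    printf("server preference set:   %s\n",
           choose_suite(CLIENT_LIST, N(CLIENT_LIST), SERVER_LIST, N(SERVER_LIST), 1));
    return 0;
}
```

<p>Suites listed with Kx=RSA provide no forward secrecy, which is the trade-off being made when they are placed ahead of (EC)DHE suites.</p>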
</body>
</html>