[openssl-users] OpenSSL performance issue

Dr. Stephen Henson steve at openssl.org
Fri Dec 19 16:36:55 UTC 2014


On Fri, Dec 19, 2014, Dave Thompson wrote:

> > From: openssl-users On Behalf Of Michael Wojcik
> > Sent: Thursday, December 18, 2014 21:27
> 
> > > From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> > > Of Kurt Roeckx
> > > Sent: Thursday, December 18, 2014 16:36
> > > To: openssl-users at openssl.org
> > > Subject: Re: [openssl-users] OpenSSL performance issue
> > >
> > > So the difference here is that Java picks a DHE ciphersuite while otherwise
> > > you didn't.  DHE gives you forward secrecy but is slower.
> > 
> > And if DH parameters have not been set, OpenSSL will have to generate
> > them on the fly, which can be *very* slow (relative to normal conversation
> > establishment).
> > 
> I think this is new in trunk; in all released versions of OpenSSL server 
> it won't use DHE/A and/or ECDHE/A if parameters have not been set.
> 

I'm not aware of any version of OpenSSL that generates DH parameters on the
fly. If no DH parameters are set then ephemeral DH ciphersuites are disabled.

It's a similar story for ECDH. OpenSSL 1.0.2+ supports "auto ECDH", which
will look up ECDH parameters on the fly, but that's just a lookup, which is a
cheap operation.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

