[openssl-users] OpenSSL performance issue

Michael Wojcik Michael.Wojcik at microfocus.com
Fri Dec 19 17:28:23 UTC 2014


> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> Of Dr. Stephen Henson
> Sent: Friday, December 19, 2014 11:37
> To: openssl-users at openssl.org
> Subject: Re: [openssl-users] OpenSSL performance issue
> 
> On Fri, Dec 19, 2014, Dave Thompson wrote:
> 
> > > From: openssl-users On Behalf Of Michael Wojcik
> > > Sent: Thursday, December 18, 2014 21:27
> >
> > >
> > > And if DH parameters have not been set, OpenSSL will have to
> > > generate them on the fly, which can be *very* slow (relative to
> > > normal conversation establishment).
> > >
> > I think this is new in trunk; in all released versions of OpenSSL
> > server it won't use DHE/A and/or ECDHE/A if parameters have not been set.
> >
> 
> I'm not aware of any version of OpenSSL that generates DH parameters on
> the fly. If no DH parameters are set then ephemeral DH ciphersuites are
> disabled.
> 
> It's a similar story for ECDH. OpenSSL 1.0.2+ supports "auto ECDH" which will
> look up ECDH parameters on the fly, but that's just a lookup, which is a cheap
> operation.

Thanks for the correction. There's a comment somewhere in our OpenSSL-invoking code about DH parameters being generated on the fly, but I guess that was based on a misunderstanding. (The code actually sets DH parameters; the comment was something along the lines of "we want to do this to avoid possible runtime delays when using DH suites".)

-- 
Michael Wojcik
Technology Specialist, Micro Focus





