[openssl-users] How to increase the priority of some cipher ?

Benjamin Kaduk bkaduk at akamai.com
Tue Sep 26 16:58:43 UTC 2017


I am curious about this statement that "(EC)DHE cost much more resources
than RSA".  In particular, ECDHE is supposed to be less
computation-intensive than RSA for a given security level, so it would
be interesting to hear what your setup is where the reverse is supposed
to be observed.

-Ben

On 09/26/2017 03:44 AM, 李明 wrote:
> Just found it:
>  the server respects the client's cipher preference by default;
>  it selects the suite preferred by the client among the cipherlist that
> both the client and server support.
>  So it's not enough to just increase the RSA cipher priority on the
> server side;
>  SSL_OP_CIPHER_SERVER_PREFERENCE will make the server select the suite
> that it itself most prefers among the cipherlist that both the client and
> server support.
>
>
> At 2017-09-26 15:15:10, "李明" <mid_li at 163.com> wrote:
>
>     Hello,
>        Currently, openssl prefers (EC)DHE handshakes over plain RSA,
>     but (EC)DHE cost much more resources than RSA.
>        In order to get higher performance, I want to prioritize
>     RSA related ciphers. Does anyone know how to do it?
>
>        I have tried the cipherlist "RSA:ALL:!COMPLEMENTOFDEFAULT:!eNULL";
>     it looks fine on the openssl command line:
>        ./openssl ciphers -v 'RSA:ALL:!COMPLEMENTOFDEFAULT:!eNULL'
>     AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
>     AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
>     AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
>     AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
>     AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
>     AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
>     ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
>
>     But after SSL_CTX_set_cipher_list(ctx,
>     "RSA:ALL:!COMPLEMENTOFDEFAULT:!eNULL") in my application, it
>     didn't work; the first choice is still ECDHE-RSA-AES256-GCM-SHA384.
>
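
The selection rule described in this thread, as an added example that is not part of the original messages and not OpenSSL's own code: a small C model of why reordering the server's list alone changes nothing, and what server preference changes. The client list is constructed, the server list is abridged from the output quoted above, and `first_shared` and `demo_choice` are hypothetical names; in a real server the switch is `SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE)`.

```c
#include <stdio.h>
#include <string.h>

/* Server order: abridged from the `openssl ciphers -v` output quoted above,
 * plus the ECDHE-RSA suite the poster saw selected. */
static const char *const SERVER[] = {
    "AES256-GCM-SHA384", "AES128-GCM-SHA256", "AES256-SHA256",
    "AES128-SHA256", "AES256-SHA", "AES128-SHA",
    "ECDHE-RSA-AES256-GCM-SHA384",
};
/* Client order: constructed sample with ECDHE suites listed first. */
static const char *const CLIENT[] = {
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-GCM-SHA384", "AES128-GCM-SHA256",
};
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

static int offered(const char *name, const char *const *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(name, list[i]) == 0)
            return 1;
    return 0;
}

/* Walk the preferred side's list in order and return the first suite the
 * other side also offers; NULL means no shared suite (handshake fails). */
const char *first_shared(const char *const *preferred, size_t np,
                         const char *const *other, size_t no)
{
    for (size_t i = 0; i < np; i++)
        if (offered(preferred[i], other, no))
            return preferred[i];
    return NULL;
}

/* Default: client order decides. With server preference: server order. */
const char *demo_choice(int server_pref)
{
    return server_pref ? first_shared(SERVER, COUNT(SERVER), CLIENT, COUNT(CLIENT))
                       : first_shared(CLIENT, COUNT(CLIENT), SERVER, COUNT(SERVER));
}

int main(void)
{
    printf("client preference (default): %s\n", demo_choice(0));
    printf("server preference (option):  %s\n", demo_choice(1));
    return 0;
}
```

The suites chosen under server preference here are Kx=RSA, which do not provide forward secrecy.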
