[openssl-users] How to increase the priority of some cipher ?
mid_li at 163.com
Wed Sep 27 00:52:01 UTC 2017
The environment is quite simple，client use apachebench to test the performance of a https server
the apachebench command is like this： ab -c 500 -n 1000000 https://xx.xx.xx.xx/
TLSv1.2,AES256-GCM-SHA384 ： the server can handle more than 1500 requests per second（cpu ： 99%）。
TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 : the server can ONLY handle 500 requests per second（cpu ：99%）。
At 2017-09-27 00:58:43, "Benjamin Kaduk" <bkaduk at akamai.com> wrote:
I am curious about this statement that "(EC)DHE cost much more resources than RSA". In particular, ECDHE is supposed to be less computation-intensive than RSA for a given security level, so it would be interesting to hear what your setup is where the reverse is supposed to be observed.
On 09/26/2017 03:44 AM, 李明 wrote:
just find it,
server respect client's cipher preference by default,
it selects the suite preferred by client among the cipherlist that both the client and server support.
so it's not enough to just increase RSA cipher priority on server side ,
SSL_OP_CIPHER_SERVER_PREFERENCE will make the server select the suite that itself most prefer among the cipherlist that both the client and server support.
在 2017-09-26 15:15:10，"李明" <mid_li at 163.com> 写道：
Currently, openssl prefer (EC)DHE handshakes over plain RSA, but (EC)DHE cost much more resouces than RSA.
In order to get higher performance , I want to prioritize RSA related ciphers, does anyone knows how to do it.
I have tried cipherlist "RSA:ALL:!COMPLEMENTOFDEFAULT:!eNULL" , it looks fine in openssl command line
./openssl ciphers -v 'RSA:ALL:!COMPLEMENTOFDEFAULT:!eNULL'
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
but, after SSL_CTX_set_cipher_list(ctx, "RSA:ALL:!COMPLEMENTOFDEFAULT:!eNULL") in my application, it didn't work, the first choice is still ECDHE-RSA-AES256-GCM-SHA384
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the openssl-users