On Fri, Dec 19, 2014, Dave Thompson wrote:
> > From: openssl-users On Behalf Of Michael Wojcik
> > Sent: Thursday, December 18, 2014 21:27
> >
> > > From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> > > Of Kurt Roeckx
> > > Sent: Thursday, December 18, 2014 16:36
> > > To: openssl-users at openssl.org
> > > Subject: Re: [openssl-users] OpenSSL performance issue
> > >
> > > So the difference here is that Java picks a DHE ciphersuite while otherwise you
> > > didn't. DHE gives you forward secrecy but is slower.
> >
> > And if DH parameters have not been set, OpenSSL will have to generate
> > them on the fly, which can be *very* slow (relative to normal conversation
> > establishment).
>
> I think this is new in trunk; in all released versions of OpenSSL server
> it won't use DHE/A and or ECDHE/A if parameters have not been set.

I'm not aware of any version of OpenSSL that generates DH parameters on the fly. If no DH parameters are set then ephemeral DH ciphersuites are disabled.

It's a similar story for ECDH. OpenSSL 1.0.2+ supports "auto ECDH" which will look up ECDH parameters on the fly, but that's just a lookup, which is a cheap operation.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org