OpenSSL performance issue

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Dec 19, 2014, Dave Thompson wrote:

> > From: openssl-users On Behalf Of Michael Wojcik
> > Sent: Thursday, December 18, 2014 21:27
> 
> > > From: openssl-users [mailto:openssl-users-bounces at openssl.org] On
> > Behalf
> > > Of Kurt Roeckx
> > > Sent: Thursday, December 18, 2014 16:36
> > > To: openssl-users at openssl.org
> > > Subject: Re: [openssl-users] OpenSSL performance issue
> > >
> > > So the differnce here is that jave picks a DHE ciphersuite while
> otherwise
> > you
> > > didn't.  DHE gives you forward secrecy but is slower.
> > 
> > And if DH parameters have not been set, OpenSSL will have to generate
> > them on the fly, which can be *very* slow (relative to normal conversation
> > establishment).
> > 
> I think this is new in trunk; in all released versions of OpenSSL server 
> it won't use DHE/A and or ECDHE/A if parameters have not been set.
> 

I'm not aware of any version of OpenSSL that generates DH parameters on the
fly. If no DH parameters are set then ephemeral DH ciphersuites are disabled.

It's a similar story for ECDH. OpenSSL 1.0.2+ supports "auto ECDH" which 
will look up ECDH parameters on the fly but that's just look up which is a
cheap operation.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux