> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> Of Dr. Stephen Henson
> Sent: Friday, December 19, 2014 11:37
> To: openssl-users at openssl.org
> Subject: Re: [openssl-users] OpenSSL performance issue
>
> On Fri, Dec 19, 2014, Dave Thompson wrote:
>
> > > From: openssl-users On Behalf Of Michael Wojcik
> > > Sent: Thursday, December 18, 2014 21:27
> > >
> > > And if DH parameters have not been set, OpenSSL will have to
> > > generate them on the fly, which can be *very* slow (relative to
> > > normal conversation establishment).
> > >
> > I think this is new in trunk; in all released versions of OpenSSL
> > server it won't use DHE/A and or ECDHE/A if parameters have not been set.
> >
>
> I'm not aware of any version of OpenSSL that generates DH parameters on
> the fly. If no DH parameters are set then ephemeral DH ciphersuites are
> disabled.
>
> It's a similar story for ECDH. OpenSSL 1.0.2+ supports "auto ECDH" which will
> look up ECDH parameters on the fly but that's just look up which is a cheap
> operation.

Thanks for the correction. There's a comment somewhere in our OpenSSL-invoking code about DH parameters being generated on the fly, but I guess that was based on a misunderstanding. (The code actually sets DH parameters; the comment was something along the lines of "we want to do this to avoid possible runtime delays when using DH suites".)

--
Michael Wojcik
Technology Specialist, Micro Focus