Just found it.
The server respects the client's cipher preference by default:
it selects the suite preferred by the client among the cipherlist that both the client and server support.
So it's not enough to just increase the RSA cipher priority on the server side.
SSL_OP_CIPHER_SERVER_PREFERENCE will make the server select the suite that it itself most prefers among the cipherlist that both the client and server support.

At 2017-09-26 15:15:10, "李明" <mid_li@xxxxxxx> wrote:
Hello,

Currently, openssl prefers (EC)DHE handshakes over plain RSA, but (EC)DHE costs much more resources than RSA. In order to get higher performance, I want to prioritize RSA related ciphers. Does anyone know how to do it?

I have tried cipherlist "RSA:ALL:!COMPLEMENTOFDEFAULT:!eNULL", it looks fine in openssl command line

./openssl ciphers -v 'RSA:ALL:!COMPLEMENTOFDEFAULT:!eNULL'
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD

but, after SSL_CTX_set_cipher_list(ctx, "RSA:ALL:!COMPLEMENTOFDEFAULT:!eNULL") in my application, it didn't work, the first choice is still ECDHE-RSA-AES256-GCM-SHA384

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
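
The selection rule described in the reply above, as an added sketch that is not code from the thread or from OpenSSL itself: it models how the negotiated suite changes once the server's order decides instead of the client's. The names choose_suite and negotiate and both sample lists are hypothetical and constructed for illustration; in a real application the switch is SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE) alongside SSL_CTX_set_cipher_list().

```c
#include <stdio.h>
#include <string.h>

/* Model of server-side suite selection (a sketch, not OpenSSL source).
 * Both lists are ordered most-preferred first. With server_pref == 0 the
 * client's order decides; with server_pref != 0 (the effect of
 * SSL_OP_CIPHER_SERVER_PREFERENCE) the server's order decides. */
static const char *choose_suite(const char *const *server, size_t ns,
                                const char *const *client, size_t nc,
                                int server_pref)
{
    const char *const *outer = server_pref ? server : client;
    const char *const *inner = server_pref ? client : server;
    size_t no = server_pref ? ns : nc;
    size_t ni = server_pref ? nc : ns;

    for (size_t i = 0; i < no; i++)        /* walk the deciding side's order */
        for (size_t j = 0; j < ni; j++)    /* accept the first shared suite */
            if (strcmp(outer[i], inner[j]) == 0)
                return outer[i];
    return NULL;                           /* no shared suite: handshake fails */
}

/* Constructed sample lists: the server order puts RSA key exchange first,
 * the client offers ECDHE first (hypothetical client, for illustration). */
static const char *const SERVER_LIST[] = {
    "AES256-GCM-SHA384", "AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
};
static const char *const CLIENT_LIST[] = {
    "ECDHE-RSA-AES256-GCM-SHA384", "AES256-GCM-SHA384", "AES128-GCM-SHA256",
};
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Run the model on the sample lists with or without server preference. */
static const char *negotiate(int server_pref)
{
    return choose_suite(SERVER_LIST, COUNT(SERVER_LIST),
                        CLIENT_LIST, COUNT(CLIENT_LIST), server_pref);
}

int main(void)
{
    printf("client order decides: %s\n", negotiate(0));
    printf("server order decides: %s\n", negotiate(1));
    return 0;
}
```

Plain RSA key exchange gives up forward secrecy, so the CPU saving from reordering comes at that cost.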