Re: How to increase the priority of some cipher ?

Benjamin Kaduk via openssl-users <openssl-users@xxxxxxxxxxx> · Tue, 26 Sep 2017 11:58:43 -0500



    I am curious about this statement that "(EC)DHE cost much more
      resources than RSA".  In particular, ECDHE is supposed to be less
      computation-intensive than RSA for a given security level, so it
      would be interesting to hear what your setup is where the reverse
      is supposed to be observed.

      
      -Ben

    
    On 09/26/2017 03:44 AM, 李明 wrote:

    
        just find it, 
         server respect client's cipher preference  by default,  
         it selects the suite preferred by client
            among the cipherlist that both the client and server
            support.
         so it's not enough to just increase RSA cipher priority on
          server side ,  
         SSL_OP_CIPHER_SERVER_PREFERENCE will make
            the server select the suite that itself most prefer among the cipherlist that both the client and
            server support.
        

        在 2017-09-26 15:15:10，"李明" <mid_li@xxxxxxx> 写道：

        
            Hello, 
               Currently, openssl prefer (EC)DHE handshakes over
              plain RSA, but (EC)DHE cost much more resouces than RSA.
               In order to get higher performance , I want to  prioritize RSA related ciphers, does anyone knows
                how to do it.
               
               I have tried cipherlist "RSA:ALL:!COMPLEMENTOFDEFAULT:!eNULL" , it
                looks fine in openssl command line
               ./openssl
                  ciphers -v 'RSA:ALL:!COMPLEMENTOFDEFAULT:!eNULL' 
            AES256-GCM-SHA384 
                       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256)
                  Mac=AEAD
            AES128-GCM-SHA256 
                       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128)
                  Mac=AEAD
            AES256-SHA256   
                         TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256) 
                  Mac=SHA256
            AES128-SHA256   
                         TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128) 
                  Mac=SHA256
            AES256-SHA       
                        SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
            AES128-SHA       
                        SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
            ECDHE-ECDSA-AES256-GCM-SHA384
                  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
            

             but, after
                  SSL_CTX_set_cipher_list(ctx, "RSA:ALL:!COMPLEMENTOFDEFAULT:!eNULL")  in my application, it didn't work,
                the first choice is still ECDHE-RSA-AES256-GCM-SHA384
          
          
              【网易自营】好吃到爆！鲜香弹滑加热即食，经典13香/麻辣小龙虾仅75元3斤>>
                        
            
          【网易自营|30天无忧退货】仅售同款价1/4！MUJI制造商“2017秋冬舒适家居拖鞋系列”限时仅34.9元>>
                   
        
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users