Hi Rob,

Thank you for the information, it was helpful.

Peter Webb
Technical Analyst
Server Technology
Information Technology Services
T: 416-393-3549 


Toronto Transit Commission
McBrien Building, 1900 Yonge Street
Toronto, ON M4S 1Z2



-----Original Message-----
From: Linux on 390 Port <LINUX-390@VM.MARIST.EDU> On Behalf Of Rob van der Heij
Sent: Wednesday, June 10, 2020 9:54 AM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: [EXTERNAL] Re: z15 on-board compression

On Wed, 10 Jun 2020 at 15:28, Rob van der Heij <rvdh...@gmail.com> wrote:

> On Wed, 10 Jun 2020 at 14:55, Peter Webb, Toronto Transit Commission < 
> peter.w...@ttc.ca> wrote:
>
>> Hi Rob,
>>
>> Could you please point me to a list of the cipher suites with CPACF 
>> support?
>>
>
> If you're current on openssl in Linux, just stick with the AES ciphers 
> like aes256-ctr. Since the later openssl had built-in CPACF 
> instructions, it's not easy to see anymore with the crypto engine etc. 
> It's been ages since I looked at that...  I think "ssh -Q cipher" 
> shows the list your client tries; the server has a list as well, so 
> you can talk sense into this from either side.
>
> The problem we had was the Linux PC folks had googled for the "fastest 
> encryption in ssh" and decided to use arcfour or blowfish. Or their 
> focus may be on the "most secure" cipher suite. Obviously it does not 
> matter when your typing or reading is the bottleneck, but it does 
> count when you're moving ISO images over the network.
>

Old habits... just because I was curious, I did a quick check on my Linux 
guest. This is 1 GB and I trimmed all but the "user" time from the output, as 
that's where you see the cycles for the sending side (the receiving end 
consumes the same amount in the sshd child process)

[rvdheij@lnxrmh01 ~]$ time dd if=/dev/zero bs=1M count=1024 status=none | ssh -c aes256-ctr 127.0.0.1 wc --bytes
user 0m0.771s

[rvdheij@lnxrmh01 ~]$ time dd if=/dev/zero bs=1M count=1024 status=none | ssh -c aes256-...@openssh.com 127.0.0.1 wc --bytes
user 0m0.262s

[rvdheij@lnxrmh01 ~]$ time dd if=/dev/zero bs=1M count=1024 status=none | ssh -c chacha20-poly1...@openssh.com 127.0.0.1 wc --bytes
user 0m3.904s

So you use "ssh -Q cipher" to see what your client knows about, and if you pick 
one that the server does not support, ssh will list the ones that it knows 
about :-) In my case the first one they have in common is aes256-gcm (which 
appears to be better than aes256-ctr and an order of magnitude less than some
fancy software cipher for this simple case).

Blast from the past:
https://zvmperf.wordpress.com/2013/09/29/secret-key-performance/  (from the
z12 days)

Rob
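
The "first one they have in common" rule mentioned above, as an added example that is not part of the original thread: SSH picks the first cipher in the client's ordered list that the server also offers (RFC 4253, section 7.1), so the outcome can be predicted from the two lists. The function names and sample lists are constructed for illustration, and treating any "aes*" name as the preferred choice is an assumption based on the advice in the message.

```shell
#!/bin/sh
# Added example: predict the cipher ssh will negotiate from two comma-separated
# lists, and flag a result that is not an AES cipher.

# negotiated_cipher CLIENT_CSV SERVER_CSV
# Prints the first client entry that the server also lists; returns 1 if none.
negotiated_cipher() {
    client_csv=$1
    server_csv=$2
    old_ifs=$IFS
    IFS=,
    for c in $client_csv; do
        case ",$server_csv," in
            *",$c,"*) IFS=$old_ifs; printf '%s\n' "$c"; return 0 ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# is_aes_cipher NAME: returns 0 when the name starts with "aes" (assumption:
# these are the ciphers that benefit from the hardware support discussed).
is_aes_cipher() {
    case $1 in
        aes*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_pair CLIENT_CSV SERVER_CSV: prints "ok <cipher>", "warn <cipher>" or "none".
check_pair() {
    if ! chosen=$(negotiated_cipher "$1" "$2"); then
        echo "none"
        return
    fi
    if is_aes_cipher "$chosen"; then echo "ok $chosen"; else echo "warn $chosen"; fi
}

# On a live system the lists can be read from OpenSSH itself (sshd -T needs root):
#   client=$(ssh -G 127.0.0.1 | awk '$1=="ciphers"{print $2}')
#   server=$(sshd -T | awk '$1=="ciphers"{print $2}')
#   check_pair "$client" "$server"

# Constructed sample lists: the client prefers a non-AES cipher, so it wins.
SAMPLE_CLIENT="3des-cbc,aes256-ctr,aes128-ctr"
SAMPLE_SERVER="aes128-ctr,aes256-ctr,3des-cbc"
check_pair "$SAMPLE_CLIENT" "$SAMPLE_SERVER"
```

Only the client's order decides the result; reordering the server list changes nothing unless it removes the cipher altogether.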

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions, send email to 
lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www2.marist.edu/htbin/wlvindex?LINUX-390

