"Joseph R. Junkin" <[EMAIL PROTECTED]> writes:

> EKR wrote:
> > 
> > "Joseph R. Junkin" <[EMAIL PROTECTED]> writes:
> > > I want to run a site with the lowest possible encryption for the highest
> > > performance.
> > Encryption and performance are not mutually opposed in the way
> > you might think.
> 
> OK, but why not? I am quite new to this (still learning) and do not
> understand why. I would assume that the system would work twice as hard
> to generate 128 bit SSL compared to 56 bit SSL.
Ok, the answer to your literal question is simple: 
SSL uses EXACTLY the same algorithm for RC4-40 as RC4-128. It
simply expands the 40 bit key to a 128 bit key before feeding
it to RC4. Thus, it's not any faster to use 40 bits. Actually
it's very slightly slower because the expansion takes some
time.

Now, not all 56-bit modes are equally fast. RC4 in 56 mode
(one of the experimental cipher suites) is going to be much
faster than DES-56. On the other hand 3DES (168 bit) is going
to be 3 times as slow as DES.

> > In the case of symmetric ciphers, RC4 is by far the fastest
> > and it's no slower in 128 bit mode than 40 bit mode. Thus,
> > I'd advise you to use RC4-128.
> 
> OK, I followed the steps for a US installation which included RSA. Can I
> still use RC4-128?
Yes.

> Would the configuration be:
> SSLCipherSuite ALL:!ADH:RC4-RSA:-HIGH:-MEDIUM:+LOW:+SSLv2:+EXP
> ??
I doubt it.

What you want to do here is to use RC4-128 whenever possible but use
RC4-40, DES, or 3DES (in that order) when necessary. Surely you don't
want to not talk to clients just because they will only speak a slower
cipher.

I'm not sure enough about how OpenSSL negotiates to advise you on how
to set this. It may not be possible to tell it what order to choose
ciphers in. Sorry.

I'm fairly sure this is wrong, however, since you've turned off all
the high security ciphers.

> Well, I have already created my key and received my cert from thawte for
> www.datafree.com
> I assume that I used the default settings which would be 1024??
I think it is. Ralf?

> Bottom line, what is/are the setting(s) that will place the lowest
> possible load on my server, assuming that I already have my certificate
> (www.datafree.com)?
I think you're overrating the effect of the symmetric cipher
on server load. Are you moving enormously large files? Do
you know that load is a problem?

-Ekr

-- 
[Eric Rescorla                                   [EMAIL PROTECTED]]
          PureTLS - free SSLv3/TLS software for Java
                http://www.rtfm.com/puretls/
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
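
Added example (not part of the original message, and not OpenSSL or mod_ssl code): a small Python sketch of the point made above about RC4-40 and RC4-128, showing that the export path hands RC4 a 16-byte key just like the 128-bit path. It assumes the SSLv3 specification's export derivation (MD5 over the 5-byte key and the two hello randoms), which the post does not spell out; the function names and all sample values are constructed for illustration.

```python
import hashlib

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling (KSA), then n bytes of keystream (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                  # KSA is always 256 swaps, for any key length
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                    # per-byte cost does not depend on the key
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def rc4_xor(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))

def sslv3_export_write_key(secret40: bytes, rand_a: bytes, rand_b: bytes) -> bytes:
    """Assumed SSLv3 export expansion: MD5(5-byte key + randoms) -> 16 bytes.
    For the client write key, rand_a is ClientHello.random, rand_b ServerHello.random."""
    if len(secret40) != 5:
        raise ValueError("export RC4 secret must be 5 bytes (40 bits)")
    return hashlib.md5(secret40 + rand_a + rand_b).digest()

def compare_paths() -> dict:
    # Constructed sample values, not taken from a real handshake.
    client_random = bytes(range(32))
    server_random = bytes(range(32, 64))
    key128 = bytes(range(100, 116))       # RC4-128: 16 secret bytes
    key40 = key128[:5]                    # RC4-40: only 5 secret bytes
    expanded = sslv3_export_write_key(key40, client_random, server_random)
    msg = b"GET / HTTP/1.0\r\n\r\n"
    return {
        "len_fed_to_rc4_128": len(key128),
        "len_fed_to_rc4_40": len(expanded),   # also 16: same RC4 work per byte
        "roundtrip_128": rc4_xor(key128, rc4_xor(key128, msg)) == msg,
        "roundtrip_40": rc4_xor(expanded, rc4_xor(expanded, msg)) == msg,
    }

if __name__ == "__main__":
    print(compare_paths())
```

The only extra work on the 40-bit path is the one MD5 call per key at handshake time; the secrecy of the resulting key is still only 40 bits because the randoms are sent in the clear.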
