>> Daniel Kinzler <dan...@brightbyte.de> wrote:
> hi all!
>
> In the hope i'm not clubbing a diseased donkey, i'd like to share an idea i
> ran
> across: we could use the RC4-128 cypher for secure.wikimedia.org, instead of
> AES256. RC4 is reportedly a lot faster (3 to 4 times the throughput). Since
> CPU
> capacity for encryption has been mentioned as one of the problems with making
> secure.wikimedia.org reliable, I thought it might help.
% openssl s_client -connect secure.wikimedia.org:443 -CApath
/usr/local/share/certs/ -cipher RC4-SHA
(...)
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-SHA
Session-ID: 23D5071FD392363CB3215134418219F083866583174FC2809795C4AB373F4EDC
(...)
seems to work for me.
If you want to give up benefts brought to you by the Diffie-Hellman ephemeral
key exchange, anyone may turn it off in their browser. In Seamonkey I have
at hand it's going into "about:config", and setting a whole bunch of
modes in "security.ssl3" to "false".
Not sure if this should be done server-side, though. Unless there is a dire need
and we can't support more sessions than we already do.
//Marcin
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
