[stunnel-users] question about Ephemeral Diffie-Hellman

Michal Trojnara Michal.Trojnara at mirt.net
Wed Mar 21 15:50:48 CET 2012


Guylhem wrote:
> I've read that EDH calculations were a cause
> of significant slow up on
> 
> http://matt.io/technobabble/hivemind_devops_alert:_nginx_does_not_suck_at_ssl/ur

<reply mode="polite">
Over-reliance on session resumption is as useful as ignoring session 
resumption altogether.  Benchmarking worst case scenarios may look like 
a good idea, but it is not a reasonable approach to bottleneck 
identification.
</reply>

It is also a good idea to use ECDHE ciphers instead of EDH for improved 
performance without sacrificing the PFS property.  Make sure to install 
a recent OpenSSL and stunnel.

Also see:
http://vincent.bernat.im/en/blog/2011-ssl-benchmark-round2.html

> I'm running stunnel on an embedded Linux/MIPS,
> where I'm trying to light up the load.

How many new sessions per second does your stunnel negotiate?  Maybe 
EDH is not your bottleneck.

> Is it possible to disable EDH? If so, how? I couldn't find any info 
> on that.

The answer is in the article you quoted.
The stunnel option is "ciphers":
http://www.stunnel.org/static/stunnel.html

Mike
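An added illustration of the "ciphers" option discussed above (not from the original post or from the stunnel project; the service name, ports, certificate path and cipher list are constructed). The cipher list is a standard OpenSSL cipher string: ECDHE suites are listed first so a capable client gets PFS at low cost, and "!kEDH" drops every suite that uses ephemeral DH, which is what "disabling EDH" amounts to.

```ini
; stunnel.conf fragment (constructed example, not a real deployment)
; Global options
cert = /etc/stunnel/stunnel.pem    ; hypothetical path to the server cert+key

[https]
; hypothetical service: terminate TLS on 443, forward plaintext to 8080
accept  = 443
connect = 127.0.0.1:8080

; Prefer ECDHE (cheap PFS on an embedded CPU), then plain RSA key exchange
; as a fallback for clients without ECC support.  "!kEDH" removes all
; DHE/EDH suites, "!aNULL" and "!eNULL" remove anonymous and null ciphers.
; ECDHE-*-GCM suites need OpenSSL 1.0.1 or later; ECDHE-*-SHA needs 1.0.0.
ciphers = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA:!kEDH:!aNULL:!eNULL
```

Before restarting stunnel, expand the string with `openssl ciphers -v '<the list>'` and confirm that no line shows `Kx=DH`; if ECDHE suites are missing from the output, the OpenSSL build stunnel is linked against is too old to provide them.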
