[stunnel-users] question about Ephemeral Diffie-Hellman

Michal Trojnara Michal.Trojnara at mirt.net
Wed Mar 21 15:50:48 CET 2012

Guylhem wrote:
> I've read that EDH calculations were ca cause
> of significant slow up on
> http://matt.io/technobabble/hivemind_devops_alert:_nginx_does_not_suck_at_ssl/ur

<reply mode="polite">
Over-reliance on session resumption is as useful as ignoring session 
resumption altogether.  Benchmarking worst case scenarios may look like 
a good idea, but it is not a reasonable approach to bottleneck 

It is also a good idea to use ECDHE ciphers instead of EDH for improved 
performance without sacrificing PFS property.  Make sure to install 
recent OpenSSL and stunnel.

Also see:

> I'm running stunnel on a embedded Linux/MIPS,
> where I'm trying to light up the load.

How many new sessions per second does your stunnel negotiate?  Maybe 
EDH is not your bottleneck.

> Is it possible to disable EDH? If so, how? I couldn't find any info 
> on that.

The answer is in the article you quoted.
Stunnel option is "ciphers":


More information about the stunnel-users mailing list