[stunnel-users] Inconsistent performance across stunnel and/or OpenSSL versions

Jason Haar Jason_Haar at trimble.com
Mon Apr 22 06:37:45 CEST 2013

On 19/04/13 07:02, PPingPongBaker PPingPongBaker wrote:
> It appears including static DH params in the certificate brings the
> performance back up in 4.40 and onward.

Does this mean stunnel dynamically generates DH keys if the "openssl
dhparam 2048" trick mentioned in the man page isn't done - and that
causes an initial pause that impacts the overall throughput? Would that
be once at startup, or per connection? I have seen some SSL apps where
there is (say) an hourly/daily cronjob that generates new DH keys into a
file, and the app uses that instead of doing it dynamically - very
similar to the append operation mentioned in the man page.

Actually, given how CPU intensive generating a 2048-bit DH key is, what
is the *real* downside of having a static DH key? Sounds to me there is
effectively no downside and some upside for doing that by default? Maybe
at least the package maintainers of stunnel (e.g. for Redhat/Debian)
should do that as part of their installation process? I'm sure we're all
for better performance if there's no real security downside.


PS: DH is two-way - so what is the client doing? e.g. if this was a web
browser going to mod_ssl on apache, does the client sit there thinking
hard - generating its DH key? Surely both ends would need to move to a
"static" key model to get the performance improvement?

PPS: crypto isn't my strongest area, so forgive my naive questions ;-)


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
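A defender-side check for the "append the output of openssl dhparam to the certificate file" step discussed in the post, added here as an example (it is not code from the stunnel project or from this thread): it parses the PEM file stunnel loads, reports whether a DH PARAMETERS block is present alongside the certificate and key, and decodes the PKCS#3 DER so you can confirm the group really is 2048 bits and not an old 1024-bit file. The sample PEM, its placeholder certificate and its DH modulus are constructed for the demonstration and are not real keys or a real safe prime.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_len(n):
    """DER length octets: short form below 128, else 0x80|count then big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_int(v):
    """DER INTEGER; the spare leading byte keeps a high-bit value positive."""
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + der_len(len(body)) + body

def dh_params_pem(p, g):
    """PEM for PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }."""
    seq = der_int(p) + der_int(g)
    b64 = base64.b64encode(b"\x30" + der_len(len(seq)) + seq).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{body}\n-----END DH PARAMETERS-----\n"

def read_tlv(buf, off=0):
    """Decode one DER element at offset: returns (tag, value bytes)."""
    tag, first, off = buf[off], buf[off + 1], off + 2
    if first & 0x80:  # long-form length: low bits give the number of length octets
        n = first & 0x7F
        first, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + first]

def dh_modulus_bits(der):
    """Bit length of the prime p in a DER-encoded DHParameter."""
    tag, seq = read_tlv(der)
    if tag != 0x30: raise ValueError("DH PARAMETERS is not a SEQUENCE")
    tag, p_bytes = read_tlv(seq)
    if tag != 0x02: raise ValueError("prime is not an INTEGER")
    return int.from_bytes(p_bytes, "big").bit_length()

def check_stunnel_pem(text, min_bits=2048):
    """Which PEM blocks the stunnel cert file holds, and whether its static DH group is large enough."""
    blocks = {label: base64.b64decode(body) for label, body in PEM_RE.findall(text)}
    bits = dh_modulus_bits(blocks["DH PARAMETERS"]) if "DH PARAMETERS" in blocks else None
    return {"has_cert": "CERTIFICATE" in blocks,
            "has_key": any(name.endswith("PRIVATE KEY") for name in blocks),
            "dh_bits": bits, "static_dh_ok": bits is not None and bits >= min_bits}

# Constructed sample: placeholder certificate plus a synthetic 2048-bit group (NOT a real safe prime).
FAKE_CERT = "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(b"constructed placeholder").decode() + "\n-----END CERTIFICATE-----\n"
SAMPLE_PEM = FAKE_CERT + dh_params_pem((1 << 2047) | 1, 2)
```

Run `check_stunnel_pem(open("/etc/stunnel/stunnel.pem").read())` against a real file; a `dh_bits` of `None` means stunnel has no static group to use and will fall back to whatever its build does by default.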
