[stunnel-users] question about Ephemeral Diffie-Hellman
Michal Trojnara
Michal.Trojnara at mirt.net
Wed Mar 21 15:50:48 CET 2012
Guylhem wrote:
> I've read that EDH calculations were a cause
> of significant slow up on
>
> http://matt.io/technobabble/hivemind_devops_alert:_nginx_does_not_suck_at_ssl/ur
<reply mode="polite">
Over-reliance on session resumption is as useful as ignoring session
resumption altogether. Benchmarking worst case scenarios may look like
a good idea, but it is not a reasonable approach to bottleneck
identification.
</reply>
It is also a good idea to use ECDHE ciphers instead of EDH for improved
performance without sacrificing the PFS property. Make sure to install
a recent OpenSSL and stunnel.
Also see:
http://vincent.bernat.im/en/blog/2011-ssl-benchmark-round2.html
> I'm running stunnel on an embedded Linux/MIPS,
> where I'm trying to lighten the load.
How many new sessions per second does your stunnel negotiate? Maybe
EDH is not your bottleneck.
> Is it possible to disable EDH? If so, how? I couldn't find any info
> on that.
The answer is in the article you quoted.
The stunnel option is "ciphers":
http://www.stunnel.org/static/stunnel.html
Mike
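
Added example, not part of the original message or of stunnel: a way to check what a candidate value for the "ciphers" option expands to before deploying it, so that EDH is really gone and ECDHE (PFS) is still offered. It assumes Python's ssl module is linked against OpenSSL; the function names and the cipher strings are constructed for illustration.

```python
import ssl

# Key-exchange labels reported by OpenSSL through Python's ssl module.
EPHEMERAL_DH = "kx-dhe"      # EDH/DHE: finite-field ephemeral Diffie-Hellman
EPHEMERAL_ECDH = "kx-ecdhe"  # ECDHE: elliptic-curve ephemeral Diffie-Hellman

def kx_groups(cipher_string):
    """Expand an OpenSSL cipher string and group the suites by key exchange.

    TLS 1.3 suites are skipped: OpenSSL configures them separately from the
    cipher string, and they always use an ephemeral key exchange.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if no suite matches
    groups = {}
    for suite in ctx.get_ciphers():
        if suite["protocol"] == "TLSv1.3" or suite["kea"] == "kx-any":
            continue
        groups.setdefault(suite["kea"], []).append(suite["name"])
    return groups

def audit(cipher_string):
    """Report whether EDH is still offered, whether ECDHE is offered, and
    which suites use some other key exchange (e.g. plain RSA, no PFS)."""
    groups = kx_groups(cipher_string)
    other = [name for kx, names in groups.items()
             if kx not in (EPHEMERAL_DH, EPHEMERAL_ECDH) for name in names]
    return {"edh": EPHEMERAL_DH in groups,
            "ecdhe": EPHEMERAL_ECDH in groups,
            "other_kx": other}

# Constructed candidates for a stunnel.conf line such as:
#   ciphers = EECDH+AES:EDH+AES:!kEDH
CANDIDATES = [
    "EECDH+AES:EDH+AES",        # ECDHE preferred, EDH still allowed
    "EECDH+AES:EDH+AES:!kEDH",  # same list with EDH key exchange removed
    "EECDH+AES:kRSA+AES:!kEDH", # no EDH, but RSA key transport loses PFS
]

if __name__ == "__main__":
    for candidate in CANDIDATES:
        result = audit(candidate)
        print(f"{candidate!r}: EDH={result['edh']} ECDHE={result['ecdhe']} "
              f"other key exchange={len(result['other_kx'])} suites")
```
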