On Sun, May 14, 2006 at 02:49:41PM +0000, gmu 2k6 wrote:

> with the tcp/ip-listening services it will allow us to make use
> of TLS in EDH mode but what is the best way when one
> for performance reasons wants no encryption:
> e1) DH with a shared secret?
> e2) just tell admins to make sure they do not allow any
> connections from outside the distributed system and
> possibly use a VLAN?
> e3) I'm still reading Eric Rescorla's book but beforehand,
> is there a TLS mode which does authentication only
> and for performance reason use a NULL cipher for the traffic?
>
> moreover I'd like to know if I have to secure saved sessions
> explicitly when I come to the conclusion that session saving
> is needed just because the connection overhead with TLS is
> too much?
Premature optimization is the root of all evil. First use the default TLS ciphers and figure out whether you are in fact running into performance issues. Bulk encryption is generally fast enough (~50MB/s per CPU...) that you saturate most network interfaces well before you run out of CPU. If you have multiple Gigabyte interfaces, you can disable encryption (the eNULL ciphersuite), but then you lose data integrity.

Connection setup is more expensive, but is this a real issue for you? If so, implement an external TLS session cache.

If RSA connection overhead is still too high, and all clients and servers are in the same organization, you could use Kerberos 5 via GSSAPI+SASL, and have SASL take care of many of the details. If bulk encryption is not prohibitive, allow SASL to negotiate a security layer and use the appropriate I/O callbacks instead of direct read/write operations.

Your questions are too broad to provide more concrete answers.

--
Viktor.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
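The eNULL point in the reply above (and the questioner's e3), as an added example that is not part of this thread: using Python's standard `ssl` module (assumed available, built against OpenSSL) to list which negotiable suites a context would allow with no encryption, and to build a context that explicitly excludes them. Whether `eNULL` can be selected at all depends on the local OpenSSL build and security level, so that case is reported rather than assumed.

```python
import ssl


def null_cipher_names(ctx):
    """Return the names of negotiable suites in ctx that provide no encryption.

    OpenSSL names these with a NULL token, e.g. NULL-SHA256 or
    ECDHE-ECDSA-NULL-SHA; AEAD/CBC suites never contain that token.
    """
    return [c["name"] for c in ctx.get_ciphers() if "NULL" in c["name"]]


def make_context(cipher_string="DEFAULT:!eNULL"):
    """Build a client context with an explicit cipher policy.

    The default policy keeps OpenSSL's DEFAULT list and additionally forbids
    the eNULL group, matching the advice to start from the default ciphers.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return ctx


def null_only_suites():
    """Try to build a context restricted to eNULL (authentication, no encryption).

    Returns the NULL suite names if the local OpenSSL build permits them,
    or None if set_ciphers rejects the string (no NULL suites compiled in,
    or the security level forbids them).
    """
    try:
        ctx = make_context("eNULL")
    except ssl.SSLError:
        return None
    return null_cipher_names(ctx)


def policy_report(ctx):
    """Summarise a context's cipher policy as a dict for logging or asserting."""
    return {
        "total_suites": len(ctx.get_ciphers()),
        "null_suites": null_cipher_names(ctx),
    }


if __name__ == "__main__":
    print("hardened:", policy_report(make_context()))
    print("eNULL only:", null_only_suites())
```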