I am curious about this statement that "(EC)DHE cost much more resources than RSA". In particular, ECDHE is supposed to be less computation-intensive than RSA for a given security level, so it would be interesting to hear what your setup is where the reverse is supposed to be observed.
-Ben On 09/26/2017 03:44 AM, 李明 wrote: > just find it, > server respect client's cipher preference by default, > it selects the suite preferred by client among the cipherlist that > both the client and server support. > so it's not enough to just increase RSA cipher priority on server > side , > SSL_OP_CIPHER_SERVER_PREFERENCE will make the server select the suite > that itself most prefer among the cipherlist that both the client and > server support. > > > 在 2017-09-26 15:15:10,"李明" <mid...@163.com> 写道: > > Hello, > Currently, openssl prefer (EC)DHE handshakes over plain RSA, > but (EC)DHE cost much more resouces than RSA. > In order to get higher performance , I want to prioritize > RSA related ciphers, does anyone knows how to do it. > > I have tried cipherlist "RSA:ALL:!COMPLEMENTOFDEFAULT:!eNULL" , > it looks fine in openssl command line > ./openssl ciphers -v 'RSA:ALL:!COMPLEMENTOFDEFAULT:!eNULL' > AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA > Enc=AESGCM(256) Mac=AEAD > AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA > Enc=AESGCM(128) Mac=AEAD > AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) > Mac=SHA256 > AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) > Mac=SHA256 > AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) > Mac=SHA1 > AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) > Mac=SHA1 > ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA > Enc=AESGCM(256) Mac=AEAD > > but, after SSL_CTX_set_cipher_list(ctx, > "RSA:ALL:!COMPLEMENTOFDEFAULT:!eNULL") in my application, it > didn't work, the first choice is still ECDHE-RSA-AES256-GCM-SHA384 > > > 【网易自营】好吃到爆!鲜香弹滑加热即食,经典13香/麻辣小龙虾仅75元3斤>> > > > <https://urldefense.proofpoint.com/v2/url?u=http-3A__you.163.com_item_detail-3Fid-3D1183001-26from-3Dweb-5Fgg-5Fmail-5Fjiaobiao-5F7&d=DwMGbw&c=96ZbZZcaMF4w0F4jpN6LZg&r=sssDLkeEEBWNIXmTsdpw8TZ3tAJx-Job4p1unc7rOhM&m=9XG00YH-TXMwr5BatSDo3-aXkgX3OLfrVpmGTZ0_xNo&s=M0z8KXSefITjBOTAhSaDL6NOtaRRtRw4rhfNrLy0ziE&e=> > > > > > 【网易自营|30天无忧退货】仅售同款价1/4!MUJI制造商“2017秋冬舒适家居拖鞋系列”限时仅34.9元>> > > <https://urldefense.proofpoint.com/v2/url?u=http-3A__you.163.com_item_detail-3Fid-3D1165011-26from-3Dweb-5Fgg-5Fmail-5Fjiaobiao-5F9&d=DwMGbw&c=96ZbZZcaMF4w0F4jpN6LZg&r=sssDLkeEEBWNIXmTsdpw8TZ3tAJx-Job4p1unc7rOhM&m=9XG00YH-TXMwr5BatSDo3-aXkgX3OLfrVpmGTZ0_xNo&s=w4ccrgVoE_hEGBGShI5YNJOv3tVpODp2_IPVuDMOUJs&e=> > > >
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
