ssl_prefer_server_ciphers

Eugene Peregudov
June 09, 2014 04:04AM
Hello!

How do things stand in nginx with regard to using AES-NI hardware acceleration?

OpenSSL recommends using the high-level EVP interface. The CLI output shows
that the corresponding methods are called and that acceleration is present
(OpenSSL 1.0.1e-fips 11 Feb 2013, RHEL6.5):
$ openssl speed -elapsed aes-128-cbc
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128 cbc      65708.40k    74542.55k    72715.78k   152230.91k   161742.85k

$ openssl speed -elapsed -evp aes-128-cbc
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     466421.73k   526309.33k   559382.53k   600289.28k   590875.31k

$ openssl speed -elapsed aes-256-cbc
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256 cbc      43067.45k    51166.19k    51947.09k   100144.13k   104420.69k

$ openssl speed -elapsed -evp aes-256-cbc
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc     364533.73k   389520.45k   433119.49k   458341.38k   450338.82k

In the code of the stable version (nginx-1.6.0) I found only aes_128_cbc, so
where is 256?
$ grep -R EVP_aes *
src/event/ngx_event_openssl.c: EVP_EncryptInit_ex(ectx, EVP_aes_128_cbc(), NULL, key[0].aes_key, iv);
src/event/ngx_event_openssl.c: EVP_DecryptInit_ex(ectx, EVP_aes_128_cbc(), NULL, key[i].aes_key, iv);

Does the following SSL config force the browser to use aes128/256 ciphers, and
will AES-NI actually be used?

ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_ciphers RSA+AES:ECDH+AES+aRSA:ECDH+AES+aECDSA:!AEDH:!EDH:!kEDH:!aNULL:!MD5:!LOW:!3DES:!EXP:!PSK:!SRP:!DSS:!RC4;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1 SSLv3;

--
With best regards, Eugene JONIK Peregudov
mailto: eugene.peregudov@gmail.com
_______________________________________________
nginx-ru mailing list
nginx-ru@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-ru