ssl_ciphers for speed
Aleksandar Lazic
al-nginx at none.at
Sun May 6 12:43:16 UTC 2012
Hi,
On 06-05-2012 11:20, Sparsh Gupta wrote:
> Thanks, I don't have AES support in my processor and I tried doing some
> benchmarks with the suggested cipher. I saw very negligible improvement
> unfortunately.
>
> Is this the best my processor can do?
> Or is there anything else I can tweak in my machine
> (and nginx) to improve SSL connections speed?
What do you get when you call

    openssl speed

or dedicated

    openssl speed rc4 aes sha1

For all your options for speed please call

    openssl speed --help

To see if openssl is able to use an ssl-engine please check the output of

    openssl engine -t -v

> Thanks
> Sparsh Gupta
BR
Aleks
> On 6 May 2012 00:57, ktm at rice.edu [3] <ktm at rice.edu [4]> wrote:
>
>> On Sat, May 05, 2012 at 06:23:24PM +0530, Sparsh Gupta wrote:
>> > Hello
>> >
>> > I am using nginx 2.0 built with OpenSSL 0.9.8 and I have the following
>> > configuration for my ssl:
>> >
>> > listen 443 ssl;
>> > ssl_certificate /etc/ssl/private/wildcardcert.crt;
>> > ssl_certificate_key /etc/ssl/private/wildcardcert.key;
>> > ssl_session_cache shared:SSL:20m;
>> > ssl_session_timeout 5m;
>> > ssl_prefer_server_ciphers on;
>> >
>> >
>> > Since I don't have ssl_ciphers I assume it's picking up the default
>> > settings 'HIGH:!ADH:!MD5;'
>> >
>> > I found quite a few articles to make the SSL connection strong and more
>> > secure but I am looking for a solution which is fastest in terms of
>> > negotiating an SSL connection. Can you recommend me some ssl_cipher / other
>> > settings I should try to boost speed. I don't transfer any secure data so I
>> > am not concerned about security.
>> >
>> > Thanks
>> > Sparsh Gupta
>>
>> Here is what we use for a use case with similar requirements:
>>
>> ssl_ciphers RC4:AES128+SHA:!kEDH:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
>>
>> RC4 is the fastest without hardware assist. If you have hardware support in
>> your processor for AES, put the AES128 first, instead of RC4.
>>
>> Regards,
>> Ken
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org [1]
>> http://mailman.nginx.org/mailman/listinfo/nginx [2]
Links:
------
[1] mailto:nginx at nginx.org
[2] http://mailman.nginx.org/mailman/listinfo/nginx
[3] mailto:ktm at rice.edu
[4] mailto:ktm at rice.edu
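
The comparison requested in the reply above, as an added example that is not part of the original thread: a small parser for the summary table that `openssl speed rc4 aes sha1` prints, ranking algorithms by throughput at one block size. The sample output is constructed (the figures are invented, not measured) and the names `parse_speed` and `rank` are hypothetical.

```python
import re

# Constructed sample in the layout of the `openssl speed rc4 aes sha1`
# summary table; the figures are invented for illustration, not measured.
SAMPLE = """\
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
rc4             210011.20k   356014.91k   402312.11k   415820.80k   420110.34k
aes-128 cbc      92013.44k    99120.02k   101544.96k   102301.70k   102498.30k
aes-192 cbc      78110.91k    83544.12k    85120.00k    85633.02k    85770.24k
aes-256 cbc      67320.55k    71401.60k    72588.03k    72911.87k    73007.10k
sha1             48120.30k   132044.80k   281600.51k   401220.61k   462110.72k
"""

# A data row: algorithm name (may contain a space), then one "<number>k" per column.
ROW = re.compile(r"^(\S.*?)\s+((?:\d+(?:\.\d+)?k\s*)+)$")

def parse_speed(text):
    """Return {algorithm: {block_size_bytes: thousands_of_bytes_per_second}}."""
    sizes, table = [], {}
    for line in text.splitlines():
        if line.startswith("type"):
            # The header row names the block size of each column.
            sizes = [int(n) for n in re.findall(r"(\d+) bytes", line)]
            continue
        m = ROW.match(line.strip())
        if not m or not sizes:
            continue  # progress lines, version banner, blank lines
        vals = [float(v.rstrip("k")) for v in m.group(2).split()]
        if len(vals) == len(sizes):
            table[m.group(1)] = dict(zip(sizes, vals))
    return table

def rank(table, block_size, only=None):
    """List (algorithm, throughput) pairs, fastest first, at one block size."""
    rows = [(name, cols[block_size]) for name, cols in table.items()
            if only is None or name in only]
    return sorted(rows, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    ciphers = ("rc4", "aes-128 cbc", "aes-256 cbc")
    for name, kbps in rank(parse_speed(SAMPLE), 8192, only=ciphers):
        print(f"{name:12s} {kbps:12.2f}k")
```

To use it on a real machine, pass the captured output of the `openssl speed` run to `parse_speed` in place of `SAMPLE`.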