Newer SSL ciphers?

Support for security such as Firewalls and securing linux
mntbighker
Posts: 38
Joined: 2014/11/05 02:00:11

Newer SSL ciphers?

Postby mntbighker » 2015/11/25 01:54:28

I'm looking for the best way to update CentOS6 OpenSSL to include the newer, faster ciphers, or whether this is even practical. I'm hoping to speed up our rsync backups with something like aes128-gcm.

http://blog.famzah.net/2015/06/26/openssh-ciphers-performance-benchmark-update-2015/

I don't suppose there is an RPM somewhere? I would have thought EPEL would have something.

TrevorH
Forum Moderator
Posts: 21171
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Newer SSL ciphers?

Postby TrevorH » 2015/11/25 08:54:20

It's not practical. Your best bet is to make sure your machine supports aes-ni on the processor and make sure that you use a cipher that enables use of the hardware.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

aks
Posts: 2498
Joined: 2014/09/20 11:22:14

Re: Newer SSL ciphers?

Postby aks » 2015/11/25 17:02:18

Why do you need that specific algorithm? Are you forcing clients to use it?

mntbighker
Posts: 38
Joined: 2014/11/05 02:00:11

Re: Newer SSL ciphers?

Postby mntbighker » 2015/11/25 18:37:53

TrevorH wrote: It's not practical. Your best bet is to make sure your machine supports aes-ni on the processor and make sure that you use a cipher that enables use of the hardware.


Opteron on the server end and Xeon on the client end. Both say aes in cpuinfo. How would I determine which SSH cipher would use the hardware accel? It's a standard CentOS6 openssh*. I don't know if I was half asleep last night but there are a bunch of GCM ciphers there.

mntbighker
Posts: 38
Joined: 2014/11/05 02:00:11

Re: Newer SSL ciphers?

Postby mntbighker » 2015/11/25 18:40:04

aks wrote: Why do you need that specific algorithm? Are you forcing clients to use it?


I was hoping to force the fastest one for rsync backups. Recent versions removed all the old "fast" ones like ARCFOUR and Blowfish. Given the benchmarks it looks like the GCM ones are faster now anyway.

TrevorH
Forum Moderator
Posts: 21171
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Newer SSL ciphers?

Postby TrevorH » 2015/11/25 21:05:43


mntbighker
Posts: 38
Joined: 2014/11/05 02:00:11

Re: Newer SSL ciphers?

Postby mntbighker » 2015/11/25 22:56:09

TrevorH wrote: https://rhn.redhat.com/errata/RHEA-2012-0065.html and https://access.redhat.com/documentation ... ngine.html


Cool, so aes-128-ctr is the first on the list in my sshd_config, and it appears to be the fastest too, by far. The question is, how do you determine if hardware accel is being used by rsync/ssh? The CPUs on both ends support it.
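
An added example, not part of any post in this thread: shell functions for one way to approach the closing question. They check the `aes` CPU flag, read the first entry of a `Ciphers` line, and run `openssl speed -evp` twice, the second time with AES-NI masked through `OPENSSL_ia32cap`. Assumptions: OpenSSL 1.0.1 or later, and that sshd does its AES through the same OpenSSL library, so this measures the library rather than a live rsync/ssh session; the function names are illustrative.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Function names are illustrative.

# cpu_has_aes [FILE]: succeed if the "aes" flag is in a cpuinfo-format file.
cpu_has_aes() {
    grep -m1 '^flags' "${1:-/proc/cpuinfo}" | tr ' \t' '\n\n' | grep -qx 'aes'
}

# preferred_cipher FILE: print the first entry of the Ciphers line in an
# ssh_config/sshd_config file (prints nothing if the line is absent).
preferred_cipher() {
    awk 'tolower($1) == "ciphers" { split($2, c, ","); print c[1]; exit }' "$1"
}

# evp_name SSH_CIPHER: OpenSSH writes aes128-ctr, openssl writes aes-128-ctr.
# Only AES modes are mapped; anything else returns 1.
evp_name() {
    case "$1" in
        aes*-ctr|aes*-cbc|aes*-gcm@openssh.com)
            printf '%s\n' "$1" | sed -e 's/@.*$//' -e 's/^aes\([0-9]*\)-/aes-\1-/' ;;
        *) return 1 ;;
    esac
}

# bench EVP_NAME: throughput summary with AES-NI available, then with the
# AES-NI and PCLMULQDQ capability bits masked (assumes OpenSSL 1.0.1+).
bench() {
    echo "AES-NI available:"
    openssl speed -elapsed -evp "$1" 2>/dev/null | tail -n 1
    echo "AES-NI masked:"
    OPENSSL_ia32cap="~0x200000200000000" \
        openssl speed -elapsed -evp "$1" 2>/dev/null | tail -n 1
}

# report CONFIG_FILE: tie the three checks together.
report() {
    if cpu_has_aes; then echo "CPU flag: aes present"; else echo "CPU flag: aes absent"; fi
    local cipher evp
    cipher=$(preferred_cipher "$1")
    evp=$(evp_name "$cipher") || { echo "first cipher '$cipher' is not AES"; return 1; }
    bench "$evp"
}

# Run only when a config path is given, e.g.: ./aescheck.sh /etc/ssh/sshd_config
if [ "$#" -gt 0 ]; then report "$@"; fi
```

A large gap between the two throughput lines indicates the library is using the AES instructions; near-identical numbers indicate it is not.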