I'm looking for the best way to update CentOS6 openSSL to include the newer, faster ciphers. Or if this is even practical. I'm hoping to speed up our rsync backups with something like aes128-gcm.
http://blog.famzah.net/2015/06/26/opens ... date-2015/
I don't suppose there is an RPM somewhere? I would have thought EPEL would have something.
Newer SSL ciphers?
Re: Newer SSL ciphers?
It's not practical. Your best bet is to make sure your machine supports aes-ni on the processor and make sure that you use a cipher that enables use of the hardware.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: Newer SSL ciphers?
Why do you need that specific algorithm? Are you forcing clients to use it?
-
- Posts: 38
- Joined: 2014/11/05 02:00:11
Re: Newer SSL ciphers?
Opteron on the server end and Xeon on the client end. Both say aes in cpuinfo. How would I determine which SSH cipher would use the hardware accel? It's a standard CentOS6 openssh*. I don't know if I was half asleep last night but there are a bunch of GCM ciphers there.TrevorH wrote:It's not practical. Your best bet is to make sure your machine supports aes-ni on the processor and make sure that you use a cipher that enables use of the hardware.
-
- Posts: 38
- Joined: 2014/11/05 02:00:11
Re: Newer SSL ciphers?
I was hoping to force the fastest one for rsync backups. Recent versions removed all the old "fast" ones like ARCFOUR and Blowfish. Given the benchmarks it looks like the GCM ones are faster now anyway.aks wrote:Why do you need that specific algorithm? Are you forcing clients to use it?
Re: Newer SSL ciphers?
https://rhn.redhat.com/errata/RHEA-2012-0065.html and https://access.redhat.com/documentation ... ngine.html
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
-
- Posts: 38
- Joined: 2014/11/05 02:00:11
Re: Newer SSL ciphers?
Cool, so aes-128-ctr is the first on the list in my sshd_config, and it appears to be the fastest too, by far. The question is, how do you determine if hardware accel is being used by rsync/ssh? The CPU on both ends support it.