SSL Cipher Suite

This thread in the forum "Webserver (Software): Linux, Unix, etc." was created by bayliner, 12 May 2013.

  1. bayliner

    bayliner Member

    Member since:
    6 January 2003
    Posts:
    154
    I would like an SSL cipher suite that is fast and secure.



    I currently use:

    RC4-SHA:HIGH:!ADH:!AES256-SHA:!ECDHE-RSA-AES256-SHA384:!AES128-SHA:!DES-CBC3-SHA:!DES-CBC3-MD5:!IDEA-CBC-SHA:!RC4-MD5:!IDEA-CBC-MD5:!RC2-CBC-MD5:!MD5:!aNULL:!EDH:!AESGCM

    On SSL Labs this gives me a score of A with:
    Certificate: 100
    Protocol Support: 85
    Key Exchange: 90
    Cipher Strength: 90




    Example using webhostlist:
    https://www.ssllabs.com/ssltest/analyze.html?d=webhostlist.de


    My SSL ciphers look like this:

    Code:
    root@server [~]# openssl ciphers -v
    DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
    DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
    DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
    DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(256) Mac=SHA1
    AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
    CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
    PSK-AES256-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA1
    EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
    EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
    DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
    PSK-3DES-EDE-CBC-SHA    SSLv3 Kx=PSK      Au=PSK  Enc=3DES(168) Mac=SHA1
    KRB5-DES-CBC3-SHA       SSLv3 Kx=KRB5     Au=KRB5 Enc=3DES(168) Mac=SHA1
    KRB5-DES-CBC3-MD5       SSLv3 Kx=KRB5     Au=KRB5 Enc=3DES(168) Mac=MD5
    DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
    DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
    DHE-RSA-SEED-SHA        SSLv3 Kx=DH       Au=RSA  Enc=SEED(128) Mac=SHA1
    DHE-DSS-SEED-SHA        SSLv3 Kx=DH       Au=DSS  Enc=SEED(128) Mac=SHA1
    DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
    DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(128) Mac=SHA1
    AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
    SEED-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=SEED(128) Mac=SHA1
    CAMELLIA128-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1
    PSK-AES128-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA1
    RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
    RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
    PSK-RC4-SHA             SSLv3 Kx=PSK      Au=PSK  Enc=RC4(128)  Mac=SHA1
    KRB5-RC4-SHA            SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128)  Mac=SHA1
    KRB5-RC4-MD5            SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128)  Mac=MD5
    EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
    EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS  Enc=DES(56)   Mac=SHA1
    DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
    KRB5-DES-CBC-SHA        SSLv3 Kx=KRB5     Au=KRB5 Enc=DES(56)   Mac=SHA1
    KRB5-DES-CBC-MD5        SSLv3 Kx=KRB5     Au=KRB5 Enc=DES(56)   Mac=MD5
    EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
    EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS  Enc=DES(40)   Mac=SHA1 export
    EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
    EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
    EXP-KRB5-RC2-CBC-SHA    SSLv3 Kx=KRB5     Au=KRB5 Enc=RC2(40)   Mac=SHA1 export
    EXP-KRB5-DES-CBC-SHA    SSLv3 Kx=KRB5     Au=KRB5 Enc=DES(40)   Mac=SHA1 export
    EXP-KRB5-RC2-CBC-MD5    SSLv3 Kx=KRB5     Au=KRB5 Enc=RC2(40)   Mac=MD5  export
    EXP-KRB5-DES-CBC-MD5    SSLv3 Kx=KRB5     Au=KRB5 Enc=DES(40)   Mac=MD5  export
    EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
    EXP-KRB5-RC4-SHA        SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(40)   Mac=SHA1 export
    EXP-KRB5-RC4-MD5        SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(40)   Mac=MD5  export
    
    My speed test outputs the following:

    Code:
    root@server [~]# openssl speed
    Doing md2 for 3s on 16 size blocks: 474084 md2's in 2.97s
    Doing md2 for 3s on 64 size blocks: 241366 md2's in 2.99s
    Doing md2 for 3s on 256 size blocks: 82394 md2's in 2.99s
    Doing md2 for 3s on 1024 size blocks: 22285 md2's in 2.98s
    Doing md2 for 3s on 8192 size blocks: 2913 md2's in 2.99s
    Doing md4 for 3s on 16 size blocks: 15408401 md4's in 2.99s
    Doing md4 for 3s on 64 size blocks: 11643449 md4's in 2.99s
    Doing md4 for 3s on 256 size blocks: 6758324 md4's in 2.99s
    Doing md4 for 3s on 1024 size blocks: 2511337 md4's in 2.99s
    Doing md4 for 3s on 8192 size blocks: 369471 md4's in 2.99s
    Doing md5 for 3s on 16 size blocks: 10778553 md5's in 2.99s
    Doing md5 for 3s on 64 size blocks: 7947048 md5's in 2.99s
    Doing md5 for 3s on 256 size blocks: 4448305 md5's in 2.99s
    Doing md5 for 3s on 1024 size blocks: 1623339 md5's in 2.98s
    Doing md5 for 3s on 8192 size blocks: 232471 md5's in 2.99s
    Doing hmac(md5) for 3s on 16 size blocks: 8889766 hmac(md5)'s in 2.99s
    Doing hmac(md5) for 3s on 64 size blocks: 6616482 hmac(md5)'s in 2.99s
    Doing hmac(md5) for 3s on 256 size blocks: 3974429 hmac(md5)'s in 2.99s
    Doing hmac(md5) for 3s on 1024 size blocks: 1547365 hmac(md5)'s in 2.99s
    Doing hmac(md5) for 3s on 8192 size blocks: 234744 hmac(md5)'s in 2.99s
    Doing sha1 for 3s on 16 size blocks: 12733589 sha1's in 2.99s
    Doing sha1 for 3s on 64 size blocks: 8873695 sha1's in 2.99s
    Doing sha1 for 3s on 256 size blocks: 4764023 sha1's in 2.99s
    Doing sha1 for 3s on 1024 size blocks: 1680372 sha1's in 2.99s
    Doing sha1 for 3s on 8192 size blocks: 239810 sha1's in 2.98s
    Doing sha256 for 3s on 16 size blocks: 7493343 sha256's in 2.99s
    Doing sha256 for 3s on 64 size blocks: 4125241 sha256's in 2.99s
    Doing sha256 for 3s on 256 size blocks: 1720908 sha256's in 2.99s
    Doing sha256 for 3s on 1024 size blocks: 514271 sha256's in 2.99s
    Doing sha256 for 3s on 8192 size blocks: 68029 sha256's in 2.99s
    Doing sha512 for 3s on 16 size blocks: 5844683 sha512's in 2.98s
    Doing sha512 for 3s on 64 size blocks: 5933570 sha512's in 2.99s
    Doing sha512 for 3s on 256 size blocks: 2215443 sha512's in 2.99s
    Doing sha512 for 3s on 1024 size blocks: 759109 sha512's in 2.99s
    Doing sha512 for 3s on 8192 size blocks: 107725 sha512's in 2.99s
    Doing whirlpool for 3s on 16 size blocks: 4551423 whirlpool's in 2.99s
    Doing whirlpool for 3s on 64 size blocks: 2430307 whirlpool's in 2.99s
    Doing whirlpool for 3s on 256 size blocks: 1024806 whirlpool's in 2.99s
    Doing whirlpool for 3s on 1024 size blocks: 307611 whirlpool's in 2.98s
    Doing whirlpool for 3s on 8192 size blocks: 41003 whirlpool's in 2.99s
    Doing rmd160 for 3s on 16 size blocks: 7170937 rmd160's in 2.99s
    Doing rmd160 for 3s on 64 size blocks: 4388080 rmd160's in 2.99s
    Doing rmd160 for 3s on 256 size blocks: 1995164 rmd160's in 2.99s
    Doing rmd160 for 3s on 1024 size blocks: 616107 rmd160's in 2.99s
    Doing rmd160 for 3s on 8192 size blocks: 83003 rmd160's in 2.98s
    Doing rc4 for 3s on 16 size blocks: 77454257 rc4's in 2.99s
    Doing rc4 for 3s on 64 size blocks: 31672140 rc4's in 2.99s
    Doing rc4 for 3s on 256 size blocks: 9085925 rc4's in 2.99s
    Doing rc4 for 3s on 1024 size blocks: 2357192 rc4's in 2.99s
    Doing rc4 for 3s on 8192 size blocks: 297075 rc4's in 2.99s
    Doing des cbc for 3s on 16 size blocks: 11927209 des cbc's in 2.99s
    Doing des cbc for 3s on 64 size blocks: 3128863 des cbc's in 2.99s
    Doing des cbc for 3s on 256 size blocks: 795984 des cbc's in 2.98s
    Doing des cbc for 3s on 1024 size blocks: 194082 des cbc's in 2.99s
    Doing des cbc for 3s on 8192 size blocks: 24450 des cbc's in 2.99s
    Doing des ede3 for 3s on 16 size blocks: 4648679 des ede3's in 2.99s
    Doing des ede3 for 3s on 64 size blocks: 1174277 des ede3's in 2.99s
    Doing des ede3 for 3s on 256 size blocks: 301527 des ede3's in 2.99s
    Doing des ede3 for 3s on 1024 size blocks: 74478 des ede3's in 2.99s
    Doing des ede3 for 3s on 8192 size blocks: 9302 des ede3's in 2.99s
    Doing aes-128 cbc for 3s on 16 size blocks: 19956937 aes-128 cbc's in 2.99s
    Doing aes-128 cbc for 3s on 64 size blocks: 5354290 aes-128 cbc's in 2.99s
    Doing aes-128 cbc for 3s on 256 size blocks: 1364804 aes-128 cbc's in 2.99s
    Doing aes-128 cbc for 3s on 1024 size blocks: 340714 aes-128 cbc's in 2.99s
    Doing aes-128 cbc for 3s on 8192 size blocks: 40210 aes-128 cbc's in 2.98s
    Doing aes-192 cbc for 3s on 16 size blocks: 16832528 aes-192 cbc's in 2.99s
    Doing aes-192 cbc for 3s on 64 size blocks: 4424972 aes-192 cbc's in 2.99s
    Doing aes-192 cbc for 3s on 256 size blocks: 1139493 aes-192 cbc's in 2.99s
    Doing aes-192 cbc for 3s on 1024 size blocks: 285220 aes-192 cbc's in 2.99s
    Doing aes-192 cbc for 3s on 8192 size blocks: 35476 aes-192 cbc's in 2.99s
    Doing aes-256 cbc for 3s on 16 size blocks: 14436128 aes-256 cbc's in 2.99s
    Doing aes-256 cbc for 3s on 64 size blocks: 3840811 aes-256 cbc's in 2.99s
    Doing aes-256 cbc for 3s on 256 size blocks: 963279 aes-256 cbc's in 2.99s
    Doing aes-256 cbc for 3s on 1024 size blocks: 245477 aes-256 cbc's in 2.99s
    Doing aes-256 cbc for 3s on 8192 size blocks: 31046 aes-256 cbc's in 2.99s
    Doing aes-128 ige for 3s on 16 size blocks: 19926918 aes-128 ige's in 2.99s
    Doing aes-128 ige for 3s on 64 size blocks: 5111050 aes-128 ige's in 2.98s
    Doing aes-128 ige for 3s on 256 size blocks: 1296315 aes-128 ige's in 2.99s
    Doing aes-128 ige for 3s on 1024 size blocks: 328094 aes-128 ige's in 2.99s
    Doing aes-128 ige for 3s on 8192 size blocks: 40926 aes-128 ige's in 2.99s
    Doing aes-192 ige for 3s on 16 size blocks: 17026597 aes-192 ige's in 2.99s
    Doing aes-192 ige for 3s on 64 size blocks: 4209891 aes-192 ige's in 2.99s
    Doing aes-192 ige for 3s on 256 size blocks: 1085077 aes-192 ige's in 2.99s
    Doing aes-192 ige for 3s on 1024 size blocks: 270136 aes-192 ige's in 2.99s
    Doing aes-192 ige for 3s on 8192 size blocks: 34008 aes-192 ige's in 2.99s
    Doing aes-256 ige for 3s on 16 size blocks: 14566404 aes-256 ige's in 2.99s
    Doing aes-256 ige for 3s on 64 size blocks: 3706570 aes-256 ige's in 2.99s
    Doing aes-256 ige for 3s on 256 size blocks: 934310 aes-256 ige's in 2.99s
    Doing aes-256 ige for 3s on 1024 size blocks: 231189 aes-256 ige's in 2.98s
    Doing aes-256 ige for 3s on 8192 size blocks: 29463 aes-256 ige's in 2.99s
    Doing camellia-128 cbc for 3s on 16 size blocks: 18098600 camellia-128 cbc's in 2.99s
    Doing camellia-128 cbc for 3s on 64 size blocks: 6881720 camellia-128 cbc's in 2.99s
    Doing camellia-128 cbc for 3s on 256 size blocks: 1963968 camellia-128 cbc's in 2.99s
    Doing camellia-128 cbc for 3s on 1024 size blocks: 493543 camellia-128 cbc's in 2.99s
    Doing camellia-128 cbc for 3s on 8192 size blocks: 62808 camellia-128 cbc's in 2.99s
    Doing camellia-192 cbc for 3s on 16 size blocks: 15626557 camellia-192 cbc's in 2.99s
    Doing camellia-192 cbc for 3s on 64 size blocks: 5344125 camellia-192 cbc's in 2.98s
    Doing camellia-192 cbc for 3s on 256 size blocks: 1499393 camellia-192 cbc's in 2.99s
    Doing camellia-192 cbc for 3s on 1024 size blocks: 384462 camellia-192 cbc's in 2.99s
    Doing camellia-192 cbc for 3s on 8192 size blocks: 47994 camellia-192 cbc's in 2.99s
    Doing camellia-256 cbc for 3s on 16 size blocks: 15749617 camellia-256 cbc's in 2.99s
    Doing camellia-256 cbc for 3s on 64 size blocks: 5453229 camellia-256 cbc's in 2.99s
    Doing camellia-256 cbc for 3s on 256 size blocks: 1477649 camellia-256 cbc's in 2.99s
    Doing camellia-256 cbc for 3s on 1024 size blocks: 377994 camellia-256 cbc's in 2.99s
    Doing camellia-256 cbc for 3s on 8192 size blocks: 47345 camellia-256 cbc's in 2.99s
    Doing seed cbc for 3s on 16 size blocks: 13674431 seed cbc's in 2.99s
    Doing seed cbc for 3s on 64 size blocks: 3425360 seed cbc's in 2.99s
    Doing seed cbc for 3s on 256 size blocks: 850701 seed cbc's in 2.98s
    Doing seed cbc for 3s on 1024 size blocks: 212068 seed cbc's in 2.99s
    Doing seed cbc for 3s on 8192 size blocks: 26721 seed cbc's in 2.99s
    Doing rc2 cbc for 3s on 16 size blocks: 7494866 rc2 cbc's in 2.99s
    Doing rc2 cbc for 3s on 64 size blocks: 1913607 rc2 cbc's in 2.99s
    Doing rc2 cbc for 3s on 256 size blocks: 483570 rc2 cbc's in 2.99s
    Doing rc2 cbc for 3s on 1024 size blocks: 119873 rc2 cbc's in 2.99s
    Doing rc2 cbc for 3s on 8192 size blocks: 15049 rc2 cbc's in 2.98s
    Doing blowfish cbc for 3s on 16 size blocks: 20898684 blowfish cbc's in 2.99s
    Doing blowfish cbc for 3s on 64 size blocks: 5525448 blowfish cbc's in 2.99s
    Doing blowfish cbc for 3s on 256 size blocks: 1417618 blowfish cbc's in 2.99s
    Doing blowfish cbc for 3s on 1024 size blocks: 359545 blowfish cbc's in 2.99s
    Doing blowfish cbc for 3s on 8192 size blocks: 45001 blowfish cbc's in 2.99s
    Doing cast cbc for 3s on 16 size blocks: 19330340 cast cbc's in 2.99s
    Doing cast cbc for 3s on 64 size blocks: 5021692 cast cbc's in 2.99s
    Doing cast cbc for 3s on 256 size blocks: 1280396 cast cbc's in 2.99s
    Doing cast cbc for 3s on 1024 size blocks: 322416 cast cbc's in 2.99s
    Doing cast cbc for 3s on 8192 size blocks: 39931 cast cbc's in 2.99s
    Doing 512 bit private rsa's for 10s: 185151 512 bit private RSA's in 9.96s
    Doing 512 bit public rsa's for 10s: 2092211 512 bit public RSA's in 9.96s
    Doing 1024 bit private rsa's for 10s: 37579 1024 bit private RSA's in 9.96s
    Doing 1024 bit public rsa's for 10s: 692391 1024 bit public RSA's in 9.97s
    Doing 2048 bit private rsa's for 10s: 5905 2048 bit private RSA's in 9.96s
    Doing 2048 bit public rsa's for 10s: 195384 2048 bit public RSA's in 9.97s
    Doing 4096 bit private rsa's for 10s: 807 4096 bit private RSA's in 9.97s
    Doing 4096 bit public rsa's for 10s: 48601 4096 bit public RSA's in 9.97s
    Doing 512 bit sign dsa's for 10s: 168318 512 bit DSA signs in 9.96s
    Doing 512 bit verify dsa's for 10s: 179503 512 bit DSA verify in 9.96s
    Doing 1024 bit sign dsa's for 10s: 66600 1024 bit DSA signs in 9.97s
    Doing 1024 bit verify dsa's for 10s: 58665 1024 bit DSA verify in 9.96s
    Doing 2048 bit sign dsa's for 10s: 19546 2048 bit DSA signs in 9.96s
    Doing 2048 bit verify dsa's for 10s: 14580 2048 bit DSA verify in 9.90s
    OpenSSL 1.0.0-fips 29 Mar 2010
    built on: Mon Mar  4 22:19:53 UTC 2013
    options:bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) aes(partial) blowfish(idx)
    compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DWHIRLPOOL_ASM
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    md2               2553.99k     5166.36k     7054.47k     7657.66k     7981.04k
    mdc2                 0.00         0.00         0.00         0.00         0.00
    md4              82452.98k   249224.33k   578639.11k   860069.93k  1012276.40k
    md5              57677.88k   170104.04k   380858.22k   557818.50k   636923.89k
    hmac(md5)        47570.65k   141623.69k   340285.56k   529933.70k   643151.45k
    sha1             68139.61k   189938.62k   407889.59k   575485.26k   659236.08k
    rmd160           38372.91k    93925.46k   170823.41k   211001.19k   228174.69k
    rc4             414470.94k   677932.09k   777925.35k   807279.13k   813925.89k
    des cbc          63824.53k    66972.32k    68379.83k    66468.22k    66988.09k
    des ede3         24875.87k    25135.03k    25816.36k    25506.85k    25485.61k
    idea cbc             0.00         0.00         0.00         0.00         0.00
    seed cbc         73174.21k    73318.74k    73080.35k    72627.97k    73210.18k
    rc2 cbc          40106.31k    40960.15k    41402.65k    41053.50k    41369.60k
    rc5-32/12 cbc        0.00         0.00         0.00         0.00         0.00
    blowfish cbc    111832.42k   118270.46k   121374.65k   123135.14k   123293.71k
    cast cbc        103439.95k   107487.72k   109625.88k   110419.39k   109402.93k
    aes-128 cbc     106792.97k   114606.88k   116852.78k   116686.00k   110537.02k
    aes-192 cbc      90073.73k    94715.12k    97561.94k    97680.70k    97197.12k
    aes-256 cbc      77250.18k    82211.34k    82474.72k    84069.72k    85059.81k
    camellia-128 cbc    96848.70k   147301.03k   168152.44k   169026.10k   172081.32k
    camellia-192 cbc    83620.37k   114773.15k   128376.12k   131668.59k   131493.93k
    camellia-256 cbc    84278.89k   116724.63k   126514.43k   129453.46k   129715.80k
    sha256           40098.16k    88299.47k   147341.96k   176124.92k   186385.81k
    sha512           31380.85k   127006.18k   189683.41k   259975.79k   295144.88k
    whirlpool        24355.44k    52019.95k    87742.59k   105702.57k   112339.99k
    aes-128 ige     106632.34k   109767.52k   110988.84k   112363.97k   112129.03k
    aes-192 ige      91112.22k    90111.38k    92902.91k    92514.80k    93175.10k
    aes-256 ige      77947.31k    79337.95k    79994.43k    79442.13k    80722.71k
                      sign    verify    sign/s verify/s
    rsa  512 bits 0.000054s 0.000005s  18589.5 210061.3
    rsa 1024 bits 0.000265s 0.000014s   3773.0  69447.4
    rsa 2048 bits 0.001687s 0.000051s    592.9  19597.2
    rsa 4096 bits 0.012354s 0.000205s     80.9   4874.7
                      sign    verify    sign/s verify/s
    dsa  512 bits 0.000059s 0.000055s  16899.4  18022.4
    dsa 1024 bits 0.000150s 0.000170s   6680.0   5890.1
    dsa 2048 bits 0.000510s 0.000679s   1962.4   1472.7
    


    Which SSL cipher suite do you suggest? I want to achieve a good score, and it should also be secure and fast.
     
  2. kkeppler

    kkeppler Registered Provider

    Member since:
    12 June 2003
    Posts:
    1,895
    Location:
    Erlangen
    Company name:
    Keppler IT GmbH
    Provider profile:
    Click
    Re: SSL Cipher Suite

    At first glance this cipher list seems rather arbitrary to me. Did you really evaluate and select each of the algorithms individually for this?
    Personally, I don't think much of maintaining the cipher list in such detail, since updates to the SSL stack (usually OpenSSL) could theoretically cause problems if an algorithm is no longer supported at some point.
    Incidentally, the score mentioned above can also be achieved with the following setting:
    Code:
    ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM
    Either way, you always have to be aware that by excluding some older combinations (which are now classified as "insecure") you potentially always lock some visitors out of your own website. If you use SSL "only" as a communication channel for your own software, you can be much more restrictive than with an online shop.

    Besides the algorithms, a few server settings are especially important (keywords: prohibit SSL renegotiation, pay attention to cipher order).

    Best regards

    -Klaus Keppler
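
An added example, not part of the thread or written by its participants: a parser for the `openssl ciphers -v` format posted above that flags each suite by key size, algorithm and key exchange, and lists the unflagged suites with forward-secret ones first. The sample lines are copied from the first post's listing; the function names, the finding labels and the `FS_KX` heuristic are assumptions of this example.

```python
import re

# Lines in `openssl ciphers -v` format, copied from the listing in the first post.
SAMPLE = """\
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
"""

# Fields: name, protocol, Kx=, Au=, Enc=ALG(bits), Mac=, optional trailing "export".
LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[^\s(]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)"
    r"(?P<export>\s+export)?\s*$"
)
# Assumption of this example: these Kx values denote an ephemeral key exchange.
FS_KX = {"DH", "ECDH", "any"}

def parse(listing):
    """Return one dict per parsable line; lines in another format are skipped."""
    suites = []
    for line in listing.splitlines():
        m = LINE.match(line.strip())
        if m:
            s = m.groupdict()
            s["bits"] = int(s["bits"] or 0)   # "Enc=None" carries no key size
            s["export"] = bool(s["export"])
            suites.append(s)
    return suites

def findings(s):
    """List the reasons a suite is flagged; an empty list means nothing flagged."""
    out = []
    if s["export"]: out.append("export-grade")
    if s["bits"] < 128: out.append("key < 128 bits")
    if s["enc"] == "RC4": out.append("RC4")
    if s["enc"] == "3DES": out.append("3DES (64-bit block)")
    if s["mac"] == "MD5": out.append("MD5 MAC")
    if s["au"] == "None": out.append("unauthenticated")
    if s["kx"].split("(")[0] not in FS_KX: out.append("no forward secrecy")
    return out

def audit(listing):
    """Map cipher name -> list of findings."""
    return {s["name"]: findings(s) for s in parse(listing)}

def preferred_order(listing):
    """Suites whose only possible finding is missing forward secrecy, forward-secret first."""
    ok = [s for s in parse(listing) if set(findings(s)) <= {"no forward secrecy"}]
    return [s["name"] for s in sorted(ok, key=lambda s: bool(findings(s)))]

if __name__ == "__main__":
    for name, why in audit(SAMPLE).items():
        print(f"{name:25} {', '.join(why) or 'ok'}")
    print("order:", ":".join(preferred_order(SAMPLE)))
```

To audit what a given cipher string actually expands to on a server, feed the output of `openssl ciphers -v '<cipher string>'` to `audit()` in place of `SAMPLE`.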
     