LinuxQuestions.org
Go Job Hunting at the LQ Job Marketplace
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 03-17-2013, 08:15 AM   #1
markseger
Member
 
Registered: Jul 2003
Posts: 241

Rep: Reputation: 25
How can you choose your preferred ciphers?


Or can't you?

I'm looking at a couple of different tools running on the same box that upload files using SSL, one written in java and the other in python. The java tool runs faster than the python one and since all they do is I/O I'd expect them to upload at about the same speed so I'm puzzled. When I look at a network trace I can see one is negotiating a different ciper than the other and am hypothesizing the encryption overhead might be a contributing factor and would like to try telling the python tool to use the same ciper. If it still runs slower than I can at least eliminate the cipher as the reason.

My question is, is there some easy way to do this that doesn't involve code changes? Perhaps modifying a config file to change the orders of the preferred ciphers or better still setting an env variable?

-mark
 
Old 03-17-2013, 09:44 AM   #2
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,401

Rep: Reputation: 1119Reputation: 1119Reputation: 1119Reputation: 1119Reputation: 1119Reputation: 1119Reputation: 1119Reputation: 1119Reputation: 1119
I suggest that you let the SSL cipher suite do its own thing. Be sure to keep it up-to-date, but let it continue to do what it's designed to do.

Realistically speaking, the choice of cipher isn't the primary factor in achieving information security: key-management is. In a modern telecommunication cipher system, that concept occurs on two distinct levels.

First, there's the high level concerns of "identification," "message integrity," and probably "concealment." All of the modern cipher systems in use today have that covered. You do have reason to trust that you're talking to the right person and that messages are being received as-tendered.

Second, there's the low-level protocol concerns of handling the negotiation of cipher algorithms and the moment-to-moment maintenance of randomly generated keys for use by those ciphers. Throughout the course of any conversation between two parties, new keys and even algorithms are constantly being re-negotiated so that even if a particular low-level key were decrypted, in a few moments it would change. (Alice and Bob wouldn't know or care; Eve would, but too-bad for Eve.) Once again, that's all covered.

Use cipher systems to maintain a secure tunnel for your communications to pass through ... and, to quote the old Greyhound Bus commercials, "leave the driving to us."
 
Old 03-18-2013, 07:33 AM   #3
markseger
Member
 
Registered: Jul 2003
Posts: 241

Original Poster
Rep: Reputation: 25
Maybe I should have been a little clearer - this question actually has little to do with security and everything to do with performance. I've seen numerous posts on the overhead of different ciphers and I don't want the one SSL is selecting for me. SO back to the original question, how can I change it.

I have seen a number of references on how to change it client-side for specific applications which have obviously implemented this capability and exposed it to their users, I just want to know if I can do the same thing but without having to hack my client OR modify the server since there are times you may want stronger ciphers.

-mark
 
Old 03-18-2013, 07:41 AM   #4
linosaurusroot
Member
 
Registered: Oct 2012
Distribution: OpenSuSE,RHEL,Fedora,OpenBSD
Posts: 808
Blog Entries: 2

Rep: Reputation: 203Reputation: 203Reputation: 203
http://blog.cryptographyengineering....broken-in.html
 
Old 03-18-2013, 10:00 AM   #5
markseger
Member
 
Registered: Jul 2003
Posts: 241

Original Poster
Rep: Reputation: 25
Thanks for the pointer, and I understand, but it still doesn't answer my question. Even if I stay away from the ciphers that posting talks about, some are still more heavyweight than others and all I want to be able to do is have the option of preferring some to others.
-mark
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Adding new ciphers to linux , can it be done? sordfish Programming 2 02-22-2013 08:12 AM
set default ciphers in .curlrc Пожарный Linux - General 1 08-08-2012 07:18 PM
Specifying ciphers for SSH Mark_667 Solaris / OpenSolaris 4 11-01-2011 05:16 AM
SSH - Problem with ciphers HaPagan Linux - Security 7 11-28-2005 05:49 AM


All times are GMT -5. The time now is 06:44 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration