
markseger 03-17-2013 08:15 AM

How can you choose your preferred ciphers?
Or can't you?

I'm looking at a couple of different tools running on the same box that upload files using SSL, one written in java and the other in python. The java tool runs faster than the python one and since all they do is I/O I'd expect them to upload at about the same speed so I'm puzzled. When I look at a network trace I can see one is negotiating a different cipher than the other and am hypothesizing the encryption overhead might be a contributing factor and would like to try telling the python tool to use the same cipher. If it still runs slower then I can at least eliminate the cipher as the reason.

My question is, is there some easy way to do this that doesn't involve code changes? Perhaps modifying a config file to change the orders of the preferred ciphers or better still setting an env variable?


sundialsvcs 03-17-2013 09:44 AM

I suggest that you let the SSL cipher suite do its own thing. Be sure to keep it up-to-date, but let it continue to do what it's designed to do.

Realistically speaking, the choice of cipher isn't the primary factor in achieving information security: key-management is. In a modern telecommunication cipher system, that concept occurs on two distinct levels.

First, there are the high-level concerns of "identification," "message integrity," and probably "concealment." All of the modern cipher systems in use today have that covered. You do have reason to trust that you're talking to the right person and that messages are being received as-tendered.

Second, there are the low-level protocol concerns of handling the negotiation of cipher algorithms and the moment-to-moment maintenance of randomly generated keys for use by those ciphers. Throughout the course of any conversation between two parties, new keys and even algorithms are constantly being re-negotiated so that even if a particular low-level key were decrypted, in a few moments it would change. (Alice and Bob wouldn't know or care; Eve would, but too bad for Eve.) Once again, that's all covered.

Use cipher systems to maintain a secure tunnel for your communications to pass through ... and, to quote the old Greyhound Bus commercials, "leave the driving to us."

markseger 03-18-2013 07:33 AM

Maybe I should have been a little clearer - this question actually has little to do with security and everything to do with performance. I've seen numerous posts on the overhead of different ciphers and I don't want the one SSL is selecting for me. So back to the original question, how can I change it?

I have seen a number of references on how to change it client-side for specific applications which have obviously implemented this capability and exposed it to their users, I just want to know if I can do the same thing but without having to hack my client OR modify the server since there are times you may want stronger ciphers.


linosaurusroot 03-18-2013 07:41 AM


markseger 03-18-2013 10:00 AM

Thanks for the pointer, and I understand, but it still doesn't answer my question. Even if I stay away from the ciphers that posting talks about, some are still more heavyweight than others and all I want to be able to do is have the option of preferring some to others.
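As an added example (not code from the thread or from either of the tools markseger describes), the following shows the client-side mechanism a Python program uses to state its cipher preference, which is the piece the first and last posts are asking for: Python's `ssl` module exposes OpenSSL's cipher-list syntax through `SSLContext.set_ciphers()`, and `get_ciphers()` shows exactly which suites the client will offer and in what order. The `negotiated_cipher()` function reports what the server actually picked, the same information the network trace gave, read from the client's own socket. The cipher strings used below (`ECDHE+AESGCM` and the two explicit suite names) are assumed for illustration, not a preference taken from the thread.

```python
"""Added example: stating and inspecting a TLS cipher preference from a
Python client. Uses only the standard library; the preference strings are
assumed examples, not a recommendation from the thread."""
import socket
import ssl
import sys


def make_client_context(cipher_pref: str) -> ssl.SSLContext:
    """Client context that still verifies the server (system CA store and
    hostname check stay on) but offers only the TLS 1.2-and-below suites
    matching cipher_pref, in that order of preference.

    set_ciphers() does not affect TLS 1.3 suites: OpenSSL fixes those and
    get_ciphers() always lists them ahead of the TLS 1.2 suites.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.set_ciphers(cipher_pref)        # raises ssl.SSLError if nothing matches
    return ctx


def offered_ciphers(cipher_pref: str) -> list[str]:
    """Names of the pre-TLS-1.3 suites this client would offer, in order."""
    ctx = make_client_context(cipher_pref)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def is_valid_cipher_pref(cipher_pref: str) -> bool:
    """True if OpenSSL accepts the cipher string (at least one suite matches)."""
    try:
        make_client_context(cipher_pref)
    except ssl.SSLError:
        return False
    return True


def negotiated_cipher(host: str, port: int, cipher_pref: str):
    """Connect with the restricted context and return what the server chose:
    (cipher name, protocol version, secret bits). Needs a reachable host, so
    the offline checks below do not exercise it."""
    ctx = make_client_context(cipher_pref)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.cipher()


if __name__ == "__main__":
    # Assumed preference: ECDHE key exchange with AES-GCM suites only.
    pref = "ECDHE+AESGCM"
    for name in offered_ciphers(pref):
        print(name)
    if len(sys.argv) == 3:  # python3 cipher_pref.py HOST PORT
        print(negotiated_cipher(sys.argv[1], int(sys.argv[2]), pref))
```

On the "config file or environment variable" part of the question: the Python `ssl` module reads no environment variable for this, so for a Python client the preference has to be set in code as above. OpenSSL 1.1.1 and later can apply a system-wide `CipherString` from openssl.cnf (`system_default_sect`), but that changes every OpenSSL-linked client and server on the box at once, which is why the per-context setting is the safer way to run a performance comparison. The example keeps certificate verification on and stays within forward-secret AEAD suites, which is the check worth making whenever speed is the reason for overriding the default selection.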
