Daniel Kinzler daniel@brightbyte.de wrote:
hi all!
In the hope i'm not clubbing a diseased donkey, i'd like to share an idea i ran across: we could use the RC4-128 cypher for secure.wikimedia.org, instead of AES256. RC4 is reportedly a lot faster (3 to 4 times the throughput). Since CPU capacity for encryption has been mentioned as one of the problems with making secure.wikimedia.org reliable, I thought it might help.
% openssl s_client -connect secure.wikimedia.org:443 -CApath /usr/local/share/certs/ -cipher RC4-SHA
(...)
New, TLSv1/SSLv3, Cipher is RC4-SHA Server public key is 1024 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : RC4-SHA Session-ID: 23D5071FD392363CB3215134418219F083866583174FC2809795C4AB373F4EDC (...)
seems to work for me.
If you want to give up benefts brought to you by the Diffie-Hellman ephemeral key exchange, anyone may turn it off in their browser. In Seamonkey I have at hand it's going into "about:config", and setting a whole bunch of modes in "security.ssl3" to "false".
Not sure if this should be done server-side, though. Unless there is a dire need and we can't support more sessions than we already do.
//Marcin