httpd-users mailing list archives

From Ron Croonenberg <r...@lanl.gov>
Subject Re: [users@httpd] explicitly including other ciphers for use with https
Date Tue, 08 Dec 2015 15:33:00 GMT
Ok,  I want to use encrypted authentication BUT do not want to use any 
encryption of the data at all.

I do have 100% control over all of the IB fabric (and it is not in 
'user space', consider it an 'appliance') this will be running on. I am 
not interested in something secure at this point, I am interested in 
performance.



On 12/07/2015 06:06 PM, William A Rowe Jr wrote:
> On Mon, Dec 7, 2015 at 2:39 PM, Ron Croonenberg <ronc@lanl.gov> wrote:
>
>     Hello,
>
>     I am building a storage system, using HTTP/HTTPS for ingesting data.
>
>     I would like to use the authentication over HTTPS, while after that
>     I want no encryption on the data because of performance.
>
>
> Then you probably don't understand the performance impact of TLS.
>
> TLS is very expensive to negotiate between endpoints working from
> elliptic curve or prime math.  There's no avoiding this initial hit if you
> are going to use TLS whatsoever.
>
> Once the endpoints have completed the handshake, they exchange
> keys for a much simpler and more performant cipher such as the
> AES-256 cipher (for faster performance, you could use AES-128
> depending on the application).
>
> You will measure very little benefit dropping TLS once the handshake
> and your auth step is completed.
>
>     I think using null ciphers, like eNULL would work, but how do I
>     change the configurations in httpd.conf/ssl.conf ?
>
>     The NULL cipher keys are in openssl,  I just want to use them.
>
>
> Only if you have 100% faith in the end-to-end topography of your
> network. That pretty much restricts you to localhost:. Otherwise,
> any man-in-the-middle can observe the data in transit and alter
> the data passed between your client and backend storage server,
> which makes the entire point of authenticating rather silly, don't
> you think?
>
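
Added example, not part of the thread or of httpd: a Python audit check that flags `SSLCipherSuite` directives requesting the no-encryption (`eNULL`/`NULL`) suites discussed above. It applies a simplified reading of the OpenSSL cipher-string rules (an assumption), the function names and the sample config are constructed, and it reports what a directive asks for, not what the linked OpenSSL build ends up offering.

```python
import re

# Cipher-string aliases that select suites with no encryption (OpenSSL ciphers(1)).
NULL_ALIASES = {"ENULL", "NULL", "COMPLEMENTOFALL"}
DIRECTIVE = re.compile(r"^\s*SSLCipherSuite\s+(.*?)\s*$", re.IGNORECASE)

def _selects_null(name):
    """True if a '+'-joined component is a NULL alias or a suite name such as NULL-SHA."""
    parts = [p.upper() for p in name.split("+") if p]
    return any(p in NULL_ALIASES or "NULL" in p.split("-") for p in parts)

def null_ciphers_enabled(spec):
    """Heuristic (assumption): does this cipher string leave NULL-encryption suites on?"""
    enabled = False
    for raw in re.split(r"[:, ]+", spec.strip()):
        if not raw or raw.startswith("@"):      # skip @STRENGTH / @SECLEVEL=n
            continue
        op, name = (raw[0], raw[1:]) if raw[0] in "!-+" else ("", raw)
        if op in ("!", "-"):
            # Only a bare alias removes every NULL suite; narrower removals are ignored.
            if name.upper() in NULL_ALIASES:
                if op == "!":
                    return False                # '!' deletes permanently
                enabled = False                 # '-' removes, but a later token may re-add
        elif op == "" and _selects_null(name):  # '+' only reorders, it never adds
            enabled = True
    return enabled

def audit_config(text):
    """Return (line_number, cipher_spec) for each SSLCipherSuite requesting NULL suites."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(line)               # commented-out lines do not match
        if not m:
            continue
        args = m.group(1).replace('"', "").split()
        if len(args) > 1 and args[0].upper() in {"SSL", "TLSV1.3"}:
            args = args[1:]                     # optional protocol argument
        spec = ":".join(args)
        if null_ciphers_enabled(spec):
            findings.append((lineno, spec))
    return findings

# Constructed sample configuration, not taken from the thread.
SAMPLE_CONF = """\
SSLCipherSuite HIGH:!aNULL:!MD5
# SSLCipherSuite eNULL
SSLCipherSuite TLSv1.3 TLS_AES_128_GCM_SHA256
sslciphersuite "eNULL:HIGH:!aNULL"
"""
for lineno, spec in audit_config(SAMPLE_CONF):
    print(f"line {lineno}: NULL-encryption suites requested by {spec!r}")
```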
