Fedora/Redhat and perfect forward secrecy

Paul Wouters paul at nohats.ca
Mon Sep 9 16:12:27 UTC 2013

On Mon, 9 Sep 2013, Reindl Harald wrote:

>> I don't get it, either
> google "dhe versus ecdhe performance"
> http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html
>>> Let’s focus on the server part. Enabling DHE-RSA-AES128-SHA cipher suite
>>> hinders the performance of TLS handshakes by a factor of 3. Using
>>> ECDHE-RSA-AES128-SHA instead only adds an overhead of 27%. However, if we
>>> use the 64bit optimized version, the cost is only 15%
> is that enough to understand why nobody on this world is using DHE and so your
> "Current Fedora supports perfect forward secrecy just fine" is *far* away
> from the reality?

Not for me. I thought TLS was latency bound. The above "factor 3" does
not state whether TLS client/server were in the same LAN (or even VMs on
the same host).

For the client, clearly CPU is not the limiting factor. For regular TLS
servers, this should also not matter. For fully loaded TLS servers or
TLS accelerators, the factor 3 on the CPU load will matter, but we're
talking clusters of machines here. Dropping in a few extra machines
shouldn't be that hard to give your patent-encumbered endusers PFS.

> it does not help much support forward secrecy in a way *nobody* else on this
> planet is supporting it and so you response below is uneducated - period

Ignoring the obvious legal (and now potential backdoor) problems with
ECC is also not very educated.


> -------- Original Message --------
> Subject: Re: Fedora/Redhat and perfect forward secrecy
> Date: Mon, 26 Aug 2013 11:07:29 +0200
> From: Florian Weimer <fweimer at redhat.com>
> To: Development discussions related to Fedora <devel at lists.fedoraproject.org>
> CC: Reindl Harald <h.reindl at thelounge.net>, Mailing-List fedora-users <users at lists.fedoraproject.org>
> On 08/24/2013 11:38 AM, Reindl Harald wrote:
>> https://bugzilla.redhat.com/show_bug.cgi?id=319901
>> looks like Redhat based systems are the only remaining
>> which does not support EECDHE which is a shame these
>> days in context of PRISM and more and more Ciphers
>> are going to be unuseable (BEAST/CRIME weakness)
> Current Fedora supports perfect forward secrecy just fine.  It's just
> that web server operators routinely refuse to offer it.  (The situation
> is different with mail servers.)  Operational benefits look rather
> marginal to me.  It may discourage interested parties from requesting
> server private keys, but even that isn't assured.
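As an added illustration (not part of the thread or of Fedora's own tooling): the thread turns on whether a server's cipher list actually offers a forward-secret key exchange (ECDHE or DHE) rather than plain RSA key transport, and the snippet below audits an OpenSSL cipher string for exactly that. It uses Python's ssl module (a wrapper around OpenSSL) and parses the `Kx=` field OpenSSL reports for each suite; the cipher strings and description lines are constructed examples.

```python
import re
import ssl

# Key-exchange values (the "Kx=" field of OpenSSL's SSL_CIPHER_description
# output) that give perfect forward secrecy: the session key comes from an
# ephemeral (EC)DH exchange, so later compromise of the server's long-term
# RSA key does not expose recorded traffic. OpenSSL labels the static
# variants "ECDH/RSA" and "DH/RSA", so exact matching excludes them. "any"
# is what OpenSSL reports for TLS 1.3 suites, which are ephemeral-only.
FORWARD_SECRET_KX = {"ECDH", "DH", "ECDHEPSK", "DHEPSK", "any"}

_KX_RE = re.compile(r"\bKx=(\S+)")


def key_exchange(description):
    """Extract the Kx value from a cipher description line, e.g.
    'ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1' -> 'ECDH'."""
    match = _KX_RE.search(description)
    if match is None:
        raise ValueError("no Kx= field in cipher description: %r" % description)
    return match.group(1)


def is_forward_secret(description):
    return key_exchange(description) in FORWARD_SECRET_KX


def audit_cipher_list(cipher_string):
    """Build a server context with the given OpenSSL cipher string and return
    the names of every enabled suite whose key exchange is NOT forward secret
    (i.e. RSA key transport). An empty list means every suite the server
    would negotiate provides PFS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()
            if not is_forward_secret(c["description"])]


if __name__ == "__main__":
    # Constructed cipher strings for the two configurations the thread contrasts.
    for label, cs in [("ECDHE first, DHE fallback", "ECDHE+aRSA+AESGCM:DHE+aRSA+AESGCM"),
                      ("RSA key transport only", "AES128-GCM-SHA256:AES256-GCM-SHA384")]:
        weak = audit_cipher_list(cs)
        print(label, "->", "all suites forward secret" if not weak else weak)
```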
