I'm looking at a couple of different tools running on the same box that upload files using SSL, one written in Java and the other in Python. The Java tool runs faster than the Python one and since all they do is I/O I'd expect them to upload at about the same speed so I'm puzzled. When I look at a network trace I can see one is negotiating a different cipher than the other and am hypothesizing the encryption overhead might be a contributing factor and would like to try telling the Python tool to use the same cipher. If it still runs slower then I can at least eliminate the cipher as the reason.
My question is, is there some easy way to do this that doesn't involve code changes? Perhaps modifying a config file to change the orders of the preferred ciphers or better still setting an env variable?
I suggest that you let the SSL cipher suite do its own thing. Be sure to keep it up-to-date, but let it continue to do what it's designed to do.
Realistically speaking, the choice of cipher isn't the primary factor in achieving information security: key-management is. In a modern telecommunication cipher system, that concept occurs on two distinct levels.
First, there's the high-level concerns of "identification," "message integrity," and probably "concealment." All of the modern cipher systems in use today have that covered. You do have reason to trust that you're talking to the right person and that messages are being received as-tendered.
Second, there's the low-level protocol concerns of handling the negotiation of cipher algorithms and the moment-to-moment maintenance of randomly generated keys for use by those ciphers. Throughout the course of any conversation between two parties, new keys and even algorithms are constantly being re-negotiated so that even if a particular low-level key were decrypted, in a few moments it would change. (Alice and Bob wouldn't know or care; Eve would, but too bad for Eve.) Once again, that's all covered.
Use cipher systems to maintain a secure tunnel for your communications to pass through ... and, to quote the old Greyhound Bus commercials, "leave the driving to us."
Maybe I should have been a little clearer - this question actually has little to do with security and everything to do with performance. I've seen numerous posts on the overhead of different ciphers and I don't want the one SSL is selecting for me. So back to the original question, how can I change it?
I have seen a number of references on how to change it client-side for specific applications which have obviously implemented this capability and exposed it to their users, I just want to know if I can do the same thing but without having to hack my client OR modify the server since there are times you may want stronger ciphers.
Thanks for the pointer, and I understand, but it still doesn't answer my question. Even if I stay away from the ciphers that posting talks about, some are still more heavyweight than others and all I want to be able to do is have the option of preferring some to others.
-mark
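
Added example, not part of the thread: in a Python client the suite preference is applied through the standard `ssl` module's `SSLContext.set_ciphers()`, which is a code-level setting rather than the config file or environment variable asked about. The sketch below lists what a client context would offer for a given OpenSSL cipher string and shows how to read back the negotiated suite; the function names and the string `ECDHE+AESGCM` are illustrative assumptions.

```python
import socket
import ssl


def offered_suites(cipher_string=None):
    """Return (configurable, tls13) suite names a client context would offer.

    cipher_string is an OpenSSL cipher list; None keeps Python's defaults.
    """
    ctx = ssl.create_default_context()  # certificate verification stays on
    if cipher_string is not None:
        # Raises ssl.SSLError when no suite in the local OpenSSL matches.
        ctx.set_ciphers(cipher_string)
    configurable, tls13 = [], []
    for suite in ctx.get_ciphers():
        # set_ciphers() only governs TLS 1.2-and-earlier suites. TLS 1.3
        # suites stay enabled, so a TLS 1.3 server can still pick one of them.
        if suite["protocol"] == "TLSv1.3":
            tls13.append(suite["name"])
        else:
            configurable.append(suite["name"])
    return configurable, tls13


def negotiated_suite(host, port=443, cipher_string=None):
    """Connect and return (name, protocol, secret_bits) of the agreed suite.

    Needs network access; compare this with the other tool's trace.
    """
    ctx = ssl.create_default_context()
    if cipher_string is not None:
        ctx.set_ciphers(cipher_string)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.cipher()


if __name__ == "__main__":
    before, tls13 = offered_suites()
    after, _ = offered_suites("ECDHE+AESGCM")  # constructed sample string
    print("default TLS<=1.2 offer:", before)
    print("restricted offer:      ", after)
    print("TLS 1.3 (unaffected):  ", tls13)
```

The server still makes the final choice from whatever the client offers, so the restricted list only narrows the options; confirm the result with `negotiated_suite()` or the network trace.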