
Unfortunately, though, plain DHE is really slow, so it's pretty hardware-intensive to do it at scale, and to keep latency manageable. Google made a big deal out of moving to ECDHE the year before last, and part of that was that it allowed them to get perfect forward secrecy without sacrificing performance.



This was _the_ thing I was looking forward to most in the release of Debian 7. A sufficiently recent version of OpenSSL to do ECDHE.

Plain DHE is _killing_ our first load times...


We just went through some similar stuff, having to ditch Amazon Linux for our SSL termination machine because Red Hat strips out all elliptic-curve crypto. It might also be worth investigating whether or not the Debian 7 OpenSSL build includes the optimized 64-bit ECDHE implementation contributed by Google, which wasn't enabled in Ubuntu's build until last month.


Yer welcome =)

I pestered peeps till they turned that flag on. As you said, it's now on for Ubuntu.


Belated thanks!


I got this included into Ubuntu 12.04 and later. You might want to consider running Ubuntu just as a termination host if you are really desperate.



