Jump to content
Not connected, Your IP: 3.15.203.242
AirVPN
go558a83nk

stunnel cipher options for CPU conservation

By go558a83nk, ... in General & Suggestions

Recommended Posts

go558a83nk    362

go558a83nk
Posted ...

I'm running stunnel 5.14 with openssl 1.0.2a on my router.  It seems the cipher that's negotiated is probably a little stronger than it needs to be (ECDHE-RSA-AES256-GCM-SHA384).  The config, AirVPN*.ssl, only has a NO_SSLv2 option which is fine, of course.  But, are there any other options I can input that will get stunnel to negotiate a cipher suite that's less CPU intensive?

 

thanks for the help

Share this post

Link to post

go558a83nk    362

go558a83nk
Posted ...

Thanks. I'd love to hear from staff an answer to my actual question.   I can pull 50mbit/s with my setup but just trying to get every bit I can.

Share this post

Link to post

Staff    9972

Staff
Posted ...

Hello!

 

Since our servers will accept a variety of ciphers for SSL this is possible by configuring stunnel. However, configuring parameters for stunnel is currently not implemented in Eddie. Please see for example:

https://www.stunnel.org/pipermail/stunnel-users/2013-February/004112.html

 

Anyway, you probably don't need to bother about that. Nowadays computer CPUs are so powerful that they are not loaded at capacity by the current stunnel and OpenVPN ciphers you're using (well, it also depends on how much load they have from other tasks...).

 

Kind regards

Share this post

Link to post

go558a83nk    362

go558a83nk
Posted ...

Hello!

 

Since our servers will accept a variety of ciphers for SSL this is possible by configuring stunnel. However, configuring parameters for stunnel is currently not implemented in Eddie. Please see for example:

https://www.stunnel.org/pipermail/stunnel-users/2013-February/004112.html

 

Anyway, you probably don't need to bother about that. Nowadays computer CPUs are so powerful that they are not loaded at capacity by the current stunnel and OpenVPN ciphers you're using (well, it also depends on how much load they have from other tasks...).

 

Kind regards

 

Please re-read my post.  I'm using stunnel on my router.

 

edit: anyway, I got it.  I just added a line to the ssl file "ciphers = DHE-RSA-AES128-SHA256" and it works.  noticibly less CPU usage and still a TLS1.2 cipher.

Share this post

Link to post

Staff    9972

Staff
Posted ...

 

Please re-read my post.  I'm using stunnel on my router. :)

 

edit: anyway, I got it.  I just added a line to the ssl file "ciphers = DHE-RSA-AES128-SHA256" and it works.  noticibly less CPU usage and still a TLS1.2 cipher.

 

Ok, great! What is your firmware? Did you compile stunnel by yourself for your router or is it an already available version?

 

Kind regards

Share this post

Link to post

go558a83nk    362

go558a83nk
Posted ...

 

 

Please re-read my post.  I'm using stunnel on my router.

 

edit: anyway, I got it.  I just added a line to the ssl file "ciphers = DHE-RSA-AES128-SHA256" and it works.  noticibly less CPU usage and still a TLS1.2 cipher.

 

Ok, great! What is your firmware? Did you compile stunnel by yourself for your router or is it an already available version?

 

Kind regards

 

merlin asus 378.51 on AC68 with entware-arm installed.  stunnel is available in the entware-arm repository.

Staff reacted to this

Share this post

Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
  • Security Check
    Play CAPTCHA Audio
    Refresh Image
Go To Topic Listing
×
×
  • Create New...