go558a83nk 371 Posted 05/18/2015

I'm running stunnel 5.14 with openssl 1.0.2a on my router. It seems the cipher that's negotiated is probably a little stronger than it needs to be (ECDHE-RSA-AES256-GCM-SHA384). The config, AirVPN*.ssl, only has a NO_SSLv2 option which is fine, of course. But, are there any other options I can input that will get stunnel to negotiate a cipher suite that's less CPU intensive?

Thanks for the help.

zhang888 1067 Posted 05/18/2015

If you use it on a small home router, use SSL mode only in case it is really required (some ISPs). What performance do you get with and without SSL?

Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

go558a83nk 371 Posted 05/19/2015

Thanks. I'd love to hear from staff an answer to my actual question. I can pull 50mbit/s with my setup but just trying to get every bit I can.

Staff 10118 Posted 05/19/2015

Hello!

Since our servers will accept a variety of ciphers for SSL this is possible by configuring stunnel. However, configuring parameters for stunnel is currently not implemented in Eddie. Please see for example: https://www.stunnel.org/pipermail/stunnel-users/2013-February/004112.html

Anyway, you probably don't need to bother about that. Nowadays computer CPUs are so powerful that they are not loaded at capacity by the current stunnel and OpenVPN ciphers you're using (well, it also depends on how much load they have from other tasks...).

Kind regards

go558a83nk 371 Posted 05/19/2015

On 5/19/2015 at 12:28 AM, Staff said:
> Hello!
>
> Since our servers will accept a variety of ciphers for SSL this is possible by configuring stunnel. However, configuring parameters for stunnel is currently not implemented in Eddie. Please see for example: https://www.stunnel.org/pipermail/stunnel-users/2013-February/004112.html
>
> Anyway, you probably don't need to bother about that. Nowadays computer CPUs are so powerful that they are not loaded at capacity by the current stunnel and OpenVPN ciphers you're using (well, it also depends on how much load they have from other tasks...).
>
> Kind regards

Please re-read my post. I'm using stunnel on my router.

edit: anyway, I got it. I just added a line to the ssl file "ciphers = DHE-RSA-AES128-SHA256" and it works. Noticeably less CPU usage and still a TLS1.2 cipher.

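Added example, not part of the original thread and not stunnel or AirVPN code: a Python check that expands an OpenSSL cipher string, such as the value given to the `ciphers` line above, and reports what it selects before the line goes into the config. It assumes the OpenSSL linked into Python supports the same suites as the one on the router; `describe_cipher_string` is a hypothetical helper name.

```python
import ssl

# Key-exchange labels OpenSSL reports for ephemeral (forward-secret) exchanges.
EPHEMERAL_KX = {"kx-dhe", "kx-ecdhe"}


def describe_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string (hypothetical helper, not stunnel code).

    Returns one dict per TLS 1.2-or-older suite the string selects, or []
    when the string matches nothing usable.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []  # OpenSSL rejected the string, e.g. a typo in the suite name
    report = []
    for suite in ctx.get_ciphers():
        # TLS 1.3 suites are configured separately from this list and are
        # always reported, so they say nothing about the string under test.
        if suite.get("protocol") == "TLSv1.3":
            continue
        report.append({
            "name": suite["name"],
            "protocol": suite.get("protocol"),
            "bits": suite.get("strength_bits"),
            "aead": bool(suite.get("aead")),
            "forward_secret": suite.get("kea") in EPHEMERAL_KX,
        })
    return report


if __name__ == "__main__":
    # The two suites named in the thread, plus a constructed misspelling.
    for candidate in ("ECDHE-RSA-AES256-GCM-SHA384",
                      "DHE-RSA-AES128-SHA256",
                      "DHE-RSA-AES128-SHA265"):
        suites = describe_cipher_string(candidate)
        if not suites:
            print(f"{candidate}: selects no suite")
        for s in suites:
            print(f"{candidate}: {s}")
```
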
Staff 10118 Posted 05/19/2015

On 5/19/2015 at 1:21 AM, go558a83nk said:
> Please re-read my post. I'm using stunnel on my router.
>
> edit: anyway, I got it. I just added a line to the ssl file "ciphers = DHE-RSA-AES128-SHA256" and it works. Noticeably less CPU usage and still a TLS1.2 cipher.

Ok, great! What is your firmware? Did you compile stunnel by yourself for your router or is it an already available version?

Kind regards

go558a83nk 371 Posted 05/19/2015

On 5/19/2015 at 9:55 AM, Staff said:
> On 5/19/2015 at 1:21 AM, go558a83nk said:
> > Please re-read my post. I'm using stunnel on my router.
> >
> > edit: anyway, I got it. I just added a line to the ssl file "ciphers = DHE-RSA-AES128-SHA256" and it works. Noticeably less CPU usage and still a TLS1.2 cipher.
>
> Ok, great! What is your firmware? Did you compile stunnel by yourself for your router or is it an already available version?
>
> Kind regards

merlin asus 378.51 on AC68 with entware-arm installed. stunnel is available in the entware-arm repository.