[pve-devel] central cipher config
Dietmar Maurer
dietmar at proxmox.com
Tue Oct 30 10:46:17 CET 2012
AFAIK, arcfour is considered insecure.
IMHO we need a secure cipher for migration. Other tasks like the VNC proxy can use an insecure cipher.
> -----Original Message-----
> From: Stefan Priebe - Profihost AG [mailto:s.priebe at profihost.ag]
> Sent: Tuesday, 30 October 2012 10:37
> To: Dietmar Maurer
> Cc: pve-devel at pve.proxmox.com
> Subject: Re: [pve-devel] central cipher config
>
> On 30.10.2012 10:31, Dietmar Maurer wrote:
> >> But right now blowfish is hardcoded in proxmox - I don't think that
> >> this is a good idea.
> >
> > That is the fastest cipher available (in squeeze).
>
> Not to me.
>
> Without AES-NI (default squeeze openssl):
> arcfour is the fastest.
>
> With AES-NI / patches openssl:
> aes128-cbc is the fastest.
>
> Simply tested through 10GBE:
>
> #!/bin/bash
>
> for cipher in aes128-ctr aes192-ctr aes256-ctr arcfour256 arcfour128 aes128-cbc 3des-cbc blowfish-cbc cast128-cbc aes192-cbc aes256-cbc arcfour ; do
>     echo "$cipher"
>     for try in 1 2 ; do
>         scp -c "$cipher" test.tar root@10.255.0.24:/tmp/
>         ssh root@10.255.0.24 'rm /tmp/test.tar'
>     done
> done
>
>
> Stefan