Month: October 2014

Halloween special

Since the Haloween is the time of scary stories, let me share with you some preliminary results of the new cipherscan results.

I’ve extended the tool to check different grades of TLS ClientHello intolerance, like TLS version, size of client hello and the results are scary indeed.

Over 3% of servers just in Alexa top 2000 sites are not RFC compliant (can’t process big ClientHello, ClientHello with extensions they don’t understand, ClientHello with high protocol version, like for TLSv1.2 or with cipher suites they don’t know).

Two servers in this set are strictly TLSv1.2 intolerant, that means they use TLS implementations that can’t handle new protocol version 6 years after its release!

Those are the servers which force web browsers to use the fallback mechanism or limit their cipher suite set.

47% have SSLv3 still enabled, making them possibly vulnerable to POODLE (if they support ciphers besides RC4 in SSLv3).

Statistics

The new section added to statistics is “Required fallbacks”. It reports what kind of client connection attempts are problematic to servers the scan was still able to connect to.

The set of “big” hellos (big-SSLv3, big-TLSv1.0, big-TLSv1.1, big-TLSv1.2) are “Christmas tree packet” like connection attempts – where every option, extension and cipher suite supported by the OpenSSL tool was enabled.

In case the big-TLSv1.2 test was unsuccessful, the tool runs additional tests: “no-npn-alpn-status” where it queries the server again with a TLSv1.2 packet, but drops the NPN, ALPN and certificate status request (OCSP staple) extensions. “small-TLSv1.2” and “small-TLSv1.0” are reduced size packets, that still include SNI, elliptic curves (albeit limited to the P-256, P-384 and P-521 curves) and signature algorithms, but offer only limited set of ciphers, modelled after Firefox ClientHello. All those are from connections that were tolerant to at least one of the “big-” hello’s.

Then there are “inconclusive ” results, which show servers which the tool was able to connect to only using at least one of the “no-” or “small-” fallbacks but not using the “big-“. Such servers are not included in the general stats, but they do exclude servers which didn’t provide valid certificates.

SSL/TLS survey of 1693 websites from Alexa's top 2 thousand
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)

Supported Protocols       Count     Percent
-------------------------+---------+-------
SSL2                      44        2.5989
SSL2 Only                 4         0.2363
SSL3                      801       47.3125
SSL3 Only                 26        1.5357
SSL3 or TLS1 Only         295       17.4247
TLS1                      1663      98.228
TLS1 Only                 74        4.3709
TLS1.1                    1265      74.7194
TLS1.2                    1325      78.2634
TLS1.2, 1.0 but not 1.1   89        5.2569

Required fallbacks                       Count     Percent
----------------------------------------+---------+-------
big-SSLv3 Only tolerant                  22        1.2995
big-SSLv3 intolerant                     892       52.6875
big-SSLv3 tolerant                       801       47.3125
big-TLSv1.0 intolerant                   26        1.5357
big-TLSv1.0 or big-SSLv3 Only tolerant   2         0.1181
big-TLSv1.0 tolerant                     1667      98.4643
big-TLSv1.1 intolerant                   29        1.7129
big-TLSv1.1 tolerant                     1664      98.2871
big-TLSv1.2 intolerant                   49        2.8943
big-TLSv1.2 tolerant                     1644      97.1057
inconclusive small-TLSv1.0               7         0.4135
inconclusive small-TLSv1.2               7         0.4135
no-npn-alpn-status intolerant            49        2.8943
small-TLSv1.0 tolerant                   49        2.8943
small-TLSv1.2 intolerant                 2         0.1181
small-TLSv1.2 tolerant                   47        2.7761

October 2014 results – big changes

While last month’s results were not very interesting, this month is anything but.

But before we go into results, there were few small changes to how the statistics are reported. First difference is that the “x:FF 29 RC4 Preferred” now includes sites that prefer RC4 ciphers independent of other ciphers. Second is the addition of new item “Insecure”, which is the sum total of sites that use any cipher with a “z:” state, it does not include sites that also include IDEA or SEED ciphers. Ciphersuites that use those two ciphers are now prefixed with “y:”, as they are iffy in the sense that they haven’t been widely analysed, but otherwise don’t have known weaknesses.

Since the last scan two big things happened. POODLE attack that has shown SSLv3 to be completely insecure in CBC mode and Cloudflare deploying their Universal SSL.The former should cause far less sites to have SSLv3 enabled while the former should show more sites using ECDSA certificates and more TLS enabled sites in general.

Cipher suite results

This time ’round, the number of TLS enabled servers has increased by over 33 thousand (7.6%) a much bigger amount than previous months.

Usage of AES-GCM has increased by 5.5% to 48.3%. Surprisingly the percentage of CAMELLIA enabled servers has fallen, but it’s caused by the overall increase of number of TLS enabled servers, not by fewer servers supporting this cipher.

As far as bad choices go, sites that use completely broken ciphers (AECDH, single DES, export grade, etc.) has fallen by 2.6% to 20.3%.

RC4 is still a problem, percent of servers that support it has fallen by just 2%. Percentage of servers that don’t support anything else has decreased by just 0.13% to 0.82%. It’s a biggest drop in months, but it still makes it impossible for browser vendors to drop it completely.  Similar fate share servers that prefer RC4 where their numbers fallen by just 2.28% to 15.5% of total. The good news is that it’s a reversal of a few months negative trend.

Misconfiguration that causes AECDH ciphers to be enabled is still common, just 0.6% fewer servers support it compared to last month, bringing their numbers to around 3.2%.

Cipher ordering has shown a big shift this time, just over 60% server now use their order instead of client side order, a change of over 5%!

There is also a rather big up-tick in fraction of servers that don’t enable the RSA key exchange, from less than a 1% to nearly 4% now.

More servers also started preferring Forward Secrecy: an increase of 3.8% to 68.6%. Also more servers support PFS now: 2.2% more for a total of 82%.

Server certificates

Another significant change are the certificates used by servers, while previously just 4 servers did use certificates signed by a ECDSA CA, now there are nearly 21 thousands of them, giving a total of 4.8% of servers using them. The servers that use RSA CAs have also seen a big change, nearly 4% more servers now have their certificates signed with SHA256, to a total of 20.5%.

The vast majority of those new ECDSA certificates use P-256 curve, a total of 6.6%, creating an increase of 4.5%.

Protocols

Obviously SSLv3 support has taken a blow, its use has fallen by over 26%, bringing its support to 69.5% (far too small change given the severity of POODLE). It looks like many administrators also have taken the time to actually update the cryptographic libraries they use, as TLS1.2 support has increased by 4.5% to a total of 64%.

Trust chains

With the introduction of ECDSA CAs, we can finally see a significant percentage of servers reach 128 bit level of security. We can also see that all of intermediate ECDSA CAs have been signed with SHA384. No big changes besides that.

Detailed cipher suite statistics

SSL/TLS survey of 435987 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)


Supported Ciphers         Count     Percent
-------------------------+---------+-------
3DES                      377229    86.523
3DES Only                 168       0.0385
AES                       409388    93.8991
AES Only                  2002      0.4592
AES-CBC Only              877       0.2012
AES-GCM                   210554    48.2936
AES-GCM Only              17        0.0039
CAMELLIA                  171200    39.2672
CHACHA20                  14611     3.3512
Insecure                  88343     20.2628
RC4                       375776    86.1897
RC4 Only                  3595      0.8246
RC4 Preferred             67695     15.5268
RC4 forced in TLS1.1+     47943     10.9964
x:FF 29 RC4 Only          5814      1.3335
x:FF 29 RC4 Preferred     79458     18.2249
x:FF 29 incompatible      164       0.0376
y:DHE-RSA-SEED-SHA        80620     18.4914
y:IDEA-CBC-MD5            3756      0.8615
y:IDEA-CBC-SHA            67532     15.4895
y:SEED-SHA                86784     19.9052
z:ADH-AES128-GCM-SHA256   338       0.0775
z:ADH-AES128-SHA          1197      0.2745
z:ADH-AES128-SHA256       317       0.0727
z:ADH-AES256-GCM-SHA384   338       0.0775
z:ADH-AES256-SHA          1202      0.2757
z:ADH-AES256-SHA256       317       0.0727
z:ADH-CAMELLIA128-SHA     559       0.1282
z:ADH-CAMELLIA256-SHA     567       0.13
z:ADH-DES-CBC-SHA         530       0.1216
z:ADH-DES-CBC3-SHA        1250      0.2867
z:ADH-RC4-MD5             1059      0.2429
z:ADH-SEED-SHA            393       0.0901
z:AECDH-AES128-SHA        14245     3.2673
z:AECDH-AES256-SHA        14255     3.2696
z:AECDH-DES-CBC3-SHA      14216     3.2606
z:AECDH-NULL-SHA          30        0.0069
z:AECDH-RC4-SHA           13277     3.0453
z:DES-CBC-MD5             24072     5.5213
z:DES-CBC-SHA             66848     15.3326
z:ECDHE-RSA-NULL-SHA      36        0.0083
z:EDH-RSA-DES-CBC-SHA     58599     13.4405
z:EXP-ADH-DES-CBC-SHA     435       0.0998
z:EXP-ADH-RC4-MD5         438       0.1005
z:EXP-DES-CBC-SHA         52036     11.9352
z:EXP-EDH-RSA-DES-CBC-SHA 40390     9.264
z:EXP-RC2-CBC-MD5         56308     12.9151
z:NULL-MD5                359       0.0823
z:NULL-SHA                361       0.0828
z:NULL-SHA256             19        0.0044
z:RC2-CBC-MD5             28014     6.4254

Cipher ordering           Count     Percent
-------------------------+---------+-------
Client side               170342    39.0704
Server side               265645    60.9296

FF 29 selected ciphers        Count    Percent
-----------------------------+---------+------
AES128-SHA                     41722     9.5696
AES256-SHA                     25362     5.8171
CAMELLIA128-SHA                132       0.0303
CAMELLIA256-SHA                45        0.0103
DES-CBC3-SHA                   1046      0.2399
DHE-RSA-AES128-SHA             98725     22.644
DHE-RSA-AES256-SHA             14490     3.3235
DHE-RSA-CAMELLIA128-SHA        34        0.0078
DHE-RSA-CAMELLIA256-SHA        540       0.1239
ECDHE-ECDSA-AES128-GCM-SHA256  28993     6.65
ECDHE-ECDSA-AES128-SHA         33        0.0076
ECDHE-ECDSA-AES256-SHA         1         0.0002
ECDHE-RSA-AES128-GCM-SHA256    115469    26.4845
ECDHE-RSA-AES128-SHA           3024      0.6936
ECDHE-RSA-AES256-SHA           26483     6.0743
ECDHE-RSA-DES-CBC3-SHA         41        0.0094
ECDHE-RSA-RC4-SHA              22083     5.0651
EDH-RSA-DES-CBC3-SHA           234       0.0537
RC4-MD5                        14117     3.2379
RC4-SHA                        43249     9.9198
x:DHE                          114023    26.1528
x:ECDHE                        196127    44.9846
x:kRSA                         125673    28.8249

Supported Handshakes      Count     Percent
-------------------------+---------+-------
ADH                       1316      0.3018
AECDH                     14284     3.2762
DHE                       211473    48.5044
ECDHE                     234954    53.8901
ECDHE and DHE             88609     20.3238
RSA                       418706    96.0363

Supported PFS             Count     Percent  PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits               191816    43.9958  90.7047
DH,1536bits               1         0.0002   0.0005
DH,2048bits               17701     4.06     8.3703
DH,2226bits               1         0.0002   0.0005
DH,2236bits               2         0.0005   0.0009
DH,2430bits               1         0.0002   0.0005
DH,3072bits               9         0.0021   0.0043
DH,3247bits               1         0.0002   0.0005
DH,3248bits               2         0.0005   0.0009
DH,4096bits               1006      0.2307   0.4757
DH,512bits                40546     9.2998   19.1731
DH,768bits                779       0.1787   0.3684
DH,8192bits               1         0.0002   0.0005
ECDH,B-163,163bits        15        0.0034   0.0064
ECDH,B-571,570bits        456       0.1046   0.1941
ECDH,P-224,224bits        6         0.0014   0.0026
ECDH,P-256,256bits        233089    53.4624  99.2062
ECDH,P-384,384bits        675       0.1548   0.2873
ECDH,P-521,521bits        1259      0.2888   0.5358
Prefer DH,1024bits        111225    25.5111  52.5954
Prefer DH,1536bits        1         0.0002   0.0005
Prefer DH,2048bits        1875      0.4301   0.8866
Prefer DH,2236bits        1         0.0002   0.0005
Prefer DH,3072bits        1         0.0002   0.0005
Prefer DH,4096bits        61        0.014    0.0288
Prefer DH,512bits         6         0.0014   0.0028
Prefer DH,768bits         443       0.1016   0.2095
Prefer ECDH,B-163,163bits 15        0.0034   0.0064
Prefer ECDH,B-571,570bits 357       0.0819   0.1519
Prefer ECDH,P-224,224bits 4         0.0009   0.0017
Prefer ECDH,P-256,256bits 183233    42.0272  77.9868
Prefer ECDH,P-384,384bits 616       0.1413   0.2622
Prefer ECDH,P-521,521bits 1191      0.2732   0.5069
Prefer PFS                299029    68.5867  0
Support PFS               357818    82.0708  0

TLS session ticket hint   Count     Percent 
-------------------------+---------+--------
3                         2         0.0005   
3 only                    2         0.0005   
5                         1         0.0002   
5 only                    1         0.0002   
10                        1         0.0002   
10 only                   1         0.0002   
30                        10        0.0023   
30 only                   3         0.0007   
60                        57        0.0131   
60 only                   50        0.0115   
64                        1         0.0002   
100                       17        0.0039   
100 only                  17        0.0039   
120                       14        0.0032   
120 only                  14        0.0032   
128                       2         0.0005   
128 only                  2         0.0005   
180                       27        0.0062   
180 only                  27        0.0062   
240                       3         0.0007   
240 only                  3         0.0007   
300                       168875    38.734   
300 only                  151039    34.643   
360                       1         0.0002   
360 only                  1         0.0002   
400                       1         0.0002   
400 only                  1         0.0002   
420                       22        0.005    
420 only                  13        0.003    
480                       10        0.0023   
480 only                  10        0.0023   
600                       9358      2.1464   
600 only                  9103      2.0879   
900                       289       0.0663   
900 only                  266       0.061    
960                       2         0.0005   
960 only                  2         0.0005   
1000                      1         0.0002   
1000 only                 1         0.0002   
1200                      64        0.0147   
1200 only                 61        0.014    
1500                      9         0.0021   
1500 only                 8         0.0018   
1800                      211       0.0484   
1800 only                 204       0.0468   
2100                      1         0.0002   
2100 only                 1         0.0002   
2400                      1         0.0002   
2400 only                 1         0.0002   
2700                      5         0.0011   
2700 only                 5         0.0011   
3000                      11        0.0025   
3000 only                 11        0.0025   
3600                      296       0.0679   
3600 only                 281       0.0645   
5400                      2         0.0005   
7200                      11402     2.6152   
7200 only                 8697      1.9948   
10800                     15        0.0034   
10800 only                8         0.0018   
14400                     929       0.2131   
14400 only                927       0.2126   
21600                     723       0.1658   
21600 only                722       0.1656   
28800                     8         0.0018   
28800 only                8         0.0018   
36000                     409       0.0938   
36000 only                408       0.0936   
43200                     5170      1.1858   
43200 only                5170      1.1858   
64800                     37708     8.6489   
64800 only                33313     7.6408   
72000                     8         0.0018   
72000 only                8         0.0018   
86000                     27        0.0062   
86000 only                23        0.0053   
86400                     168       0.0385   
86400 only                167       0.0383   
100800                    14357     3.293    
100800 only               17        0.0039   
115200                    1         0.0002   
115200 only               1         0.0002   
129600                    11        0.0025   
129600 only               11        0.0025   
604800                    1         0.0002   
604800 only               1         0.0002   
864000                    4         0.0009   
864000 only               4         0.0009   
None                      225373    51.6926  
None only                 185753    42.6052  

Certificate sig alg     Count     Percent 
-------------------------+---------+--------
None                      15401     3.5324   
ecdsa-with-SHA256         20950     4.8052   
sha1WithRSAEncryption     330148    75.7243  
sha256WithRSAEncryption   89341     20.4917  
sha512WithRSAEncryption   1         0.0002   

Certificate key size    Count     Percent 
-------------------------+---------+--------
ECDSA 256                 29029     6.6582   
ECDSA 384                 2         0.0005   
ECDSA 521                 1         0.0002   
RSA 1024                  1672      0.3835   
RSA 2028                  1         0.0002   
RSA 2047                  2         0.0005   
RSA 2048                  403610    92.5739  
RSA 2049                  1         0.0002   
RSA 2056                  5         0.0011   
RSA 2058                  2         0.0005   
RSA 2064                  1         0.0002   
RSA 2080                  2         0.0005
RSA 2084                  8         0.0018
RSA 2345                  1         0.0002
RSA 2408                  2         0.0005
RSA 2432                  11        0.0025
RSA 2536                  1         0.0002
RSA 3050                  1         0.0002
RSA 3072                  61        0.014
RSA 3096                  1         0.0002
RSA 3248                  3         0.0007
RSA 3600                  1         0.0002
RSA 4046                  2         0.0005
RSA 4048                  2         0.0005
RSA 4056                  4         0.0009
RSA 4069                  1         0.0002
RSA 4086                  2         0.0005
RSA 4092                  4         0.0009
RSA 4096                  14038     3.2198
RSA 4098                  2         0.0005
RSA 4192                  1         0.0002
RSA 8192                  5         0.0011
RSA/ECDSA Dual Stack      12472     2.8606

OCSP stapling             Count     Percent
-------------------------+---------+--------
Supported                 60520     13.8811
Unsupported               375467    86.1189

Supported Protocols       Count     Percent
-------------------------+---------+-------
SSL2                      44800     10.2755
SSL2 Only                 5536      1.2698
SSL3                      302890    69.4723
SSL3 Only                 2971      0.6814
SSL3 or TLS1 Only         109447    25.1033
TLS1                      426128    97.7387
TLS1 Only                 22838     5.2382
TLS1.1                    270662    62.0803
TLS1.1 Only               25        0.0057
TLS1.1 or up Only         610       0.1399
TLS1.2                    279090    64.0134
TLS1.2 Only               441       0.1011
TLS1.2, 1.0 but not 1.1   12266     2.8134

Detailed trust chain statistics

Statistics from 484280 chains provided by 627529 hosts

Server provided chains    Count     Percent
-------------------------+---------+-------
complete                  403421    64.2872
incomplete                30809     4.9096
untrusted                 193299    30.8032

Trusted chain statistics
========================

Chain length              Count     Percent
-------------------------+---------+-------
2                         2084      0.4303
3                         460867    95.1654
4                         21301     4.3985
5                         28        0.0058

CA key size in chains     Count
-------------------------+---------
ECDSA 256                 20950     
ECDSA 384                 20950     
RSA 1024                  1362      
RSA 2045                  1         
RSA 2048                  915053    
RSA 4096                  29517     

Chains with CA key        Count     Percent
-------------------------+---------+-------
ECDSA 256                 20950     4.326
ECDSA 384                 20950     4.326
RSA 1024                  1357      0.2802
RSA 2045                  1         0.0002
RSA 2048                  461970    95.3932
RSA 4096                  29113     6.0116

Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384              20950     
sha1WithRSAEncryption          377133    
sha256WithRSAEncryption        68752     
sha384WithRSAEncryption        36708     
sha512WithRSAEncryption        10        

Eff. host cert chain LoS  Count     Percent
-------------------------+---------+-------
80                        377698    77.9917
112                       85631     17.6821
128                       20951     4.3262

Common Root CAs                               Count     Percent
---------------------------------------------+---------+-------
(2c543cd1) GeoTrust Global CA                 118634    24.497
(157753a5) AddTrust External CA Root          75645     15.6201
(5ad8a5d6) GlobalSign Root CA                 56056     11.5751
(cbf06781) Go Daddy Root Certificate Authorit 34301     7.0829
(2e4eed3c) thawte Primary Root CA             27922     5.7657
(b204d74a) VeriSign Class 3 Public Primary Ce 27262     5.6294
(244b5494) DigiCert High Assurance EV Root CA 23640     4.8815
(eed8c118) COMODO ECC Certification Authority 20947     4.3254
(f081611a) The Go Daddy Group, Inc.           21077     4.3522
(b13cc6df) UTN-USERFirst-Hardware             13019     2.6883
(653b494a) Baltimore CyberTrust Root          11115     2.2952
(40547a79) COMODO Certification Authority     10071     2.0796
(ae8153b9) StartCom Certification Authority   8762      1.8093
(f387163d) Starfield Technologies, Inc.       8273      1.7083

The scan was performed between 13th and 24th of October 2014.

POODLE attack

Unfortunately the script I’m using to acquire the statistics isn’t fast, people responsible for the zmap network scanner have performed a quick look at both Alexa Top 1 Million domains as well as the IPv4 address space.

In short, they found 1186 sites (0.02% of Alexa top 1M) to support SSLv3 as the highest TLS version. At the same time, 96.9% support SSLv3. If we take a look on all of IPv4 address space, the percentage rises to 0.8% and 98.1% respectively.

Head over to their article for details.

RSA and ECDSA performance

As servers negotiate TLS connection, few things need to happen. Among them, a master key needs to be  negotiated to secure the connection and the client needs to be able to verify that the server it connected to is the one it intended to connect to. This happens by virtue of key exchange, either RSA, finite field Diffie Hellman (DH) or Elliptic Curve Diffie Hellman (ECDH). The server itself can be identified using either RSA or Elliptic Curve Digital Signature Algorithm (ECDSA) based certificates. All of them have their strong sides and weak sides, so let’s quickly go through them.

RSA key exchange

This way of deriving the key securing the connection is the simplest of the mentioned. It is supported by virtually all the clients and all the servers out there. Its strong point is relative high performance at small key sizes. Unfortunately, it doesn’t provide Forward Secrecy (PFS), which means that in case of private key leak all previous communication will be possible to decrypt.

Side note: while the acronym PFS stands for “Perfect Forward Secrecy”, the term “Perfect” comes from cryptography where it has a slightly different meaning than in vernacular. To limit confusion I’ll be calling it just “Forward Secrecy”.

Finite field Diffie-Hellman key exchange

Forward Secrecy is the prime feature of the ephemeral version of Diffie–Hellman. Its main drawback is high computational cost. Additionally, not all clients support it with RSA authentication, all versions of Internet Explorer being the prime example. While there exist a non ephemeral version of DH, it doesn’t support PFS nor has widespread support so we will ignore it for now.

Elliptic Curve Diffie-Hellman key exchange

ECDH is the new kid on the block, this means that it is supported only by relatively new clients. The strong points are low computational cost and much smaller key sizes for the same security levels. Similarly to DH, there exist ephemeral and non ephemeral version of it, the latter has limited support in clients and does not provide PFS.

RSA authentication

It’s the venerable and widely supported cryptosystem. Supported by virtually anything that has support for TLS or SSL. With us since the SSLv2. Unfortunately it’s starting to show its age, performance at key sizes providing 128 bit level of security is rather low and certificates are starting to get rather large (over 1KiB in size for 3072 bit RSA).

ECDSA authentication

Elliptic Curve Digital Signature Algorithm, just like ECDH is a new cryptosystem. This causes it to suffer from same problem: no support for it in old clients. It does use much smaller key sizes for the same security margins and is less computationally intensive than RSA.

Benchmarking

While the key exchanges and authentication mechanisms are relatively separate, in TLS the ciphersuites limit the available options. In fact, for the ECDSA ciphers, only ECDH key exchange is available. Or to spell it out, I could test only following configurations:

RSA key exchange - RSA authentication
DHE key exchange - RSA authentication
ECDHE key exchange - RSA authentication
ECDHE key exchagne - ECDSA authentication

The tested key sizes were: 1024 bit RSA as the recently obsoleted commonly used size, 2048 bit RSA as the current standard key size, 3072 bit as the recommended key size for systems that have to remain secure for foreseeable future, 4096 bit as the minimal size that matches the existing CA key sizes and is secure for foreseeable future (as there are virtually no commercial CAs that have 3072 bit key sizes) and finally 256 bit ECDSA as the recommended key size for secure systems for foreseeable future.

The tests were done on Atom D525 @ 1.8GHz with 4GiB of RAM (as an example of lowest performance on a relatively modern hardware) and used httpd-2.4.10-1.fc20.x86_64, mod_ssl-2.4.10-1.fc20.x86_64 with openssl-1.0.1e-39.fc20.x86_64. Interestingly, while this CPU has SSSE3, it doesn’t have AES-NI or SSE4.1, this makes AES-128-GCM faster than AES-128-CBC (50.7MiB/s vs 27.8MiB/s). Every query from client has downloaded 4KiB of data. The graphs show the maximum performance while serving concurrent users (usually around 8-10 at the same time).

So, lets compare RSA authenticated ciphers performance.

rsa-performance

Performance of different RSA key sizes

We can clearly see that that using non PFS enabled key exchanges brings huge performance improvements for legacy key sizes. RSA key exchange at 1024 bit is actually over 3.4 times faster than DHE key exchange. At this small sizes, using 256 bit ECDHE also doesn’t show much performance advantage over DHE, it is just 11% faster (note though that it is also comparable to 3072 bit DHE in security level).

Going to 2048 bit RSA, the performance advantage of not using PFS ciphers quickly shrinks. Here using RSA key exchange over 1024 bit DHE gives about 78% more performance. This configuration, while common because of lack of support of higher DHE parameter sizes in older Apache servers, doesn’t really provide higher security against targeted attack than use of 1024 bit RSA. Use of ECDHE is also looking much more interesting, at only 40% penalty compared to RSA key exchange. Using DHE key exchange with matching parameter sizes give performance that is nearly 7 times slower than pure RSA.

ECDHE shows its real potential at the 3072 bit RSA key size where while providing PFS with matching level of security it requires just 26% more computing power, again outperforming 1024 bit DHE. The ephemeral DH with matching key size gives a truly abysmal 800% drop in performance.

At the 4096 bit level, where the 256 bit ECDHE is the weaker link, pure RSA key exchange is just 18% more power hungry.

So, how does it compare to ECDSA key exchange?

ECDSA vs RSA authenticated connections

ECDSA vs RSA authenticated connections

If we use the currently acceptable 2048 bit RSA key exchange, it will turn out that the RSA is about 3% faster than the combination of ECDHE key exchange and ECDSA authentication (both using 256 bit curve). But if the required security level reaches 128 bits or PFS is required ECDSA with ECDHE is much faster.

ECDHE and  ECDSA with 256 bit curves is 2.7 times faster than 2048 bit RSA with 256 bit ECDHE and 3.4 times faster than 3072 bit RSA alone!

Apache

In other words, if you’re running Apache web servers you should consider using two certificates for the same site (unfortunately nginx doesn’t support multiple certificates for the same site, there was some progress in the past but I haven’t seen it come into fruition). This will allow to negotiate RSA cipher suites with the legacy clients while it will provide lessened load on the server with modern clients.

The configuration is also relatively simple, you just need to specify certificate and key file twice:

SSLCertificateFile /etc/pki/tls/certs/example.com-RSA.crt
SSLCertificateKeyFile /etc/pki/tls/private/example.com-RSA.key
SSLCertificateFile /etc/pki/tls/certs/example.com-ECDSA.crt
SSLCertificateKeyFile /etc/pki/tls/private/example.com-ECDSA.key

and make sure that your SSLCipherSuite doesn’t disable ECDSA authenticated ciphersuites (just check if this command outputs anything: openssl ciphers -v <cipher string from apache> | grep ECDHE-ECDSA).