My everyday job is to find solutions to optimize systems that are working but that could also be better / faster / cheaper. Today, we’ll look on how to optimize your SSL / HTTPS layer for your webserver.

The problem :

The problem is that we want our webserver to provide a secure channel to our clients and to be as fast as possible to deliver all of our content. But the SSL layer usually adds up a large overhead to any http request, simply because data needs to be encrypted or decrypted (depending if we send or receive data ).

In a world where we CPU performances were increasing all the time, we could simply invest on a new, better performing, server hardware. It would be a bit pricy but would do the trick for a while. Unfortunately, that would really help you to scale much. You could also invest on a dedicated SSL hardware appliance but since that would cost you an arm and we need that arm to type on the keyboard, I digress, we would prefer something a bit smarter.

So, what’s the solution ?

The solution is simply to understand what is SSL. SSL is a suit of ciphers. All ciphers are mathematic formulas in a package that helps you to use them. But some ciphers are less ressource-consuming than others, some are dedicated to streams and others are not.

When you configure your webserver, you generally enter the following line:

SSLCipherSuite HIGH:+MEDIUM:+LOW

This tells you webserver  that it supports:

• ALL HIGH security ciphers,
• ALL Medium,
• ALL Low

You web-browser will then pick on in the list (generally the most secure) and start to use it. Unfortunately, this means that you will end up using AES256 which is VERY resource consuming.

How can I tell my webserver to use which cipher ?

Well, for Apache, you just have to enter the following line :

SSLCipherSuite RC4+RSA:HIGH:+MEDIUM:+LOW

This will force your webserver to present at first the RC4 protocol and not our AES256 friend. In case of a browser who wouldn’t understand RC4, you can always fallback to AES256 and back all the medium and low ciphers.

In case, you would have doubt about the security provided by RC4 ( after all, the protocol has been used in WEP ), you should be convinced that a proper implementation of RC4 is very secure even with a 128bits long key.

3 … 2 … 1 … GO !

Comparing AES256 and RC4 (using a 128 bit key) wouldn’t be fair. Let’s compare what is comparable : AES128 and RC4( using a 128bit key).

SSLCipherSuite AES128+RSA:HIGH:+MEDIUM:+LOW

and

SSLCipherSuite RC4+RSA:HIGH:+MEDIUM:+LOW

Conclusion

You can see, that you have a nice performance boost for the price of 0.00$/€. Isn’t life great ?

Eric A. Meyer explain the line-height CSS property. And it does it well. Feel free to check the w3c documentation for further (usefull) information.