Hi all

How do i ensure that ONLY TLSv1 is used to logon io.
What settings do i modify? in .ini

I'm guessing, change

;Encryption_Protocol = SSL3

to

Encryption_Protocol = TLS

I'm curious why you would want to limit it to TLS only? As far as I can tell the TLS, SSL3, and SSL2 just define a way to negotiate with the client so they can agree on an encryption protocol to use and some options to enable (see 'OpenSSL_Options'). There are a number of other more subtle differences but I think the REAL question is which encryption protocols you want to support! That is controlled by 'OpenSSL_Ciphers = DEFAULT:!LOW:!EXPORT' which I have set up to ban the lamest ciphers by default...

Fair warning, if you limit OpenSSL to TLS you also limit FXP connections to other servers to TLS only. Sometimes that is OK and other times it might not be, don't be surprised if FXP transfers have issues.

In the future maybe I'll add support for FXP only settings, but right now the control connection and data transfer share the same context because of host fingerprinting, tickets, etc.

My motivation was to only allow the BEST/Strongest encryption for my io, and as far i could read up was TLS, but as you said there was a few issus with clients other than FlashFXP

YiL: Would speed improve if one implemented AES-NI support in openssl for intel i5/i7 cpus?

Speeds would absolutely go up and CPU usage down if encryption used AES-NI. I don't think OpenSSL 1.0.0.x, which is what is currently available, supports it without applying a patch or using the development branch. If you look at OpenSSl-Changelog (http://www.openssl.org/news/changelog.html) you can see what I believe is support in v1.0.1 but it doesn't have a release date by it. Hopefully it will just test the hardware and enable itself automatically else I'll have to add a line or something because we don't use the generic OpenSSL configuration file.

If there's a patch that auto-enables it you can replace the OpenSSL libs since I don't modify them in any way so you can try builds from anyone. Currently ioFTPD and OpenSSL are built for all machines and OpenSSL uses the optional assembly language build for extra speed.

As I mentioned in a post somewhere here I've got a list of performance changes / notes to apply someday. However one of them I haven't done because it's been simpler not to, but if performance is an issue on a gbit LAN or something maybe we'll have to try it. ioFTPD is currently built with VS2008 with a target of all machines. I think faster performance can be gotten if I let the compiler use SSE/SSE2 and release that as a separate build because older machines wouldn't be able to run that. Perhaps I could add some sort of trivial check and output an error if users had the wrong version or something. I could even consider trying the Intel compiler and letting it do even more crazy stuff for newer machines which would probably speed things up.

The reason I mention that build stuff is because you may be able to find an Intel compiler generated core i3+ build using SSE4 instructions out there somewhere and if that would work you can replace the 2 OpenSSL libs and see what happens.

On a slightly different note, I could also play with the TCP window size. I think we're using 64K (the historical max) but now windows supports much larger advertised sizes. However ioFTPD doesn't seem to have any trouble on 100Mbit networks so it's been good enough for me :)

think there are patches out there that enables AES-NI if it's supported otherwise it just skips it, not sure though. As for SSE2 I think you should just enable it. Think support was enabled in athalon XP and pentium4/celeron. If people are using P3 it's time to upgrade =)

Wish intel would add AES-NI to their atom lineup but don't think thats gonna happen. It would make it perfect for server usage.

The patch I saw that supported it required defining something in the openssl config file to actually enable it and we don't use a config file so not sure what that means for us. Probably just a 1 line change, but I'm hoping 1.0.1 comes out before I have to worry about it :)

Forget the atom, you have to be careful even with the i5's! The entry level mobile core i5 used in most i5 laptops doesn't support AES-NI. What the heck...

i know, but it's retarded. AES-NI with low would be great for alot of things. Most cpu chipsets should support it today i5+.

Gooa look into Via padlock.