linuxserver / docker-nzbget

GNU General Public License v3.0

Rebasing to Alpine 3.9.0 broke RC4-MD5 cipher for SSL #67

Closed gbougiakas closed 5 years ago

gbougiakas commented 5 years ago

They switched from LibreSSL to OpenSSL https://www.alpinelinux.org/posts/Alpine-3.9.0-released.html

which most probably does not support RC4 algorithms (which I know are not the most secure), but they are the fastest (and more than adequate for Usenet use).

Regards, George

nomandera commented 5 years ago

RC4-MD5 has been deprecated as fastest cipher in nzbget

https://github.com/nzbget/nzbget/issues/611

I am tempted to suggest, given just how much of a pain this would be to fix, that we play a "wait and see" game.

homerr commented 5 years ago

Due to the deprecation of RC4 as 'fastest cipher' upstream, at least for most things, I will close this off, as making this change would mean rebasing the container to Ubuntu. If the original request becomes a very sought-after thing, we can discuss and look to see about rebasing the container to bring this support back.

guyspr commented 5 years ago

Hi, I am reopening this as I am one of the people who would benefit from RC4-MD5 being added again. On my system (an older NAS) MD5 is about 10 times faster than AES128 for larger files. So I would benefit greatly (in terms of download speeds) when I am able to use RC4-MD5 as a cipher.

nomandera commented 5 years ago

Confirming the suite is now

TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA

I see no sensible route to add it back in and I am unsure we even should even if we could.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2808

Unless someone can suggest a sensible secure way to do this I would unfortunately suggest this issue is just a symptom of progress and unfixable
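
An audit of the cipher list quoted in the comment above, as an added example that is not part of the original thread or of NZBGet: it groups the suites by bulk cipher and lists any RC4 or MD5 entries and any suites without forward secrecy. The function names are hypothetical, and the parser assumes an already expanded list of suite names (no OpenSSL keywords such as HIGH or !RC4).

```python
from collections import Counter

# Cipher list exactly as quoted in the comment above (OpenSSL suite names).
PAGE_SUITES = (
    "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:"
    "ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:"
    "DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:"
    "DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:"
    "AES128-SHA256:AES256-SHA:AES128-SHA"
)

def _tokens(name):
    # TLS 1.3 names use "_" and older names use "-"; normalise to one form.
    return name.upper().replace("_", "-").split("-")

def bulk_cipher(name):
    """Return the bulk-cipher family of one suite name (hypothetical helper)."""
    t = _tokens(name)
    if "RC4" in t:
        return "RC4"
    if "CHACHA20" in t:
        return "CHACHA20-POLY1305"
    if "GCM" in t:
        return "AES-GCM"
    if "CCM" in t or "CCM8" in t:
        return "AES-CCM"
    if any(p.startswith("AES") for p in t):
        return "AES-CBC"  # OpenSSL omits "CBC" from these names
    return "OTHER"

def audit(cipher_string):
    """Summarise an expanded, colon-separated cipher list."""
    names = [n for n in cipher_string.split(":") if n]
    return {
        "total": len(names),
        "by_cipher": Counter(bulk_cipher(n) for n in names),
        "rc4_or_md5": [n for n in names if {"RC4", "MD5"} & set(_tokens(n))],
        # TLS 1.3 and (EC)DHE suites give forward secrecy; other names here use RSA key exchange.
        "no_forward_secrecy": [n for n in names if not n.startswith(("TLS_", "ECDHE-", "DHE-"))],
    }

if __name__ == "__main__":
    print(audit(PAGE_SUITES))
```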

hugbug commented 5 years ago

@guyspr:

> On my system (an older NAS) MD5 is about 10 times faster than AES128 for larger files.

10 times? In which tests? Definitely not in NZBGet.

These are results from my speed tests in NZBGet (MB/s):

| | Dell, Linux, i7-5600U | PVR, Linux, ARMv7 | NEO2, Linux, ARMv8 |
|---|---|---|---|
| AES | 967 | 49 | 151 |
| RC4-MD5 | 375 | 65 | 55 |

ARMv7 is about 30% faster when using RC4. Other devices (with hardware AES support) are much faster with AES.

guyspr commented 5 years ago

@hugbug I run an Intel J1800 which does not have AES NI support. When running openssl speed -elapsed -evp md5 I get speeds of 361777k while with AES-128-cbc I get speeds of 50178k. Seems like quite the significant difference to me.

With downloads, I do get about the same download speeds but the CPU load is much higher when using aes128 compared to md5, and the speed is much more inconsistent.

hugbug commented 5 years ago

You compare hashing function MD5 with cipher AES. You should compare RC4 to AES instead.

Anyway, real speed tests in nzbget (shown above) are more important than pure cipher tests from openssl benchmark. That's what I wanted to point out. Not agitating against RC4.

ArnoutVerbeken commented 5 years ago

So, I can understand that RC4-MD5 will not be supported anymore due to security issues. See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2808

But this is what most people used and which is still in the wiki on https://sabnzbd.org/wiki/advanced/ssl-ciphers.

So, can somebody change the wiki and can somebody inform us on what would be the best setting now on low-power devices that have benefitted the most from RC4-MD5?

tobbenb commented 5 years ago

@ArnoutVerbeken Regarding the wiki, you have to talk to sabnzbd about changing it.