I was looking at https://github.com/conda-forge/openssl-feedstock/blob/master/recipe/build.sh. According to Andy Polyakov, x86_64 can use the option enable-ec_nistp_64_gcc_128. The option will make ECDH run about 2x to 4x faster.
The option is mentioned at Compilation and Installation | Configure Options on the OpenSSL wiki.
The caveat to using enable-ec_nistp_64_gcc_128 is, it has some restrictions so it can't be used on all 64-bit platforms. As far as I know, it is only used on Intel 64-bit platforms.
So the Bash script might look like this:
    case "$target_platform" in
      linux-32)
        _CONFIG_OPTS+=(linux-generic32)
        CFLAGS="${CFLAGS} -Wa,--noexecstack"
        ;;
      linux-64)
        _CONFIG_OPTS+=(linux-x86_64 enable-ec_nistp_64_gcc_128)
        CFLAGS="${CFLAGS} -Wa,--noexecstack"
        ;;
      ...
I usually place enable-ec_nistp_64_gcc_128 with other configure options, like where no-ssl2, no-ssl3 and no-comp are added. I usually disable compression because it leads to information leaks in higher level protocols like HTTPS (re: CRIME and BREACH).
It might also be worth mentioning... build.sh uses no-zlib, but that is not no-comp. no-comp categorically disables compression regardless of zlib. When you configure with no-comp, then OPENSSL_NO_COMP will be defined and all compression paths will be disabled.
Another OpenSSL configure option you might be interested in is no-weak-ssl-ciphers. It used to disable RC4. I'm not sure what it disables in 2021.
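An added example, not part of the original post or the feedstock: a post-build check that reads the generated OpenSSL configuration header (opensslconf.h in 1.1.1) and reports whether OPENSSL_NO_COMP and OPENSSL_NO_EC_NISTP_64_GCC_128 are defined, so a build that only passed no-zlib is not mistaken for one with no-comp. The function names and the sample header contents are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit a generated OpenSSL config header for the two options
# discussed above. Function names and sample headers are constructed.

# has_define HEADER MACRO -> exit 0 if HEADER contains "#define MACRO".
# OpenSSL writes "# define", so whitespace after '#' is allowed; the trailing
# group rejects longer names that merely start with MACRO, and "#ifndef"
# guards do not count.
has_define() {
    grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+$2([[:space:]]|\$)" "$1"
}

# audit_header HEADER -> prints "comp=<on|off> nistp64=<on|off>".
# "on" means the feature was not disabled at build time.
audit_header() {
    local hdr=$1 comp=on nistp=on
    [ -r "$hdr" ] || { echo "cannot read $hdr" >&2; return 2; }
    has_define "$hdr" OPENSSL_NO_COMP && comp=off
    has_define "$hdr" OPENSSL_NO_EC_NISTP_64_GCC_128 && nistp=off
    echo "comp=$comp nistp64=$nistp"
}

# Constructed sample headers (not copied from a real build):
#   no-zlib-only.h  - no-zlib alone: OPENSSL_NO_COMP is absent
#   no-comp-nistp.h - no-comp plus enable-ec_nistp_64_gcc_128
write_samples() {
    printf '%s\n' '#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128' \
        '# define OPENSSL_NO_EC_NISTP_64_GCC_128' '#endif' \
        > "$1/no-zlib-only.h"
    printf '%s\n' '#ifndef OPENSSL_NO_COMP' \
        '# define OPENSSL_NO_COMP' '#endif' \
        > "$1/no-comp-nistp.h"
}

tmp=$(mktemp -d)
write_samples "$tmp"
for h in "$tmp"/*.h; do
    printf '%s: %s\n' "${h##*/}" "$(audit_header "$h")"
done
rm -rf "$tmp"
```

To check a real build, point audit_header at the header installed under the build's include/openssl directory.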