Shortly after we started offering service we had a few customers comment that our SSL speeds were a bit slower than their last provider. After researching the cause we noticed that a lot of providers default for much lower encryption (RC4-MD5) than we were using (AES256). Most people would agree that AES256 is a bit overkill for NNTPS, so we decided to lower our default cipher to AES128. After a few changes to our front-end server code we added the ability to offer the available ciphers by preference.

Current cipher list in order of preference:

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

As you can see, we still fully support AES256. Changing the default cipher will speed up our SSL connections and customers wanting AES256 can still select that by configuring their usenet client to request the stronger cipher. Should be a win/win for everyone!