❦ 26 April 2014 10:20 CEST, Willy Tarreau <[email protected]> :

>> >   - ssl: Add standardized DH parameters >= 1024 bits
>> >     (I still don't understand what this is about, I'm clearly far from
>> >     being even an SSL novice). I have no idea whether it can be related
>> >     or not, but at least you're using SSL so everything is possible.
>> 
>> Since previously the DH param was always 1024 bits and usually key
>> sizes are 2048, I think that using a 2048-bit DH param adds a
>> performance impact, but I never evaluated it since using a 1024-bit DHE param
>> is not unusual (or was not unusual, I am far from up-to-date on
>> this). The impact should have been minimal since g is kept to 2 and this
>> is the important one (DHE is about g^a mod p where g and p are the DH
>> parameters), but we are nonetheless dealing with far larger integers
>> and I suppose that the exponentiation has a performance hit when p gets
>> larger.
>> 
>> The strengths of RSA and DH are equivalent, so using the same size
>> for both is definitely a good practice.
>
> OK, thanks for explaining. Can't this be linked to the size of the keys
> or anything else? I'm asking because we can hardly accept to divide
> the performance by 4 for users with no solution for them to work around
> the issue. We know what they'll do: revert and stay on the previous
> version which worked well for them.

In fact, I said that the performance impact should have been low, but
this is false. g is kept to 2, but the a in g^a mod p (a is the secret
number chosen by the server for the DH exchange) is a random number
between 0 and p - 1, so there is a big performance impact in using a
2048-bit DH parameter vs. a 1024-bit one.
-- 
Use uniform input formats.
            - The Elements of Programming Style (Kernighan & Plauger)
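The point made above (the cost of DHE is dominated by g^a mod p, where the exponent a is as wide as p, so doubling p multiplies the work several times over) can be checked directly. The script below is an added illustration and is not code from this thread or from HAProxy. It runs a textbook DH agreement and times the server-side exponentiation for a 1024-bit and a 2048-bit modulus. The moduli are constructed odd numbers of the right bit length, used only to measure arithmetic cost; they are not safe primes and not a real DH group, so a deployment must use standardized parameters as the patch under discussion does. The function names are this example's own.

```python
"""Measure why a 2048-bit DH parameter costs more than a 1024-bit one.

DHE computes g^a mod p with a drawn from [1, p-2], so the exponent is as wide
as the modulus. Doubling p roughly doubles the number of squarings and makes
each modular multiplication several times more expensive.
"""
import random
import secrets
import time

G = 2  # the generator kept at 2, as described in the thread


def make_stand_in_modulus(bits, seed=1):
    """Constructed odd modulus of exactly `bits` bits (assumption: NOT a real
    DH group, only a stand-in for timing the arithmetic). Deterministic via seed."""
    rng = random.Random(seed)
    return rng.getrandbits(bits) | (1 << (bits - 1)) | 1


def dh_keypair(p, g=G):
    """Return (private exponent a in [1, p-2], public value g^a mod p)."""
    a = secrets.randbelow(p - 2) + 1
    return a, pow(g, a, p)


def dh_shared(p, my_priv, their_pub):
    """Shared secret: (g^b)^a mod p on one side, (g^a)^b mod p on the other."""
    return pow(their_pub, my_priv, p)


def dh_agree(p, g=G):
    """Run one exchange and report whether both sides derive the same secret."""
    a, pub_a = dh_keypair(p, g)
    b, pub_b = dh_keypair(p, g)
    return dh_shared(p, a, pub_b) == dh_shared(p, b, pub_a)


def time_exponentiation(p, rounds=5, g=G):
    """Median seconds for one server-side g^a mod p with a full-width exponent."""
    samples = []
    for _ in range(rounds):
        a = secrets.randbelow(p - 2) + 1
        t0 = time.perf_counter()
        pow(g, a, p)
        samples.append(time.perf_counter() - t0)
    samples.sort()
    return samples[len(samples) // 2]


def cost_ratio(small_bits=1024, large_bits=2048):
    """How many times slower the large modulus is than the small one."""
    p_small = make_stand_in_modulus(small_bits)
    p_large = make_stand_in_modulus(large_bits)
    return time_exponentiation(p_large) / time_exponentiation(p_small)


if __name__ == "__main__":
    for bits in (1024, 2048):
        p = make_stand_in_modulus(bits)
        print(f"{bits}-bit modulus: agreement ok={dh_agree(p)}, "
              f"one exponentiation ~{time_exponentiation(p) * 1000:.2f} ms")
    print(f"2048-bit / 1024-bit cost ratio: {cost_ratio():.1f}x")
```

The ratio is typically well above the "divide by 4" figure raised in the thread, because both the exponent length and the per-multiplication cost grow with p; this is per handshake, so the real-world impact depends on how often full handshakes occur (session resumption and ECDHE both avoid it).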
