Hello,

On 05/22/2015 07:32 AM, Willy Tarreau wrote:
> That makes me think about something, as you advocated a long time ago
> for increasing the dh-param default size. Do you think we should take
> the opportunity of 1.6 to increase the default size? It will use more
> CPUs for people who migrate from 1.5 only, and such people are expected
> to run tests during the migration anyway so they should not be surprised.

I think that would be great! We could alter the warning so that people not explicitly setting the value in the configuration are aware that it is now set to 2048.

>> If you cannot increase the DH key size above 1024-bit, please at least
>> generate a custom DH group with the "openssl dhparam 2048" command, and
>> add the result of this command to your certificate file.
>
> Does that improve the situation regarding the CPU usage? I must confess
> this is still very cryptic to me (no pun intended).

Oh, I used the wrong group size on the openssl dhparam command, it should have been:

openssl dhparam 1024

Otherwise it makes no sense, sorry about that. So yes, using a custom 1024-bit DH group instead of the default Oakley group 2 makes it a lot harder to do pre-computation while having no impact on the CPU usage.

-- 
Rémi
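The procedure the reply describes, generating a deployment-specific DH group and adding it to the certificate file, as an added worked example. This script is not from the thread or from HAProxy; it assumes a working directory passed as its first argument and constructs throwaway files (key.pem, cert.pem, dhparam.pem, combined.pem) inside it, and it needs the openssl command-line tool. The self-signed certificate is generated only so the example runs offline; the check at the end confirms the bundle carries a DH PARAMETERS block that passes `openssl dhparam -check` and has the intended size.

```shell
#!/bin/sh
# Added example (not code from the mailing-list thread or from HAProxy):
# build a combined PEM file holding the certificate, the private key and a
# custom DH group, then verify the DH group. File names below are
# constructed for this example; the working directory is $1.
set -eu

# Throwaway self-signed certificate and key so the example runs offline.
# In a real deployment these come from your CA.
make_test_cert() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
}

# Generate a DH group unique to this deployment. The reply recommends this
# over the well-known Oakley group 2 when the size cannot exceed 1024 bits:
# precomputation against a shared group no longer pays off, and the
# per-handshake CPU cost is unchanged because the group size is the same.
make_dh_group() {
    dir="$1"; bits="$2"
    openssl dhparam -out "$dir/dhparam.pem" "$bits" >/dev/null 2>&1
}

# Assemble the bundle: certificate, key, then the DH parameters appended at
# the end, which is what "add the result of this command to your
# certificate file" amounts to.
make_bundle() {
    dir="$1"
    cat "$dir/cert.pem" "$dir/key.pem" "$dir/dhparam.pem" > "$dir/combined.pem"
}

# Print the DH group size found in a PEM file, or nothing if there is none.
dh_group_bits() {
    openssl dhparam -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Return 0 when the bundle carries a DH PARAMETERS block and the generated
# group passes "openssl dhparam -check" with the expected size.
check_bundle() {
    dir="$1"; expected_bits="$2"
    grep -q -- '-----BEGIN DH PARAMETERS-----' "$dir/combined.pem" || return 1
    openssl dhparam -in "$dir/dhparam.pem" -check -noout >/dev/null 2>&1 || return 1
    [ "$(dh_group_bits "$dir/dhparam.pem")" = "$expected_bits" ]
}

# Full pipeline for a given directory and group size; returns non-zero if
# any step or the final check fails.
build_custom_dh_bundle() {
    dir="$1"; bits="$2"
    make_test_cert "$dir"
    make_dh_group "$dir" "$bits"
    make_bundle "$dir"
    check_bundle "$dir" "$bits"
}

# Usage: sh this_script.sh /path/to/workdir [bits]   (default 1024, as in the reply)
if [ "${1:-}" != "" ]; then
    build_custom_dh_bundle "$1" "${2:-1024}" && echo "bundle OK: $1/combined.pem"
fi
```

Generating a 1024-bit safe-prime group takes a few seconds; a 2048-bit one noticeably longer, which is why the reply separates the two recommendations (raise the default size if you can, otherwise at least stop using the shared Oakley group).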