On Thursday, May 28, 2015 2:29 PM, Lukas Tribus wrote:

> >> If you refer to long EOL'ed systems, then they probably don't support DHE at all.
> >
> > Alas, EOL'ed systems don't hinder their use - even if it is unwise.
> 
> That's not what I'm saying. What I'm saying is that since they are so old they
> don't even support DHE, therefore the DH group doesn't matter.

Ahhh, that makes sense - thanks for clearing that up.

> > How much does the size of my chosen DH group affect clients and the server
> > when negotiating the connection?
> 
> *Very* much on the server side. It will kill your CPU.

OK, good to know (it was a bit unclear until now).

> > Could I (at least in theory) make an 8192 bit DH group, and not expect any
> > performance problems?
>
> Absolutely not, no, not even in theory. Don't do this. HAProxy users have had
> severe performance regressions because of this.

OK, thanks for clearing that up.

Regards,
Jens Dueholm Christensen
Survey IT
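
To put numbers on the server-side cost discussed in this thread, the following added example (not part of the original emails and not HAProxy or OpenSSL code) times the modular exponentiation at the core of a DHE key exchange for several group sizes. It assumes a full-length private exponent and uses a constructed random odd modulus in place of a real DH prime, since only the operand size drives the cost; the function names are hypothetical.

```python
import secrets
import statistics
import time


def random_modulus(bits):
    # Constructed stand-in for a DH prime: a random odd number with the top
    # bit set. Primality does not change the cost of the exponentiation.
    return secrets.randbits(bits) | (1 << (bits - 1)) | 1


def modexp_seconds(bits, rounds=3):
    """Median wall-clock time of one g^x mod p with a `bits`-bit modulus."""
    p = random_modulus(bits)
    samples = []
    for _ in range(rounds):
        # Assumption: the private exponent is as long as the group itself.
        x = secrets.randbits(bits - 1) | (1 << (bits - 2))
        start = time.perf_counter()
        pow(2, x, p)  # generator 2, as used by many generated DH groups
        samples.append(time.perf_counter() - start)
    return statistics.median(samples)


def relative_cost(sizes=(1024, 2048, 4096, 8192), rounds=3):
    """Cost of each group size relative to the first size in `sizes`."""
    timings = {bits: modexp_seconds(bits, rounds) for bits in sizes}
    base = timings[sizes[0]]
    return {bits: t / base for bits, t in timings.items()}


if __name__ == "__main__":
    for bits, ratio in relative_cost().items():
        print(f"{bits:5d}-bit group: {ratio:8.1f}x the cost of the smallest group")
```

Absolute timings depend on the machine and the big-number library; the growth from one size to the next is what matters when choosing a group.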
