On 2016-03-16 17:56, Lukas Tribus wrote:
Some customers may require 4096 bit keys as it seems to be much more
decent than 2048 nowadays.

I've not come across any recommendations pointing in that direction; in
fact, 2048-bit RSA is supposed to be safe for commercial use until 2030.

I don't think this is a real requirement from knowledgeable people, to
be frank.

That's almost always the case when talking about requirements.


In any case it doesn't make any sense because if your customer really has
such huge requirements you may as well switch to ECC because you won't
be able to support old clients anyway.


I just compared the RSA one against ECC on ssllabs and it seems there's no difference on the browser/device compatibility topic. So we should indeed consider ECC keys.

That's still more than 96% difference compared to non-SSL

Well, you are basically benchmarking your stack with a TLS-specific
denial of service attack. Of course the same attack without TLS won't
have a noticeable effect on the stack. So that number is quite obviously
high.


Yeah, but to me it looks like almost anybody else will be affected as well when migrating to 100% https. A few hosts could easily take down the site by disabling keep-alive and so on on the client while doing some "valid" requests. So it's hard to notice compared to http only, because they can use far fewer requests, connections etc.

That's why Apache will scale better currently, because of its threading.

Hm, I haven't tried Apache yet, but would that be a huge benefit compared
to a setup using nbproc > 1?

I haven't tried it either, but yes, I would assume so. It also doesn't block
other connections while handshaking new ones.

Regards,

Lukas

--
Regards,
Christian Ruppert
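As an added illustration of the two mitigations discussed in this thread (spreading handshake work across processes with nbproc, and not letting a handful of clients monopolise the TLS handshake budget), here is a HAProxy configuration fragment written for this reply. It is not from either poster's setup; the file path, the rate threshold of 20 new connections per 10 seconds, the four-core layout and the cipher list are assumptions chosen for the example and should be tuned to the actual host.

```haproxy
global
    # One worker process per core. Each process does its own TLS handshakes,
    # so a burst of expensive handshakes stalls only the process that accepted
    # them instead of the whole proxy. (Assumes a 4-core host.)
    nbproc 4
    cpu-map 1 0
    cpu-map 2 1
    cpu-map 3 2
    cpu-map 4 3

    # ECDHE on both ECDSA and RSA certificates; an ECDSA (P-256) certificate
    # makes the server-side signature in the handshake far cheaper than RSA-4096.
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-options no-sslv3 no-tlsv10
    tune.ssl.default-dh-param 2048

frontend https_in
    # Path to an ECDSA certificate + key bundle is an assumed example value.
    bind :443 ssl crt /etc/haproxy/certs/example.com-ecdsa.pem
    mode http

    # Track the rate of *new TCP connections* per source address. Every new
    # connection costs one full handshake, so this is the cost the thread is
    # benchmarking. "tcp-request connection" rules run at accept time, before
    # the TLS handshake, so rejected sources never get to spend server CPU.
    stick-table type ip size 100k expire 30s store conn_rate(10s)
    tcp-request connection track-sc0 src
    tcp-request connection reject if { sc0_conn_rate gt 20 }

    # Caveat: with nbproc > 1 each process keeps its own copy of the stick
    # table, so the effective per-source limit is roughly threshold * nbproc
    # unless connections from one source land on the same process.

    default_backend app

backend app
    mode http
    server app1 127.0.0.1:8080 check
```

Before relying on the threshold, watch `show table https_in` on the stats socket under normal traffic so that legitimate clients behind a shared NAT (which open many connections from one address) are not rejected; the keep-alive-disabled pattern described above shows up there as a single source with a conn_rate far above everyone else.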
