Hi Alex,
On Wed, Nov 09, 2016 at 12:36:14PM +0000, Alex Bligh wrote:
> Whilst reviewing the TLS code, I found this:
>
> check_rv(gnutls_dh_params_init(&dh_params));
> check_rv(gnutls_dh_params_generate2(dh_params,
>         gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH,
>                                     GNUTLS_SEC_PARAM_MEDIUM)));
>
> This is called at the start of every TLS session. This seems an
> unreasonable overhead. My understanding is that in general you
> need only set DH parameters once ever (on a per-site basis), and
> certainly not per connection. Many servers use default DH parameters.
[...]
Right. I simply took that from the example in the GnuTLS documentation,
but I suppose you're probably right and we could do it once per
nbd-server run rather than once per STARTTLS command. On my laptop (a
reasonably recent Core i7) it takes about a second for the DH parameters
to be generated (in the debugger, at least), so it's certainly something
that might incur performance problems on less powerful hardware.
--
< ron> I mean, the main *practical* problem with C++, is there's like a dozen
people in the world who think they really understand all of its rules,
and pretty much all of them are just lying to themselves too.
-- #debian-devel, OFTC, 2016-02-12
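Added example, not code from nbd-server or GnuTLS: a pure-Python sketch of what the per-STARTTLS gnutls_dh_params_generate2() call above actually pays for, and of the "generate once per server run, reuse per session" structure the thread proposes. Generating DH parameters means searching for a safe prime p = 2q + 1 (both p and q prime), which costs many primality tests per candidate; the per-connection work over fixed parameters is one random exponent and one modular exponentiation. Function names (generate_dh_params, server_dh_params, new_session_keypair, compare_cost) and the tiny bit sizes are my own choices for illustration; the real server keeps the generated gnutls_dh_params_t and attaches it to the credentials with gnutls_certificate_set_dh_params() so every session shares it.

```python
"""Added example (not nbd-server's or GnuTLS's code): cost of generating
Diffie-Hellman parameters versus the cheap per-session work over them.
Pure Python with deliberately small bit sizes; not for production use."""
import secrets
import time
from functools import lru_cache

# Small primes for trial division before Miller-Rabin.
_SMALL_PRIMES = [p for p in range(3, 2000)
                 if all(p % d for d in range(2, int(p ** 0.5) + 1))]


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test (probabilistic), trial division first."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for p in _SMALL_PRIMES:
        if n == p:
            return True
        if n % p == 0:
            return False
    d, s = n - 1, 0                      # n - 1 = d * 2^s, d odd
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2  # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                 # composite witness found
    return True


def generate_dh_params(bits: int) -> tuple[int, int]:
    """The expensive step: find a safe prime p = 2q + 1 of `bits` bits and a
    generator g of the order-q subgroup (what gnutls_dh_params_generate2 does,
    at a real size it takes around a second on a laptop, as the mail says)."""
    while True:
        # Random odd (bits-1)-bit candidate for q, so p = 2q + 1 has `bits` bits.
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if not is_probable_prime(q):
            continue
        p = 2 * q + 1
        if is_probable_prime(p):
            break
    # 2 is a quadratic residue mod p (hence of order q) iff p = 7 mod 8;
    # otherwise 4 = 2^2 is always a residue and has order q.
    g = 2 if p % 8 == 7 else 4
    assert pow(g, q, p) == 1
    return p, g


@lru_cache(maxsize=None)
def server_dh_params(bits: int = 128) -> tuple[int, int]:
    """Generated once per process and shared by every session: the analogue
    of calling gnutls_dh_params_generate2() once at nbd-server start-up
    instead of once per STARTTLS command."""
    return generate_dh_params(bits)


def new_session_keypair(p: int, g: int) -> tuple[int, int]:
    """Per-connection work: a private exponent in [1, q-1] and one modexp."""
    q = (p - 1) // 2
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def shared_secret(p: int, peer_public: int, own_private: int) -> int:
    """Reject degenerate peer values (0, 1, p-1) before using them."""
    if not 1 < peer_public < p - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_public, own_private, p)


def compare_cost(bits: int = 128, sessions: int = 20) -> tuple[float, float]:
    """Seconds for `sessions` handshakes: regenerating parameters per session
    (the current nbd-server behaviour) versus generating them once."""
    t0 = time.perf_counter()
    for _ in range(sessions):
        p, g = generate_dh_params(bits)
        new_session_keypair(p, g)
    per_session = time.perf_counter() - t0
    t0 = time.perf_counter()
    p, g = generate_dh_params(bits)
    for _ in range(sessions):
        new_session_keypair(p, g)
    once = time.perf_counter() - t0
    return per_session, once


if __name__ == "__main__":
    per_session, once = compare_cost()
    print(f"per-session generation: {per_session:.3f}s, once: {once:.3f}s")
```

Even at 128 bits the per-session variant is visibly slower; at the 2048-or-so bits that GNUTLS_SEC_PARAM_MEDIUM maps to, the gap is the "about a second" per connection observed above, which is why the parameters belong in per-process state (or a well-known group) rather than in the STARTTLS handler.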
_______________________________________________
Nbd-general mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nbd-general