CPU was spiking in SSL 4k Key after upgrade.
CPU 0 98%
SSL 4K Key 72%
SSL Handshakes 7%
Please note that the additional breakdown of SSL usage in the CPU Monitor is only available in SG6.7.4 and later. Earlier versions of SGOS won’t have the same detailed breakdown in CPU monitor.
In SGOS 6.7.x we increased the emulation key size for RSA certificates as documented in the release notes:
Increased Key Sizes for Emulated Server Certificates
The key size supported for emulated DSA and ECDSA server certificates has been increased to 2048 bits. The key
size for emulated RSA server certificates is now matched up to a maximum of 4096 bits. For example, when the
ProxySG appliance intercepts a 4k RSA server certificate, it will emulate a 4k certificate
It is possible that heavy use of intercepting web sites with 4K RSA keys might have a larger impact on smaller platforms like the SG-S200 series.
The adoption of 4K keys has been rather low so far (6% according to Qualys SSL Pulse stats: https://www.ssllabs.com/ssl-pulse/) but if you experience high cpu in SSL 4k then we recommend reducing the key size to 2k.
To do this access the ProxySG using ssh then type in "conf t" and then "ssl" and then "proxy force-emulated-cert-keysize 2048".
The full command including path would be:
proxy#(config ssl)proxy force-emulated-cert-keysize 2048
The release notes will be updated to include this information.