
High CPU in SSL after upgrade to 6.7.x


Article ID: 173922

Products

ProxySG Software - SGOS

Issue/Introduction

After the upgrade, CPU usage spiked in the SSL 4K Key category of the CPU Monitor:

CPU 0              98%
SSL 4K Key         72%
SSL Handshakes      7%

Please note that the additional breakdown of SSL usage in the CPU Monitor is only available in SGOS 6.7.4 and later. Earlier versions of SGOS do not show this detailed breakdown in the CPU Monitor.

Environment

In SGOS 6.7.x we increased the emulation key size for RSA certificates, as documented in the release notes:

Increased Key Sizes for Emulated Server Certificates

The key size supported for emulated DSA and ECDSA server certificates has been increased to 2048 bits. The key size for emulated RSA server certificates is now matched up to a maximum of 4096 bits. For example, when the ProxySG appliance intercepts a 4k RSA server certificate, it will emulate a 4k certificate.

It is possible that heavy interception of web sites with 4K RSA keys has a larger impact on smaller platforms such as the SG-S200 series, because each emulated 4K certificate requires the proxy to perform 4096-bit RSA operations.

Resolution

The adoption of 4K keys has so far been rather low (6% according to Qualys SSL Pulse statistics: https://www.ssllabs.com/ssl-pulse/). If you nevertheless experience high CPU in the SSL 4K Key category, we recommend reducing the emulated key size to 2K.

To do this, connect to the ProxySG over SSH, enter configuration mode with "conf t", enter the SSL submode with "ssl", and then run "proxy force-emulated-cert-keysize 2048".

The full command, including the prompt showing the configuration path, is:

proxy#(config ssl)proxy force-emulated-cert-keysize 2048
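The following Python snippet is an added example (not part of this article or of SGOS) that parses CPU Monitor output in the SGOS 6.7.4+ format quoted above and flags cores whose load is dominated by the SSL 4K Key category, which is the condition under which the key-size change is recommended. The sample text is constructed from the article's numbers plus a made-up second core; the threshold values are assumptions.

```python
import re

# Constructed sample of CPU Monitor output in the SGOS 6.7.4+ format shown in
# the article. CPU 0 uses the article's figures; CPU 1 is made up so the
# parser is exercised on more than one core.
SAMPLE_CPU_MONITOR = """\
CPU 0              98%
SSL 4K Key         72%
SSL Handshakes      7%
CPU 1              35%
SSL 4K Key         10%
SSL Handshakes      4%
"""

# Each line is "<category name>   <integer>%".
LINE_RE = re.compile(r"^\s*(?P<name>.+?)\s+(?P<pct>\d+)%\s*$")


def parse_cpu_monitor(text):
    """Return {"CPU n": {"total": pct, "SSL 4K Key": pct, ...}} per core."""
    cores = {}
    current = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip headings and blank lines
        name, pct = m.group("name"), int(m.group("pct"))
        if name.startswith("CPU "):
            current = name
            cores[current] = {"total": pct}
        elif current is not None:
            cores[current][name] = pct
    return cores


def cores_dominated_by_4k(cores, cpu_threshold=90, key_share=50):
    """Cores that are busy overall and spend most of that time in 4K RSA work.

    The 90% / 50% thresholds are assumptions for illustration, not SGOS values.
    """
    return [
        core for core, d in cores.items()
        if d["total"] >= cpu_threshold and d.get("SSL 4K Key", 0) >= key_share
    ]


def recommended_commands(cores):
    """CLI sequence from the article, returned only when 4K emulation is the hotspot."""
    if not cores_dominated_by_4k(cores):
        return []
    return ["conf t", "ssl", "proxy force-emulated-cert-keysize 2048"]
```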


The release notes will be updated to include this information.