CPU spiking in SSL 4k Key:
CPU 0 98%
SSL 4K Key 72%
SSL Handshakes 7%
The emulation key size for RSA certificates in version 7.x is 4096 bits as documented in the release notes:
Increased Key Sizes for Emulated Server Certificates
The key size supported for emulated DSA and ECDSA server certificates has been increased to 2048 bits. The key size for emulated RSA server certificates is now matched up to a maximum of 4096 bits. For example, when the ProxySG appliance intercepts a 4k RSA server certificate, it will emulate a 4k certificate.
It is possible that heavy use of intercepting web sites with 4K RSA keys might have a larger impact on smaller platforms like the SG-S200 series.
The adoption of 4K keys has been rather low so far (6% according to Qualys SSL Pulse stats: https://www.ssllabs.com/ssl-pulse/), but if you experience high CPU usage in SSL 4K Key, we recommend reducing the key size to 2K.
To do this, access the ProxySG using SSH and execute the following commands:
proxy# conf t
proxy#(config) ssl
proxy#(config ssl) proxy force-emulated-cert-keysize 2048
The release notes will be updated to include this information.