High CPU usage in SSL

Article ID: 173922

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

CPU usage spikes in the SSL 4K Key component:

CPU 0                   98%
SSL 4K Key              72%
SSL Handshakes           7%

Environment

The emulation key size for RSA certificates in version 7.x is 4096 bits as documented in the release notes:

Increased Key Sizes for Emulated Server Certificates

The key size supported for emulated DSA and ECDSA server certificates has been increased to 2048 bits. The key size for emulated RSA server certificates is now matched up to a maximum of 4096 bits. For example, when the ProxySG appliance intercepts a 4k RSA server certificate, it will emulate a 4k certificate.

Heavy interception of web sites that use 4K RSA keys might have a larger impact on smaller platforms such as the SG-S200 series.

Resolution

Adoption of 4K keys has been rather low so far (6% according to Qualys SSL Pulse stats: https://www.ssllabs.com/ssl-pulse/), but if you experience high CPU usage in SSL 4K Key, we recommend reducing the emulated certificate key size to 2K.

To do this, access the ProxySG over SSH and run the following commands:

proxy# conf t
proxy#(config) ssl
proxy#(config ssl) proxy force-emulated-cert-keysize 2048

The release notes will be updated to include this information.
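
One way to confirm the change from a client, as an added example (not part of the original article and not ProxySG tooling): report the key size of the certificate a client is handed and flag anything above 2048 bits. The explicit-proxy address, host names and the locally generated sample certificate are assumptions or constructed values.

```shell
#!/bin/sh
# Added example: check the RSA key size of the certificate a client receives.
# Host names, the proxy address and the sample certificate are constructed.

# Print the public-key size (in bits) of a PEM certificate read from stdin.
cert_key_bits() {
    openssl x509 -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Return 0 if the PEM certificate on stdin has a key of at most $1 bits.
# An unreadable or missing certificate counts as a failure.
key_within_limit() {
    bits=$(cert_key_bits)
    [ -n "$bits" ] && [ "$bits" -le "$1" ]
}

# Fetch the leaf certificate presented for host $1 through an explicit
# proxy $2 (host:port, an assumption about the deployment). Needs network
# access, so it is defined here but not called by this script.
fetch_leaf_cert() {
    openssl s_client -connect "$1:443" -servername "$1" -proxy "$2" \
        </dev/null 2>/dev/null | openssl x509 2>/dev/null
}

# Constructed stand-in for an emulated certificate: a throwaway self-signed
# certificate with an RSA key of $1 bits, written to stdout.
make_sample_cert() {
    openssl req -x509 -newkey "rsa:$1" -nodes -keyout /dev/null \
        -subj "/CN=sample.invalid" -days 1 2>/dev/null
}

# Offline demonstration on the constructed sample.
sample=$(make_sample_cert 2048)
if printf '%s\n' "$sample" | key_within_limit 2048; then
    echo "sample certificate key is within the 2048-bit limit"
else
    echo "sample certificate key exceeds 2048 bits or could not be read"
fi
```

Against a live deployment, pipe `fetch_leaf_cert <site> <proxy:port>` into `key_within_limit 2048` for a site whose origin certificate uses a 4K RSA key; for a transparent deployment, drop the `-proxy` option.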