[sr-dev] TLS key recommendation

Henning Westerholt henning.westerholt at 1und1.de
Tue Oct 13 13:26:48 CEST 2009


On Tuesday, 13 October 2009, Andrei Pelinescu-Onciul wrote:
> > >     Try to avoid using keys larger than 1024 bytes. Large keys
> > > significantly slow down the TLS connection handshake, thus limiting
> > > the maximum SIP-router TLS connection rate.
> > > "
> > >
> > > Is this still a valid recommendation? Based on which size of
> > > CPU/system?
> >
> > Hi Olle,
> >
> > I'd think that today we should suggest a larger key. I've found this
> > page: http://www.keylength.com/en/compare/
> >
> > According to it, newer sources suggest a value of at least 1536 bits for
> > asymmetric keys.
>
> IMHO 1024 keys are more than enough for normal SIP traffic.
>
> The recommendation of using smaller keys is still valid. Even on a modern
> system encryption will eat a lot of CPU, and if you need to support
> several hundred encrypted connections at the same time you'll quickly
> run into problems.

Hi Andrei,

OK, if you look at a really busy system then probably this will need too much
performance. And keeping the recommendations aside, it's probably easier to
work around the crypto (i.e. bribe some admin, hack into the PC) in most cases
than to try to break it.

Regards,

Henning