Secure One Services Group

  • 1.  ECC Certificates for TLS Inspection

    Posted Dec 11, 2018 11:25 AM

    Dear fellow knights,

    in the last months and years we have seen a steady increase in TLS-encrypted HTTP connections on our customers' proxies. Of course we use TLS inspection whenever possible. But due to the increased TLS load this leads to high CPU usage, and some of the proxies are reaching their limit.

    Usually we use a 4096-bit RSA certificate for the SSL inspection proxy CA.

    We increase the certificate cache to 72 hours (proxy set-cert-cache-timeout 72) and leave the emulated certificate size at the default, which should be 4096-bit max.

    I was thinking about ways to decrease the burden that TLS inspection puts on the proxy. One idea is to decrease the certificate key size.

    Does somebody have any numbers on how this influences the proxy throughput or CPU load?

    1. Decreasing the CA certificate key size from 4096 to 2048 bits?

    2. Decreasing the key size of the emulated certificates to 2048 bits?

    3. Which of the above measures has the greater performance impact?

     

    The other idea was to use ECC certificates instead of RSA for the proxy CA and the emulated certificates. I know that the SSLV appliance supports ECC certificates, but I was not able to find anything pointing in that direction for ProxySG. Is there ECC support for the proxy CA?

     

    Best regards, Matthias



  • 2.  RE: ECC Certificates for TLS Inspection

    Broadcom Partner
    Posted Dec 12, 2018 03:13 AM

    Hello Matthias,

    "1. decreasing the CA certificate size from 4096 to 2048 bit?"

    I think there is no performance impact (or a very small one), because it's used only for signing the emulated certificates.

    "2. decreasing the size of the emulated certificates to 2048 bit?"

    If you use "proxy force-emulated-cert-keysize auto" (the default) and change it to "proxy force-emulated-cert-keysize 2048", you only gain if your users are going to a lot of servers with 3K/4K certs. Checking /SSL/Statistics - Certificate Emulation can be helpful. Usually I use "proxy force-emulated-cert-keysize 1024" in case the proxy has a heavy SSL/cryptography load.

    "3. The other idea was to use ECC certificates instead of RSA for the proxy CA and the emulated certificates. I know that the SSLV appliance supports ECC certificates but I was not able to find anything pointing in that direction for ProxySG. Is there ECC support for the proxy CA?"

    Unfortunately, I can say "no". I have tried to import an ECC key (SGOS 6.7.4.1 - the latest accessible), but the proxy doesn't understand a key beginning with "-----BEGIN EC PRIVATE KEY-----".
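    The header quoted in the reply above, "-----BEGIN EC PRIVATE KEY-----", is the SEC1 container for an EC private key; the same key can also be carried in a PKCS#8 "-----BEGIN PRIVATE KEY-----" container, which includes an algorithm identifier and is what many importers expect. The Go program below is an added example, not code from the thread or from Symantec/Broadcom: it generates a P-256 key in SEC1 form, identifies the container from the PEM header, and re-wraps the key as PKCS#8. Whether the ProxySG import accepts the PKCS#8 form is an assumption to test before filing a feature request; the thread does not establish it. The key is freshly generated when the program runs, and the encoding labels are names chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// KeyEncoding names the PEM container a private key arrived in. The labels
// are chosen for this example; the appliance's import logic is not modelled.
type KeyEncoding string

const (
	EncodingSEC1  KeyEncoding = "SEC1 (EC PRIVATE KEY)"
	EncodingPKCS1 KeyEncoding = "PKCS#1 (RSA PRIVATE KEY)"
	EncodingPKCS8 KeyEncoding = "PKCS#8 (PRIVATE KEY)"
)

// InspectPEM identifies the container from the PEM header and parses the key.
func InspectPEM(data []byte) (KeyEncoding, interface{}, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return "", nil, errors.New("no PEM block found")
	}
	switch block.Type {
	case "EC PRIVATE KEY":
		key, err := x509.ParseECPrivateKey(block.Bytes)
		return EncodingSEC1, key, err
	case "RSA PRIVATE KEY":
		key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
		return EncodingPKCS1, key, err
	case "PRIVATE KEY":
		key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		return EncodingPKCS8, key, err
	}
	return "", nil, fmt.Errorf("unsupported PEM type %q", block.Type)
}

// ToPKCS8PEM re-wraps a parsed private key in the PKCS#8 container, the
// "-----BEGIN PRIVATE KEY-----" form that carries an algorithm identifier.
func ToPKCS8PEM(key interface{}) ([]byte, error) {
	der, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}), nil
}

// NewSEC1ECKeyPEM generates a P-256 key and writes it in the SEC1 container,
// i.e. with the "-----BEGIN EC PRIVATE KEY-----" header the reply above says
// the proxy rejected. The key is freshly generated for the example.
func NewSEC1ECKeyPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der}), nil
}

func main() {
	sec1, err := NewSEC1ECKeyPEM()
	if err != nil {
		panic(err)
	}
	enc, key, err := InspectPEM(sec1)
	if err != nil {
		panic(err)
	}
	fmt.Println("input container:", enc)
	p8, err := ToPKCS8PEM(key)
	if err != nil {
		panic(err)
	}
	enc, _, err = InspectPEM(p8)
	if err != nil {
		panic(err)
	}
	fmt.Println("converted container:", enc)
	fmt.Print(string(p8))
}
```

    The same conversion at the command line is `openssl pkcs8 -topk8 -nocrypt -in ec.key -out ec-pkcs8.key`. If the appliance rejects the PKCS#8 form as well, the limitation is EC key support itself rather than the PEM container, which is the stronger finding to attach to a feature request.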



  • 3.  RE: ECC Certificates for TLS Inspection

    Posted Dec 13, 2018 06:03 AM

    Hi Pavel,

    thanks for your response!

    A key size of 1024 bits nowadays seems a little short. But as these keys are only used in the internal network, the risk should not be too high. Does somebody have any measurements that confirm the performance improvements?

     

    Is anybody from Symantec here who can confirm that ECC keys are on the roadmap? If not, I will open a feature request for that.

    I hope the use of ECC keys will provide a performance boost to the ProxySGs.

     

    Best regards, Matthias



  • 4.  RE: ECC Certificates for TLS Inspection

    Broadcom Partner
    Posted Dec 26, 2018 02:38 AM

    Hi Matthias,

    "Does somebody have any measurements that confirm the performance improvements?"

    Vendor's recommendations: https://support.symantec.com/en_US/article.TECH245157.html

    "Lower the emulated certificate key size

    With SSL-Interception, the ProxySG emulates on the fly the certificate copies of the original certificates from the websites.

    Decrease the size of the ssl-interception private keys from the CLI:

    proxy>enable
    proxy#conf t
    proxy#(config)ssl
    proxy#(config ssl)proxy force-emulated-cert-keysize 1024
    "

    I didn't see more than a 5-7% difference in CPU load in real traffic between 1024 and 2048 (default).

    I heard ECC is on the roadmap for SGOS 6.8.

    BR,

    Pavel
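    The two knobs discussed in this thread split one emulated certificate into two CPU-bound steps: generating the leaf key (controlled by force-emulated-cert-keysize, paid once per intercepted site until the cache expires) and signing the leaf with the CA key (where only the CA key size matters). To put numbers behind that split, here is an added Go example, not the vendor's code and not a measurement of a ProxySG: it emulates a certificate the way an intercepting proxy does and times the two steps separately for RSA-1024/2048/4096 and P-256 leaf keys under an RSA-2048 and an RSA-4096 CA. The host name "www.example.com", the CA name "Example Interception CA" and the validity periods are constructed for the example; the absolute figures depend on the host, the ratios are the point. The rsa1024 row is there for comparison with the thread's suggestion, not as a recommendation: 1024-bit RSA has been disallowed for signature generation by NIST SP 800-131A since the end of 2013.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strconv"
	"strings"
	"time"
)

// NewKey returns a fresh private key: "rsa1024", "rsa2048", "rsa4096" (the
// sizes discussed in the thread) or "p256" for an ECDSA key for comparison.
func NewKey(kind string) (crypto.Signer, error) {
	if kind == "p256" {
		return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	}
	bits, err := strconv.Atoi(strings.TrimPrefix(kind, "rsa"))
	if !strings.HasPrefix(kind, "rsa") || err != nil || bits < 1024 {
		return nil, fmt.Errorf("unknown key kind %q", kind)
	}
	return rsa.GenerateKey(rand.Reader, bits)
}

// SelfSigned builds a self-signed certificate; with KeyUsageCertSign it stands
// in for the proxy's interception CA, otherwise for the origin server's cert.
// Names and lifetimes are constructed for this example.
func SelfSigned(key crypto.Signer, cn string, dns []string, usage x509.KeyUsage) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dns,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(90 * 24 * time.Hour),
		IsCA:                  usage&x509.KeyUsageCertSign != 0,
		BasicConstraintsValid: true,
		KeyUsage:              usage,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// EmulateCert does what the proxy does per intercepted site: generate a leaf
// key of the requested kind (the force-emulated-cert-keysize knob), copy the
// origin certificate's identity into a new leaf, and sign it with the CA key.
func EmulateCert(ca *x509.Certificate, caKey crypto.Signer, origin *x509.Certificate, leafKind string) (emu *x509.Certificate, keyGen, sign time.Duration, err error) {
	t0 := time.Now()
	leafKey, err := NewKey(leafKind)
	if err != nil {
		return nil, 0, 0, err
	}
	keyGen = time.Since(t0)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 126))
	if err != nil {
		return nil, 0, 0, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      origin.Subject,
		DNSNames:     origin.DNSNames,
		NotBefore:    origin.NotBefore,
		NotAfter:     origin.NotAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	t1 := time.Now()
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, leafKey.Public(), caKey)
	if err != nil {
		return nil, 0, 0, err
	}
	sign = time.Since(t1)
	emu, err = x509.ParseCertificate(der)
	return emu, keyGen, sign, err
}

func main() {
	originKey, _ := NewKey("p256")
	origin, _ := SelfSigned(originKey, "www.example.com", []string{"www.example.com"}, x509.KeyUsageDigitalSignature)
	for _, caKind := range []string{"rsa2048", "rsa4096"} {
		caKey, _ := NewKey(caKind)
		ca, _ := SelfSigned(caKey, "Example Interception CA", nil, x509.KeyUsageCertSign)
		for _, leafKind := range []string{"rsa1024", "rsa2048", "rsa4096", "p256"} {
			_, keyGen, sign, err := EmulateCert(ca, caKey, origin, leafKind)
			if err != nil {
				fmt.Println(caKind, leafKind, "error:", err)
				continue
			}
			fmt.Printf("CA %-7s leaf %-7s keygen %-12v sign %v\n", caKind, leafKind, keyGen, sign)
		}
	}
}
```

    Run it with `go run`. Reading the output against the thread: the keygen column moves with the leaf key kind and not with the CA, which is why force-emulated-cert-keysize is the knob that changes load, while the sign column moves with the CA key size only, which is the reply's point that shrinking the CA key buys little. Raising set-cert-cache-timeout amortises both columns over more connections; it does not change either figure.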