Dear fellow knights,
In the last months and years we have seen a steady increase in TLS-encrypted HTTP connections on our customer's proxies. Of course we use TLS inspection whenever possible. But due to the increased TLS load this leads to high CPU, and some of the proxies are reaching their limit.
Usually we use a 4096-bit RSA certificate for the SSL inspection proxy CA.
We increased the certificate cache to 72 hours (proxy set-cert-cache-timeout 72) and left the emulated certificate size at the default, which should be 4096 bit max.
I was thinking about ways to decrease the burden on the proxy for doing the TLS inspection. One idea is to decrease the certificate size.
Does somebody have any numbers on how this influences the proxy throughput or CPU load?
1. Decreasing the CA certificate size from 4096 to 2048 bit?
2. Decreasing the size of the emulated certificates to 2048 bit?
3. Which of the above measures has the greater performance impact?
The other idea was to use ECC certificates instead of RSA for the proxy CA and the emulated certificates. I know that the SSLV appliance supports ECC certificates, but I was not able to find anything pointing in that direction for ProxySG. Is there ECC support for the proxy CA?
Best regards, Matthias
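The two costs the question separates (the CA signing an emulated certificate on a cache miss, versus the emulated certificate's private key signing every full client handshake) can be measured directly. The following is an added Go benchmark, not code from the post, from ProxySG or from any vendor: it generates one RSA-2048, one RSA-4096 and one ECDSA P-256 key, builds a self-signed inspection CA with each, issues an emulated server certificate for a constructed origin name, and times the CA signature and the leaf-key signature separately for the CA/leaf combinations listed in the question. The certificate names, the 72 h leaf lifetime and the iteration counts are assumptions of this example; the ECC result only shows the signing cost of a P-256 key in general, it says nothing about whether ProxySG supports ECC CA keys.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Profile is the measured per-operation cost of one CA key / emulated (leaf) key combination.
// Key kinds, names and iteration counts are assumptions of this constructed benchmark, not proxy settings.
type Profile struct {
	CAKind, LeafKind string
	IssuePerOp       time.Duration // CA signature over one emulated certificate (paid once per cache miss)
	HandshakePerOp   time.Duration // leaf private-key signature (paid on every full client handshake)
}

// GenerateKeys makes one key of each kind under comparison. RSA-4096 generation alone can take seconds.
func GenerateKeys() (map[string]crypto.Signer, error) {
	keys := map[string]crypto.Signer{}
	for _, bits := range []int{2048, 4096} {
		k, err := rsa.GenerateKey(rand.Reader, bits)
		if err != nil {
			return nil, err
		}
		keys[fmt.Sprintf("rsa%d", bits)] = k
	}
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	keys["p256"] = k
	return keys, nil
}

// selfSignedCA builds the inspection CA certificate that will sign emulated certificates.
func selfSignedCA(caKey crypto.Signer) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Inspection CA"}, // constructed name
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, caKey.Public(), caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// issueEmulated does what the proxy does on a certificate-cache miss: sign a server
// certificate carrying the origin's name with the inspection CA key.
func issueEmulated(ca *x509.Certificate, caKey crypto.Signer, leafPub crypto.PublicKey) error {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "www.example.com"}, // constructed origin name
		DNSNames:     []string{"www.example.com"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(72 * time.Hour), // assumed to match the 72 h cache lifetime
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	_, err := x509.CreateCertificate(rand.Reader, tmpl, ca, leafPub, caKey)
	return err
}

// Measure times both operations for the given CA and leaf key kinds, averaged over iters runs.
func Measure(keys map[string]crypto.Signer, caKind, leafKind string, iters int) (Profile, error) {
	caKey, leafKey := keys[caKind], keys[leafKind]
	ca, err := selfSignedCA(caKey)
	if err != nil {
		return Profile{}, err
	}
	start := time.Now()
	for i := 0; i < iters; i++ {
		if err := issueEmulated(ca, caKey, leafKey.Public()); err != nil {
			return Profile{}, err
		}
	}
	issue := time.Since(start) / time.Duration(iters)

	// A full client-facing handshake needs one signature with the emulated certificate's
	// private key; a SHA-256 digest of a constructed string stands in for the transcript.
	digest := sha256.Sum256([]byte("constructed handshake transcript"))
	start = time.Now()
	for i := 0; i < iters; i++ {
		if _, err := leafKey.Sign(rand.Reader, digest[:], crypto.SHA256); err != nil {
			return Profile{}, err
		}
	}
	return Profile{caKind, leafKind, issue, time.Since(start) / time.Duration(iters)}, nil
}

func main() {
	keys, err := GenerateKeys()
	if err != nil {
		panic(err)
	}
	combos := [][2]string{{"rsa4096", "rsa4096"}, {"rsa2048", "rsa4096"}, {"rsa4096", "rsa2048"}, {"rsa2048", "rsa2048"}, {"p256", "p256"}}
	for _, c := range combos {
		p, err := Measure(keys, c[0], c[1], 20)
		if err != nil {
			panic(err)
		}
		fmt.Printf("CA %-8s leaf %-8s  issue %10v/cert  handshake %10v/conn\n", p.CAKind, p.LeafKind, p.IssuePerOp, p.HandshakePerOp)
	}
}
```

Reading the output: the CA key size only changes the "issue" column, and with a 72-hour certificate cache that cost is paid once per origin per cache lifetime; the emulated certificate's key size changes the "handshake" column, which is paid on every full (non-resumed) client handshake. Steady-state CPU is therefore governed far more by the emulated key size than by the CA key size. The benchmark isolates the signature operations only; the origin-facing handshake, the ECDHE key exchange and record encryption are not included.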