Re: [HACKERS] Speed of SSL connections; cost of renegotiation

> >> So, questions for the group: where did the decision to renegotiate
> >> every 64K come from?  Do we need it at all?  Do we need it at such a
> >> short interval?  And if we do need it, shouldn't the logic be
> >> symmetric, so that renegotiations are forced during large input
> >> transfers as well as large output transfers?
> 
> > It doesn't look like there's any guidance from mod_ssl in Apache 2.0.
> 
> Yeah, I looked at mod_ssl before sending in my gripe.  AFAICT Apache
> *never* forces a renegotiation based on amount of data sent --- all
> that code is intended just to handle transitions between different
> webpages with different security settings.  So is that a precedent
> we can follow; or is it an optimization based on the assumption that
> not a lot of data will be transferred on any one web page?

I'd assume it's a precedent we can follow given that mod_ssl was
written by the same crew that did openssl.  That said, I hope that
Ralf knows his stuff, nevermind that I haven't seen anyone jump all
over Apache for not-renegotiating its keys (and quite a few folks have
looked at that).  My best guess is that you only have to key the
session once and only need to renegotiate that key if you change
cyphers or are worried about someone obtaining a key.... that said,
OpenSSH does rekey periodically, but I think those guys are overly
paranoid.  Even still, OpenSSH rekeys every 10min I think, not every
64K.

From sshd(8):
    -k key_gen_time            Specifies how often the ephemeral protocol version 1 server key            is
regenerated(default 3600 seconds, or one hour).  The motiva-            tion for regenerating the key fairly often is
thatthe key is not            stored anywhere, and after about an hour, it becomes impossible            to recover the
keyfor decrypting intercepted communications even            if the machine is cracked into or physically seized.  A
valueof            zero indicates that the key will never be regenerated.
 

Drat, close: once every hour.  I think it'd be safe to jack that puppy
pretty high or to use a time based rekeying, not data transfer based.
Seconds since epoc since last rekeying should always be less than
3600?  Don't know that we'd want to poll gettimeofday() does
postgresql have any timer code sitting around in the tree?

> (But even if you assume the latter, there are plenty of web pages
> with more than 64K of data.  It's hard to believe mod_ssl would be
> built like that if security demands a renegotiation every 64K or
> so.)

Hopefully it takes less than one hour for an HTTP request to go
through, regardless of the size.

-- 
Sean Chittenden