Pound Mailing List Archive (Apsis), 2006-01


Pound and RSA ephemeral keys
Gaetan OFFREDO <gaetan.offredo(at)alcatel.fr>
2006-01-06 15:46:17 [ FULL ]
Hello all (and happy new year !),

A question about the RSA ephemeral keys

Pound generates N_RSA_KEYS (11) RSA ephemeral keys every T_RSA_KEYS (300) seconds.

Our pound server is running on a low-performance PC, and the thread dedicated to RSA ephemeral key generation is CPU-consuming.

My question: why does Pound generate the RSA ephemeral keys every 5 minutes?

According to E. Rescorla (SSL and TLS: Designing and Building Secure Systems): "RSA keys is computationally expensive <snip> Typical key lifetimes are on the order of a year or two and servers usually generate a new ephemeral RSA key at most once a day. Often they'll generate it at server startup only and servers can stay up for weeks"

In addition, looking at the mod_ssl code, one finds the following comment:
" * |    RSA key generation is a time-consuming process. In many cases, a
 * |    low-priority process can be assigned the task of key generation.
 * |    Whenever a new key is completed, the existing temporary key can be
 * |    replaced with the new one.
 *
 * So we generated 512 and 1024 bit temporary keys on startup
 * which we now just handle out on demand...."

Could we imagine a flag to modify the timer for generating this key?

Thanks

Gaëtan
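As an added example (not Pound's code, and not from either poster), here is a small Python model of the scheme the post describes: a ring of N_RSA_KEYS keys that a background job regenerates every T_RSA_KEYS seconds, plus a helper that turns a measured per-key generation time into the share of one core the generator consumes at a given interval. The RSA generator is a toy (small modulus, non-cryptographic randomness) that exists only to put a measurable cost on each key; the assumption that a handshake picks one ring key at random is mine, not something the thread states.

```python
"""Rotating ephemeral-RSA key ring, modelled on the scheme described in the
thread: N_RSA_KEYS keys regenerated by a background job every T_RSA_KEYS
seconds. Added example, not Pound's code; the toy RSA generator is for
measuring cost only (random.* is not a CSPRNG, keys are far too small)."""
import random
import time

N_RSA_KEYS = 11    # defaults quoted in the thread
T_RSA_KEYS = 300


def is_probable_prime(n, rounds=16):
    """Miller-Rabin test; adequate for a demo, not for real key generation."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_rsa(bits=512):
    """Textbook RSA key as (n, e, d). 512 bits keeps the demo fast."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:   # e is prime, so this means gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)


class KeyRing:
    """Pool of ephemeral keys. rotate() is what the generator thread would run
    every `interval` seconds; pick() is what a handshake callback would call.
    Random selection per handshake is an assumption, not Pound's documented
    behaviour."""

    def __init__(self, n_keys=N_RSA_KEYS, interval=T_RSA_KEYS, bits=512):
        self.n_keys, self.interval, self.bits = n_keys, interval, bits
        self.keys = []
        self.last_rotate_seconds = 0.0
        self.rotate()

    def rotate(self):
        """Regenerate every key in the ring; returns the wall time it took."""
        t0 = time.perf_counter()
        self.keys = [generate_rsa(self.bits) for _ in range(self.n_keys)]
        self.last_rotate_seconds = time.perf_counter() - t0
        return self.last_rotate_seconds

    def pick(self):
        return random.choice(self.keys)


def cpu_fraction(n_keys, interval_s, seconds_per_key):
    """Share of one core the generator needs: keys per rotation times cost
    per key, spread over the rotation interval."""
    return n_keys * seconds_per_key / interval_s


def rsa_roundtrip(key, m):
    """Encrypt then decrypt m with a ring key; True if the key is consistent."""
    n, e, d = key
    return pow(pow(m, e, n), d, n) == m


if __name__ == "__main__":
    ring = KeyRing()
    per_key = ring.last_rotate_seconds / ring.n_keys
    print(f"{ring.n_keys} x {ring.bits}-bit keys took {ring.last_rotate_seconds:.2f}s")
    for interval in (T_RSA_KEYS, 3600, 86400):   # 5 min, 1 h, once a day
        share = 100 * cpu_fraction(ring.n_keys, interval, per_key)
        print(f"interval {interval:>6}s -> {share:.3f}% of one core")
    assert rsa_roundtrip(ring.pick(), 0x1234)
```

Run on the box in question, the per-key time replaces guesswork with a number: for the same per-key cost, a 300 s interval costs 288 times the CPU share of a once-a-day interval, which is the trade the post asks to make configurable. The other side of that trade, not raised in the thread, is that a longer interval means one ephemeral key covers more sessions if it is ever recovered.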

Re: [Pound Mailing List] Pound and RSA ephemeral keys
Robert Segall <roseg(at)apsis.ch>
2006-01-06 17:19:48 [ FULL ]
On Fri, 2006-01-06 at 15:46 +0100, Gaetan OFFREDO wrote:[...]

I doubt that key generation every 5 minutes is that much of a problem,
but we'll put a compile-time switch to let you change that. Expect it in
the next release.[...]
