Re: [Nbd] STARTTLS and DH parameters and GnuTLS initialisation
- To: Alex Bligh <alex@...872...>
- Cc: "nbd-general@lists.sourceforge.net" <nbd-general@lists.sourceforge.net>
- Subject: Re: [Nbd] STARTTLS and DH parameters and GnuTLS initialisation
- From: Wouter Verhelst <w@...112...>
- Date: Wed, 9 Nov 2016 23:48:21 +0100
- Message-id: <20161109224821.x73tcjwfllqyeuo4@...3...>
- In-reply-to: <B6FB265D-AE20-479E-A7D1-3100CEBF0C71@...872...>
- References: <B6FB265D-AE20-479E-A7D1-3100CEBF0C71@...872...>
Hi Alex,
On Wed, Nov 09, 2016 at 12:36:14PM +0000, Alex Bligh wrote:
> Whilst reviewing the TLS code, I found this:
>
> check_rv(gnutls_dh_params_init(&dh_params));
> check_rv(gnutls_dh_params_generate2(dh_params,
>                                     gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH,
>                                                                 GNUTLS_SEC_PARAM_MEDIUM
>                                     )));
>
> This is called at the start of every TLS session. This seems an
> unreasonable overhead. My understanding is that in general you
> need only set DH parameters once ever (on a per-site basis), and
> certainly not per connection. Many servers use default DH parameters.
[...]
Right. I simply took that from the example in the GnuTLS documentation,
but I suppose you're probably right and we could do it once per
nbd-server run rather than once per STARTTLS command. On my laptop (a
reasonably recent Core i7) it takes about a second for the DH parameters
to be generated (in the debugger, at least), so it's certainly something
that might incur performance problems on less powerful hardware.
--
< ron> I mean, the main *practical* problem with C++, is there's like a dozen
people in the world who think they really understand all of its rules,
and pretty much all of them are just lying to themselves too.
-- #debian-devel, OFTC, 2016-02-12