What I am mostly looking for is some clue as to what would be a good default
for how often to force renegotiation: every megabyte? Every ten megabytes?
Every 100 megabytes?
The data is "one-way" (client to server only) and what I would call "medium
sensitive": typically no national secrets or credit card numbers, but lots
of userids and critical filenames. (Commercial "multi-purpose" application
so a little difficult to predict *exactly* what the data will be.) The data
is also highly repetitive (which I understand makes it easier to crack). It
might also be possible for a rogue to "force" a predictable stream of data
by taking a particular action.
The server would typically be on a private network but might in some cases
be Internet-facing. The server would typically be long-running (weeks
without a restart). I am using OpenSSL 1.0.1c 10 May 2012.
On 2012-08-20 08:39 -0400 (Mon), Charles Mills wrote:
> What I am mostly looking for is some clue as to what would be a good default
> for how often to force renegotiation: every megabyte? Every ten megabytes?
> Every 100 megabytes?
While we're at it, I've got a long-running application as well, and
as well as similarly long-running connections, I'm wondering what, if
anything, I need to do about re-seeding OpenSSL's PRNG. How long is
it safe to leave it running in a moderately busy system (several TLS
connections per second), and is that even the metric one should use?
It is easier to write an incorrect program than understand a correct one.
--Alan Perlis, Epigrams on Programming (#7)
OpenSSL Project http://www.openssl.org User Support Mailing List [hidden email] Automated List Manager [hidden email]