Hello,

When testing renegotiation I noticed that the client may start the renegotiation process at any time (in most cases) - that is OK :-)

In renegotiation, the most time-consuming part for the server is decrypting the client pre-shared-key with its RSA private key (very slow and time-consuming compared to the RSA public key operation). If the client requests renegotiation after renegotiation, then the server may slow down. If the client opens many SSL connections with renegotiation active all the time, we may have VERY high CPU usage.

You can, for example, test this with the command:

    while true; do echo R; done | openssl s_client -connect ssl_host:443

Maybe something like "renegotiation_rate" should be added?

Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [EMAIL PROTECTED]
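
The "renegotiation_rate" idea suggested above, sketched as an added example (not part of the original post and not OpenSSL code): a per-connection fixed-window limiter that a server would consult at each handshake start, before it performs the RSA private-key operation. The struct, the function names and the policy of 3 renegotiations per 60 seconds are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Assumed policy values, chosen for illustration only. */
#define RENEG_MAX_PER_WINDOW 3
#define RENEG_WINDOW_SECS    60

/* Hypothetical per-connection state (not an OpenSSL structure). */
struct reneg_limiter {
    time_t   window_start;  /* start of the current counting window */
    unsigned count;         /* renegotiations accepted in this window */
    bool     initial_done;  /* the first handshake is not a renegotiation */
};

/* Call once per handshake start on a connection. Returns true if the
 * handshake may proceed, false if the server should close the connection
 * instead of spending CPU on another private-key decryption. */
bool reneg_allow(struct reneg_limiter *rl, time_t now)
{
    if (!rl->initial_done) {            /* initial handshake: always allowed */
        rl->initial_done = true;
        rl->window_start = now;
        rl->count = 0;
        return true;
    }
    if ((long)(now - rl->window_start) >= RENEG_WINDOW_SECS) {
        rl->window_start = now;         /* window expired: start a new one */
        rl->count = 0;
    }
    if (rl->count >= RENEG_MAX_PER_WINDOW)
        return false;                   /* over the configured rate */
    rl->count++;
    return true;
}

/* Constructed scenario: one connection asks for `requests` renegotiations,
 * one every `interval_secs`. Returns how many the server actually served. */
unsigned simulate(unsigned requests, unsigned interval_secs)
{
    struct reneg_limiter rl = {0};
    time_t now = 0;
    unsigned served = 0;
    reneg_allow(&rl, now);              /* initial handshake */
    for (unsigned i = 0; i < requests; i++) {
        now += interval_secs;
        if (!reneg_allow(&rl, now))
            break;                      /* connection closed by the server */
        served++;
    }
    return served;
}

int main(void)
{
    printf("back-to-back: %u served\n", simulate(100, 0));
    printf("every 30 s:   %u served\n", simulate(10, 30));
    return 0;
}
```

A per-connection counter only bounds the single-connection case; for the many-connections case described in the post, the same counter would have to be keyed by client address and shared across connections.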
