SSL certification is one of the most effective ways to bolster online security.
According to W3Techs, over 73% of domains utilize one of the nine most popular SSL certificate authorities that they monitor. SSL certificates with high key lengths are more secure, but can also impact SQL performance.
Developers must understand the relationship between SSL certificate key length and database queries. Here are some factors that they must weigh.
Higher RSA Key Lengths Require Greater Computational Power and Bandwidth
There is a strong correlation between RSA key length and computing resources required to run your SQL certificates. This creates a dampening effect on your bandwidth, thereby hurting SQL performance.
However, the impact is usually minimal. According to research presented by Robert Gibb, a former
security expert at MaxCDN, the average SSL certificate only causes a 1-2% decline in web performance.
This sacrifice is so negligible that the average ecommerce site won’t even take it into consideration. What’s more online store builders and other website platforms are getting better at optimizing SSL certifications and SQL performance.
However, there is a clear tradeoff between SSL key length and web performance. Domains utilizing 4096 bit encryption or higher tend to notice a sharp decline in performance. Developers that don’t want to observe a noticeable decline in performance should stick to using an RSA with a 2048 bit key length. According to MSSQL Tips, this key length usually provides more than adequate security.
“Given that SQL Server supports a 2048 key length, this is probably the best option to choose. NIST estimates that it’ll be 2030 before 2048 bit key lengths will be in danger. Also, if you’re encrypting a large amount of data, the recommendation is to encrypt using a symmetric key algorithm and to protect that algorithm’s key using an asymmetric encryption algorithm.”
However, there are instances when a higher RSA key length is necessary.
Solutions to Increase SSL Performance
Fortunately, there are ways to increase web performance if SSL becomes a performance damper.
Choose Symmetric Key Algorithms Based on Implementation Needs
SSL environments are often built for specific implementation needs. Solutions with DES symmetric key algorithms are built primarily for running fast hardware implementations. SSL solutions with AES symmetric key algorithms can run much faster in software implementations.
It’s important to consider your implementation needs and choose symmetric key algorithms accordingly.
Use ssl_ciphers Directive
The ssl_ciphers directive should be used for all SSL applications. It instructs the client to only allow SSL/TLS ciphers and versions with the required SSL/TLS strength. However, it has another, less frequently used purpose. It can limit unnecessary connections that drain bandwidth and hinder SQL performance.
Test OpenSSL on Your Server
Too many developers use an industry standard benchmark when choosing RSA key lengths. It’s important to be aware of the OpenSSL environment you are using and the way it interacts with your server first. While a 2048 bit certificate is ideal for most applications, it may be excessive if you are using a newer OpenSSL solution.
Instead of choosing an arbitrary RSA key length, you should test different RSA key lengths on your server. You may find that a certificate with a shorter RSA key length meets your security requirements without hindering performance.
Improve the Three-Way Handshake
There are different ways TCP connections can be implemented, but they usually follow the steps outlined below:
• The client server submits a connection request.
• The request is acknowledged by the connecting server.
• Another acknowledgement is forwarded to the other server.
Since there are three separate connection requests, the process can be stifled if any of them take too much time. The process should take between 250 and 500 milliseconds, but it can take longer if there are problems with the connection. You can significantly improve the connection speed and SQL performance by optimizing the handshake.
There are several ways to optimize your three-way handshake:
• Use TLS session resumption. This means that you will only have to make the handshake to connect to servers for the first time. If they have connected recently, you can use the same TLS options from the last connection.
• Use domain sharding or resource caching to minimize the handshake.
These shortcuts can significantly improve performance without excessively limiting security.