[Mono-dev] RSA and ECDH

Edward Ned Harvey (mono) edward.harvey.mono at clevertrove.com
Mon Feb 17 06:30:26 UTC 2014

> From: Sebastien Pouliot [mailto:sebastien.pouliot at gmail.com]
> Please re-read the TLS RFC (any of them) and tell me where you need to
> _generate_ an RSA keypair to establish an SSL/TLS connection ?!?

It seems I had a misunderstanding - I know, as long as the server only needs to generate a new cert once a year, that the 30-ish seconds necessary to generate the new server cert is irrelevant (especially because it's done non-interactively offline.)  I know the server is able to re-use its cert on many different connections.  And I know that clients *can* have their own reusable certs, but usually don't.  

I *thought* that clients that don't have their own certs would need to generate a keypair each time they connected to a server, in order to then negotiate the session-specific symmetric key.  But this seems to be false, as in testing a moment ago, I have a server with 3072 bit RSA private key in its self-signed cert, and the client only requires 1-2-ish seconds to create the SslStream and AuthenticateAsClient().  

I'll have to look into it more, but for now I'm sleepy, and content to put it off to another day.

More information about the Mono-devel-list mailing list