Bug ID 538639: P-256 ECDH performance improvements

Last Modified: Oct 06, 2020

Bug Tracker

Affected Product:  See more info
BIG-IP All(all modules)

Known Affected Versions:
11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 12.0.0, 12.0.0 HF1, 12.0.0 HF2

Fixed In:
5.1.0, 12.1.0, 12.0.0 HF3, 11.6.1

Opened: Aug 07, 2015
Severity: 3-Major

Symptoms

Recent changes in the TLS clients to only use perfect forward secrecy (PFS) ciphersuites in default configuration may degrade TLS handshake rate on BIG-IP, may cause higher CPU utilization on the BIG-IP, or both. An example of a recent change is Apple iOS's App Transport Security changes to only enable ECDH ephemeral ciphersuites (the ciphersuites with the ECDHE suffix).

Impact

With this improvement, the TLS handshake rate with a ciphersuite ECDHE-RSA-AES128-GCM-SHA256 is expected to be ~50% higher on hardware platforms without Intel Cave Creek acceleration (released in 2015 and earlier). Internal testing has shown variations in the improvement between 20% and 80% with this enhancement. The comparison is against the current 12.0.x (or 11.6.x) release. The performance of ECDSA with P-256 was also improved. Conversely, previous versions of the BIG-IP will have correspondingly lower performance, or worse for older releases.

Conditions

Large portion of TLS client only offers *ECDHE* ciphersuites in their TLS CLientHello, the average size of the TLS session is small (e.g. in kilobytes), and the TLS session resumption is not used. In other words, the conditions such that the TLS handshakes likely negotiate ECDHE ciphersuites with short sessions.

Workaround

Order ciphersuite selection so that ECDH ciphersuites are least preferred. One method to accomplish this is to ensure that the clientssl profile's cipherstring contains 'ecdhe:ecdhe_ecdsa' at the end of the list. This will only matter/needed when non-PFS cipherssuites are allowed in the profile and are offered by the client.

Fix Information

Performance improvements for P-256 ECDH and ECDSA algorithms.

Behavior Change