Updating SSL certificate
Quality of implementation matters — no argument there — and you should do your due diligence. That said, you need to test on your own hardware and with realistic traffic patterns to get an accurate picture of what works best for your specific workload.
Also, ensure you expire and rotate your sessions and session ticket keys in a secure manner, especially when forward secrecy is enabled.
As a result, it may well be the case that you will be able to handle more users with fewer resources.
One possible route is to leverage TCP Fast Open, which would allow us to send the Client Hello within the TCP SYN packet — that would cut another RTT.
Mozilla maintains a wiki page with a recommended ciphersuite list and server configuration tips.
Both resumption and TLS False Start eliminate an extra roundtrip from the TLS handshake.
In practical deployment, we found that enabling and prioritizing ECDHE cipher suites actually caused negligible increase in CPU usage.
HTTP keepalives and session resumption mean that most requests do not require a full handshake, so handshake operations do not dominate our CPU usage.
Many people believe that SSL/TLS takes a lot of CPU time and we hope the preceding numbers will help to dispel that.
We have deployed TLS at a large scale using both hardware and software load balancers.
ECC certificates offer stronger security and smaller certificates - e.g. a 256-bit ECC key is equivalent to a 3072-bit RSA key.
Data delivered over an unencrypted channel is insecure, untrustworthy, and trivially intercepted.