tls 1.2 vs 1.3

Posted: Tue Feb 14, 2023 11:07 am
by SeeCwriter
Using v3.3.9 on a MOD5441X. When TLS 1.2 is enabled my webpage loads in about 40 seconds, and I had to slow webpage updates/refreshes to every 2 seconds in order to work. When I enable TLS 1.3, the webpage takes about 80 seconds to load, but is not able to update/refresh even at a 5-second rate. Everything I've read says that handshaking with TLS 1.3 is faster and simpler. Is this normal?

Re: tls 1.2 vs 1.3

Posted: Wed Feb 15, 2023 10:03 am
by TomNB
Something seems wrong there. Try the unmodified SSL web demo example, then compare the differences to your code. Also, make sure you are in release mode; debug mode will be very slow since it can't use fast RAM. Can you verify you are in release mode? What are your reload times for the SSL web demo?

Also, I think part of using 1.3 specifies that 1.2 must be disabled (need to verify this). Be sure you don't have to communicate with any devices that are not capable of 1.3 if that is the case.

Re: tls 1.2 vs 1.3

Posted: Tue Feb 21, 2023 8:39 am
by SeeCwriter
I only use release mode. I haven't used debug mode in years.
With tls 1.3 enabled, the ssl web demo example loads its webpage in 10-15 seconds. But it's loading less than 20k of data. My webpage contains 1.2MB of data consisting of html files, images, icons, and javascript files.
I haven't tried tls 1.2. And you are correct that when tls 1.3 is enabled that 1.2 is disabled.

Re: tls 1.2 vs 1.3

Posted: Tue Feb 21, 2023 1:48 pm
by TomNB
Hello,

1.2MB is a pretty hefty web page for an embedded device. What is the total used by images?

What are you using for the certificate? RSA is very slow, ECC much faster.

We have noticed a slow down in tls 1.3 with the latest wolf upgrade that is in 3.3.9. We are looking into that, but it will take a few weeks. I would stay with 1.2 if possible until we have those results.

With regard to tls 1.2 being disabled, here is the line in predef.h to enable 1.3:
//#define SSL_TLS_1_3_SUPPORT (1) // Enable support for TLS v1.3, disables support for TLS v1.2

So 1.2 is disabled when using 1.3.

Re: tls 1.2 vs 1.3

Posted: Tue Feb 28, 2023 7:46 am
by SeeCwriter
I mistakenly included some backup files in the total. The real webpage size is 625kB. Images are 89k, HTML is 162k, and JavaScript is 375k. I am using a self-generated ECC cert.
Would using websockets improve webpage loading?

Re: tls 1.2 vs 1.3

Posted: Wed Mar 01, 2023 8:19 am
by TomNB
Hello,

What key size are you using?

As previously mentioned, we have identified a speed issue with 3.3.9 and tls 1.3. Can you confirm the numbers you are now providing are for tls 1.2 and tls 1.3 is not enabled?

Re: tls 1.2 vs 1.3

Posted: Thu Mar 02, 2023 7:11 am
by SeeCwriter
I don't know what the key size is. I'm using whatever the self-generating cert produces. This is from predef.h that I'm using:

#ifdef NB_SSL_SUPPORTED
#define SSL_TLS_SUPPORT (1)
#define WEB_CLIENT_SSL_SUPPORT (1)
#define SSL_DEFAULT_MAX_SESSION_AGE_TICKS (3600 * TICKS_PER_SECOND)   // 1 Hour
#define TLS_CACHE_PEER_CERT_VALIDATIONS (1)
#define ENABLE_ED25519 (1)
//#define SSL_TLS_1_3_SUPPORT (1) // Enable support for TLS v1.3, disables support for TLS v1.2
#define ENABLE_AUTOCERT_REGEN (1) // Enable if autogenerated certificates should renew automatically when expired
#ifdef ENABLE_AUTOCERT_REGEN
#define AUTO_CERT_GEN_CHECK (60 * TICKS_PER_SECOND)   // Every min
#endif

// Used to enable more robust ECC curves, at the expense of handshake speed
//#define ENABLE_ECC384 (1)
//#define ENABLE_ECC521 (1)

// Used to enable RSA 4K Keys
//#define ENABLE_RSA_4K (1)
#endif
I also commented out line 376 in file user_settings.h for the MOD54415 to ensure only ECC was used, which is:

//#define ENABLE_RSAKEY_CREATE   // Custom define, maybe should move to predef?
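TomNB asked for the key size and the reply above says it is unknown because the certificate is autogenerated. The key algorithm, curve and size can be read straight from the certificate the device serves. The script below is an added example, not NetBurner code; it assumes an OpenSSL 1.1.1 or 3.x command line and parses the "openssl x509 -text" output (a P-256 cert reads as "EC prime256v1 256"; with ENABLE_ECC384 or ENABLE_ECC521 the curve and bit count change accordingly).

```shell
#!/bin/sh
# Report key algorithm, curve and size of an X.509 certificate in PEM form,
# parsed from "openssl x509 -text" output (OpenSSL 1.1.1+ or 3.x assumed).
cert_key_info() {   # usage: cert_key_info cert.pem
    txt=$(openssl x509 -in "$1" -noout -text) || return 1
    alg=$(printf '%s\n' "$txt" | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    case "$alg" in
        id-ecPublicKey)
            curve=$(printf '%s\n' "$txt" | sed -n 's/.*ASN1 OID: *//p' | head -n 1)
            echo "EC $curve $bits" ;;
        rsaEncryption)
            echo "RSA $bits" ;;
        *)
            echo "$alg" ;;   # e.g. ED25519, whose key size is fixed
    esac
}

# Save the certificate a live server presents, so cert_key_info can inspect it
# (hypothetical host/port arguments; e.g. the MOD5441X's address and 443).
fetch_server_cert() {   # usage: fetch_server_cert host port out.pem
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -out "$3"
}

# Generate a throwaway self-signed certificate (constructed test input only).
make_test_cert() {      # usage: make_test_cert ec|rsa out.pem
    key="$2.key"
    if [ "$1" = ec ]; then
        openssl ecparam -name prime256v1 -genkey -noout -out "$key"
    else
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$key" 2>/dev/null
    fi
    openssl req -x509 -new -key "$key" -out "$2" -subj /CN=test -days 1 2>/dev/null
}
```

The same PEM can also be exported from the browser's certificate viewer if the device is not reachable from a shell.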

Re: tls 1.2 vs 1.3

Posted: Fri Mar 03, 2023 8:21 am
by TomNB
Hello,

After further testing, we have noticed the speed has decreased from release 3.3.8 to 3.3.9, as the new wolfSSL version 5.5 has different optimizations. We are working on a 3.4.0 release for mid to late March.

Re: tls 1.2 vs 1.3

Posted: Fri Mar 03, 2023 9:14 am
by SeeCwriter
Thank you for the update.

Re: tls 1.2 vs 1.3

Posted: Fri Mar 03, 2023 10:30 am
by TomNB
Something else I have noticed on my system. With BitDefender installed, it does its own certificate check, and I see a BitDefender cert, not just the NetBurner autogenerated cert. Looking into it now, but I think it actually goes out and does its own check in its cloud database, which takes more time. I've attached cert screenshots from Firefox showing BitDefender enabled vs disabled. Only a sample size of 1, but in my tests it takes a lot longer when BitDefender is involved. I think that is what they call their zero-day attack feature.