switch keyType to ECDSA/EC256
To make a long story a little shorter, people have noticed that Traefik is slow and uses a lot of CPU when using RSA4096 (traefik/traefik#2673 (comment)). There was a PR a couple years ago to switch to ECDSA/EC256 as the default, but they decided that they didn’t want to change it until Traefik supported dual-certs (traefik/traefik#4993). Dual-cert functionality hasn’t happened in the interim (traefik/traefik#3483).

Cloudflare notes that ECDSA reduces the cost of the private key operation by a factor of 9.5x (https://blog.cloudflare.com/ecdsa-the-digital-signature-algorithm-of-a-better-internet/).  On my server, CPU usage went down from 300% to 40% for Traefik.

ECDSA won't work with IE on Windows XP.  Edit /root/_mypaas/traefik.toml to switch to RSA4096 if you want to support IE on Windows XP.

If you are using a proxy/CDN like Cloudflare, you don't need to worry about ECDSA support since Cloudflare is handling the TLS connection to the client.
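After switching `keyType`, the practical question for an operator is which key algorithm a given endpoint's leaf certificate actually carries, whether that is the origin Traefik instance or a CDN edge terminating TLS in front of it. The following checker is an added example and is not part of this commit or of the mypaas project. It walks the DER structure of an X.509 certificate with a minimal TLV decoder (no third-party library) and reports the SubjectPublicKeyInfo algorithm; `fetch_leaf_der` and the hostname passed on the command line are assumptions for live use, and `sample_cert` builds a constructed, unsigned skeleton with the field layout of a certificate purely so the parser can be exercised offline.

```python
"""Report whether a TLS leaf certificate uses an EC or RSA public key (stdlib only)."""
import socket
import ssl
import sys

# Algorithm OIDs from SubjectPublicKeyInfo (RFC 5480 ecPublicKey, RFC 8017 rsaEncryption).
OID_NAMES = {
    bytes.fromhex("2a8648ce3d0201"): "EC (ecPublicKey)",
    bytes.fromhex("2a864886f70d010101"): "RSA (rsaEncryption)",
}


def _tlv(der, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag = der[pos]
    length = der[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give how many length bytes follow
        n = length & 0x7F
        length = int.from_bytes(der[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(der, start, end):
    """Yield (tag, value_start, value_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, vend = _tlv(der, pos)
        yield tag, vstart, vend
        pos = vend


def key_algorithm(der):
    """Return a human-readable name for the certificate's public-key algorithm."""
    _, cert_start, _ = _tlv(der, 0)                 # Certificate ::= SEQUENCE
    _, tbs_start, tbs_end = _tlv(der, cert_start)   # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    # Remaining order: serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, spki_start, spki_end = fields[5]
    alg_tag, alg_start, alg_end = next(_children(der, spki_start, spki_end))
    oid_tag, oid_start, oid_end = next(_children(der, alg_start, alg_end))
    if alg_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("unexpected SubjectPublicKeyInfo layout")
    oid = der[oid_start:oid_end]
    return OID_NAMES.get(oid, "unknown OID " + oid.hex())


def fetch_leaf_der(host, port=443):
    """Assumed helper: fetch the peer's leaf certificate in DER form over a real TLS handshake."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def _enc(tag, payload):
    """Encode one DER TLV (short or long length form)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def sample_cert(oid_hex):
    """Constructed test input: an unsigned skeleton with a certificate's field layout (not a valid cert)."""
    oid = bytes.fromhex(oid_hex)
    spki = _enc(0x30, _enc(0x30, _enc(0x06, oid)) + _enc(0x03, b"\x00" + b"\x04" * 65))
    tbs = _enc(0x30,
               _enc(0xA0, _enc(0x02, b"\x02")) +                 # version v3
               _enc(0x02, b"\x01") +                              # serial number
               _enc(0x30, _enc(0x06, oid)) +                      # signature algorithm (placeholder)
               _enc(0x30, b"") +                                  # issuer (empty placeholder)
               _enc(0x30, _enc(0x17, b"210212000000Z") * 2) +     # validity (constructed dates)
               _enc(0x30, b"") +                                  # subject (empty placeholder)
               spki)
    return _enc(0x30, tbs + _enc(0x30, _enc(0x06, oid)) + _enc(0x03, b"\x00" * 17))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], "->", key_algorithm(fetch_leaf_der(sys.argv[1])))
    else:
        print("constructed EC sample ->", key_algorithm(sample_cert("2a8648ce3d0201")))
        print("constructed RSA sample ->", key_algorithm(sample_cert("2a864886f70d010101")))
```

Run it with a hostname to inspect a live endpoint; with no argument it only parses the two constructed skeletons. When a CDN sits in front of Traefik, the leaf returned to a browser is the CDN's edge certificate, so checking the origin directly (or the CDN's origin-facing port) is what tells you whether the ACME switch took effect.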
LilahTovMoon authored and almarklein committed Feb 12, 2021
1 parent 147097f commit c72f0e7
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions mypaas/server/_traefik.py
Expand Up @@ -110,6 +110,7 @@ def init_router():
# Enable Let's Encrypt
[certificatesResolvers.default.acme]
email = "EMAIL"
keyType = "EC256"
storage = "acme.json"
[certificatesResolvers.default.acme.httpchallenge]
entrypoint = "web"
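Review bot: the new `keyType = "EC256"` line in the `[certificatesResolvers.default.acme]` block carries no comment, yet the commit message tells operators to edit /root/_mypaas/traefik.toml back to RSA4096 when IE on Windows XP must be supported; add a TOML comment directly above it, e.g. `# EC256 keys are far cheaper on CPU than RSA4096; set "RSA4096" only if IE on Windows XP must be supported`, so the trade-off is visible in the generated file rather than only in the commit history.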
